
public function CartEntityAccessTest::testViewAccessWithoutViewPermission in Commerce Core 8.2

Tests order view access without a "view own commerce_order" permission.

File

modules/cart/tests/src/Functional/CartEntityAccessTest.php, line 114

Class

CartEntityAccessTest
Tests cart access.

Namespace

Drupal\Tests\commerce_cart\Functional

Code

/**
 * Tests order view access without a "view own commerce_order" permission.
 *
 * The permission is revoked from the anonymous role first, so every 200
 * asserted below has to come from the cart module's own ownership checks
 * and not from the role permission. Three browser sessions are exercised:
 * the customer's "default" session, "anonymous" and "anonymous2".
 */
public function testViewAccessWithoutViewPermission() {
  $account = $this->drupalCreateUser(['access checkout']);
  user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['view own commerce_order']);

  // Authorized cart: a draft cart owned by the logged-in customer. Neither
  // the owner nor an anonymous visitor may view it while it is still a cart.
  $customer_cart = \Drupal::service('commerce_cart.cart_provider')->createCart('default', $this->store, $account);
  $customer_order_path = 'user/' . $account->id() . '/orders/' . $customer_cart->id();
  $this->drupalLogin($account);
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);
  $this->switchSession('anonymous');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Anonymous active cart: add a product from the "anonymous" session. The
  // path hard-codes order ID 3 for that cart; this relies on the fixture
  // creating exactly two orders before it — confirm if setup changes.
  $anonymous_order_path = 'user/0/orders/3';
  $this->drupalGet('product/' . $this->variation->getProductId());
  $this->submitForm([], 'Add to cart');
  // Owner's logged-in session, a second anonymous session and the owning
  // anonymous session are all denied while the order is a draft.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);
  $this->switchSession('anonymous2');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);
  $this->switchSession('anonymous');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Anonymous completed cart: run the guest checkout to completion from the
  // "anonymous" session that owns order 3.
  $this->drupalGet('checkout/3/login');
  $this->submitForm([], 'Continue as Guest');
  $guest_checkout_values = [
    'contact_information[email]' => 'guest@example.com',
    'contact_information[email_confirm]' => 'guest@example.com',
    'billing_information[profile][address][0][address][given_name]' => $this->randomString(),
    'billing_information[profile][address][0][address][family_name]' => $this->randomString(),
    'billing_information[profile][address][0][address][organization]' => $this->randomString(),
    'billing_information[profile][address][0][address][address_line1]' => $this->randomString(),
    'billing_information[profile][address][0][address][postal_code]' => '94043',
    'billing_information[profile][address][0][address][locality]' => 'Mountain View',
    'billing_information[profile][address][0][address][administrative_area]' => 'CA',
  ];
  $this->submitForm($guest_checkout_values, 'Continue to review');
  $this->submitForm([], 'Complete checkout');

  // Anonymous users can view their completed orders, but only from the
  // session that placed the order; other sessions are still denied.
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(200);
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);
  $this->mink->setDefaultSessionName('anonymous2');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Authenticated completed cart: place the customer's order directly.
  $customer_cart->getState()->applyTransitionById('place');
  $customer_cart->save();
  $this->switchSession('anonymous');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Customers always see their completed orders when using the cart module;
  // an unrelated anonymous session still gets 403.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(200);
  $this->mink->setDefaultSessionName('anonymous2');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);
}