public function CartEntityAccessTest::testViewAccessWithoutViewPermission in Commerce Core 8.2
Tests order view access without a "view own commerce_order" permission.
File
- modules/cart/tests/src/Functional/CartEntityAccessTest.php, line 114
Class
- CartEntityAccessTest
- Tests cart access.
Namespace
Drupal\Tests\commerce_cart\Functional
Code
/**
 * Tests order view access without a "view own commerce_order" permission.
 *
 * Requests the order page from three browser sessions: 'default' (the
 * logged-in customer), 'anonymous' (the visitor who creates and completes a
 * guest cart) and 'anonymous2' (an anonymous visitor who never touches a
 * cart). Draft carts must return 403 for every session. A completed order
 * must return 200 only for the session that owns it.
 */
public function testViewAccessWithoutViewPermission() {
  // The customer can check out but holds no order-viewing permission, and the
  // anonymous role loses "view own commerce_order" as well.
  $customer = $this->drupalCreateUser(['access checkout']);
  user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['view own commerce_order']);

  // Draft cart owned by the authenticated customer.
  $cart_provider = \Drupal::service('commerce_cart.cart_provider');
  $cart = $cart_provider->createCart('default', $this->store, $customer);
  $customer_order_path = 'user/' . $customer->id() . '/orders/' . $cart->id();

  // The owner is refused while the cart is still a draft.
  $this->drupalLogin($customer);
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // An anonymous visitor who knows the URL is refused too.
  $this->switchSession('anonymous');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Draft cart created by the 'anonymous' session through the product form.
  // NOTE(review): order ID 3 is hard-coded here and in the checkout URL
  // below; it assumes the cart created by "Add to cart" receives that ID.
  // Confirm against the fixtures built in setUp().
  $anonymous_order_path = 'user/0/orders/3';
  $this->drupalGet('product/' . $this->variation->getProductId());
  $this->submitForm([], 'Add to cart');

  // Refused for the customer's session (presumably the initial 'default'
  // Mink session in which drupalLogin() ran; confirm).
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Refused for an anonymous session that did not create the cart.
  $this->switchSession('anonymous2');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Refused even for the session that created it, while it is still a draft.
  $this->switchSession('anonymous');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Complete the guest checkout from the 'anonymous' session.
  $this->drupalGet('checkout/3/login');
  $this->submitForm([], 'Continue as Guest');
  $guest_checkout_values = [
    'contact_information[email]' => 'guest@example.com',
    'contact_information[email_confirm]' => 'guest@example.com',
    'billing_information[profile][address][0][address][given_name]' => $this->randomString(),
    'billing_information[profile][address][0][address][family_name]' => $this->randomString(),
    'billing_information[profile][address][0][address][organization]' => $this->randomString(),
    'billing_information[profile][address][0][address][address_line1]' => $this->randomString(),
    'billing_information[profile][address][0][address][postal_code]' => '94043',
    'billing_information[profile][address][0][address][locality]' => 'Mountain View',
    'billing_information[profile][address][0][address][administrative_area]' => 'CA',
  ];
  $this->submitForm($guest_checkout_values, 'Continue to review');
  $this->submitForm([], 'Complete checkout');

  // The guest who placed the order can view it from the same session.
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(200);

  // The logged-in customer is refused the guest's completed order.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // 'anonymous' and 'anonymous2' are both uid 0, so the path cannot tell
  // them apart. This 403 shows that access follows the session which
  // completed the checkout, not the uid in the URL.
  $this->mink->setDefaultSessionName('anonymous2');
  $this->drupalGet($anonymous_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // Place the customer's cart directly so that it becomes a completed order.
  $cart->getState()->applyTransitionById('place');
  $cart->save();

  // The guest session is refused the customer's completed order.
  $this->switchSession('anonymous');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);

  // With the cart module, the owner sees a completed order even without the
  // "view own commerce_order" permission.
  $this->mink->setDefaultSessionName('default');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(200);

  // The unrelated anonymous session is refused.
  $this->mink->setDefaultSessionName('anonymous2');
  $this->drupalGet($customer_order_path);
  $this->assertSession()->statusCodeEquals(403);
}