You are here

public function WidgetAccessTest::testWidgetAccess in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/media_library/tests/src/FunctionalJavascript/WidgetAccessTest.php \Drupal\Tests\media_library\FunctionalJavascript\WidgetAccessTest::testWidgetAccess()
  2. 9 core/modules/media_library/tests/src/FunctionalJavascript/WidgetAccessTest.php \Drupal\Tests\media_library\FunctionalJavascript\WidgetAccessTest::testWidgetAccess()

Tests that the widget access works as expected.

File

core/modules/media_library/tests/src/FunctionalJavascript/WidgetAccessTest.php, line 25

Class

WidgetAccessTest
Tests the media library UI access.

Namespace

Drupal\Tests\media_library\FunctionalJavascript

Code

public function testWidgetAccess() {
  $assert_session = $this
    ->assertSession();
  $session = $this
    ->getSession();
  $this
    ->createMediaItems([
    'type_one' => [
      'Horse',
      'Bear',
    ],
  ]);
  $account = $this
    ->drupalCreateUser([
    'create basic_page content',
  ]);
  $this
    ->drupalLogin($account);

  // Assert users can not select media items they do not have access to.
  $unpublished_media = Media::create([
    'name' => 'Mosquito',
    'bundle' => 'type_one',
    'field_media_test' => 'Mosquito',
    'status' => FALSE,
  ]);
  $unpublished_media
    ->save();

  // Visit a node create page.
  $this
    ->drupalGet('node/add/basic_page');

  // Set the hidden value and trigger the mousedown event on the button via
  // JavaScript since the field and button are hidden.
  $session
    ->executeScript("jQuery('[data-media-library-widget-value=\"field_unlimited_media\"]').val('1,2,{$unpublished_media->id()}')");
  $session
    ->executeScript("jQuery('[data-media-library-widget-update=\"field_unlimited_media\"]').trigger('mousedown')");
  $this
    ->assertElementExistsAfterWait('css', '.js-media-library-item');

  // Assert the published items are selected and the unpublished item is not
  // selected.
  $assert_session
    ->pageTextContains('Horse');
  $assert_session
    ->pageTextContains('Bear');
  $assert_session
    ->pageTextNotContains('Mosquito');
  $this
    ->drupalLogout();
  $role = Role::load(RoleInterface::ANONYMOUS_ID);
  $role
    ->revokePermission('view media');
  $role
    ->save();

  // Create a working state.
  $allowed_types = [
    'type_one',
    'type_two',
    'type_three',
    'type_four',
  ];

  // The opener parameters are not relevant to the test, but the opener
  // expects them to be there or it will deny access.
  $state = MediaLibraryState::create('media_library.opener.field_widget', $allowed_types, 'type_three', 2, [
    'entity_type_id' => 'node',
    'bundle' => 'basic_page',
    'field_name' => 'field_unlimited_media',
  ]);
  $url_options = [
    'query' => $state
      ->all(),
  ];

  // Verify that unprivileged users can't access the widget view.
  $this
    ->drupalGet('admin/content/media-widget', $url_options);
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('admin/content/media-widget-table', $url_options);
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('media-library', $url_options);
  $assert_session
    ->responseContains('Access denied');

  // Allow users with 'view media' permission to access the media library view
  // and controller. Since we are using the node entity type in the state
  // object, ensure the user also has permission to work with those.
  $this
    ->grantPermissions($role, [
    'create basic_page content',
    'view media',
  ]);
  $this
    ->drupalGet('admin/content/media-widget', $url_options);
  $assert_session
    ->elementExists('css', '.js-media-library-view');
  $this
    ->drupalGet('admin/content/media-widget-table', $url_options);
  $assert_session
    ->elementExists('css', '.js-media-library-view');
  $this
    ->drupalGet('media-library', $url_options);
  $assert_session
    ->elementExists('css', '.js-media-library-view');

  // Assert the user does not have access to the media add form if the user
  // does not have the 'create media' permission.
  $assert_session
    ->fieldNotExists('files[upload][]');

  // Assert users can not access the widget displays of the media library view
  // without a valid media library state.
  $this
    ->drupalGet('admin/content/media-widget');
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('admin/content/media-widget-table');
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('media-library');
  $assert_session
    ->responseContains('Access denied');

  // Assert users with the 'create media' permission can access the media add
  // form.
  $this
    ->grantPermissions($role, [
    'create media',
  ]);
  $this
    ->drupalGet('media-library', $url_options);
  $assert_session
    ->elementExists('css', '.js-media-library-view');
  $assert_session
    ->fieldExists('Add files');

  // Assert the media library can not be accessed if the required state
  // parameters are changed without changing the hash.
  $this
    ->drupalGet('media-library', [
    'query' => array_merge($url_options['query'], [
      'media_library_opener_id' => 'fail',
    ]),
  ]);
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('media-library', [
    'query' => array_merge($url_options['query'], [
      'media_library_allowed_types' => [
        'type_one',
        'type_two',
      ],
    ]),
  ]);
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('media-library', [
    'query' => array_merge($url_options['query'], [
      'media_library_selected_type' => 'type_one',
    ]),
  ]);
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('media-library', [
    'query' => array_merge($url_options['query'], [
      'media_library_remaining' => 3,
    ]),
  ]);
  $assert_session
    ->responseContains('Access denied');
  $this
    ->drupalGet('media-library', [
    'query' => array_merge($url_options['query'], [
      'hash' => 'fail',
    ]),
  ]);
  $assert_session
    ->responseContains('Access denied');
}