public function AccessTest::testEntityAccess in Entity Construction Kit (ECK) 8
Tests if access handling for created entities is handled correctly.
File
- tests/src/Functional/AccessTest.php, line 126
Class
- AccessTest
- Tests eck's access control.
Namespace
Drupal\Tests\eck\Functional
Code
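/**
 * Tests if access handling for created entities is handled correctly.
 *
 * Covers three access scopes: "own" permissions (only the creator may
 * view/edit/delete), "any" permissions (every entity of the type), and the
 * separate 'view unpublished eck entities' permission for unpublished
 * entities.
 */
public function testEntityAccess() {
  $entityTypeName = $this->entityTypeInfo['id'];

  // Both users may create entities; they differ only in the "own"/"any"
  // scope of their view/edit/delete permissions.
  $ownEntityPermissions = $anyEntityPermissions = [
    "create {$entityTypeName} entities",
  ];
  foreach (['view', 'edit', 'delete'] as $op) {
    $ownEntityPermissions[] = "{$op} own {$entityTypeName} entities";
    $anyEntityPermissions[] = "{$op} any {$entityTypeName} entities";
  }
  $ownEntityUser = $this->drupalCreateUser($ownEntityPermissions);
  $anyEntityUser = $this->drupalCreateUser($anyEntityPermissions);

  // Entity 1 is owned by the 'any' user, entity 2 by the 'own' user.
  // NOTE(review): assumes IDs are assigned sequentially from 1 on a fresh
  // test site — TODO confirm, or look the IDs up after saving instead.
  $this->drupalLogin($anyEntityUser);
  $this->submitEntityAddForm($entityTypeName);
  $this->drupalLogin($ownEntityUser);
  $this->submitEntityAddForm($entityTypeName);

  // The 'own' user must not view, edit or delete content that is not
  // theirs, but may do all three on their own entity.
  $this->assertEntityOperationsStatus($entityTypeName, 1, 403);
  $this->assertEntityOperationsStatus($entityTypeName, 2, 200);

  // The 'any' user may view, edit and delete both entities.
  $this->drupalLogin($anyEntityUser);
  $this->assertEntityOperationsStatus($entityTypeName, 1, 200);
  $this->assertEntityOperationsStatus($entityTypeName, 2, 200);

  // Entity 3 is created unpublished. The 'any' user is still logged in and
  // must not see it: normal view access does not cover unpublished content.
  $this->createEntity($entityTypeName, [
    'type' => $this->bundleInfo['type'],
    'title' => $this->randomString(),
    'status' => FALSE,
  ]);
  $unpublishedArguments = [$entityTypeName => 3];
  $this->drupalGet(Url::fromRoute("entity.{$entityTypeName}.canonical", $unpublishedArguments));
  $this->assertSession()->statusCodeEquals(403);

  // NOTE(review): the previous comment here said this one permission should
  // NOT be enough to get access, yet the assertion expects 200. The
  // assertion is kept as it encodes current behaviour, but confirm which of
  // the two is the intended policy: if 'view unpublished eck entities' alone
  // grants view access, that is a wider grant than "view any" users get.
  $viewUnpublishedEntityUser = $this->drupalCreateUser([
    'view unpublished eck entities',
  ]);
  $this->drupalLogin($viewUnpublishedEntityUser);
  $this->drupalGet(Url::fromRoute("entity.{$entityTypeName}.canonical", $unpublishedArguments));
  $this->assertSession()->statusCodeEquals(200);

  // Finally, users with normal access and 'view unpublished eck entities'
  // permission should have access.
  $viewUnpublishedAndAnyEntityUser = $this->drupalCreateUser([
    'view unpublished eck entities',
    "view any {$entityTypeName} entities",
  ]);
  $this->drupalLogin($viewUnpublishedAndAnyEntityUser);
  $this->drupalGet(Url::fromRoute("entity.{$entityTypeName}.canonical", $unpublishedArguments));
  $this->assertSession()->statusCodeEquals(200);
}

/**
 * Submits the entity add form for the test bundle as the logged-in user.
 *
 * @param string $entityTypeName
 *   The ECK entity type ID.
 */
protected function submitEntityAddForm(string $entityTypeName): void {
  $routeArgs = [
    'eck_entity_type' => $entityTypeName,
    'eck_entity_bundle' => $this->bundleInfo['type'],
  ];
  $this->drupalGet(Url::fromRoute('eck.entity.add', $routeArgs));
  $this->submitForm(['title[0][value]' => $this->randomMachineName()], 'Save');
}

/**
 * Asserts the HTTP status of the view, edit and delete pages of an entity.
 *
 * @param string $entityTypeName
 *   The ECK entity type ID.
 * @param int $entityId
 *   The ID of the entity to check.
 * @param int $expectedStatus
 *   The status code every one of the three pages must return.
 */
protected function assertEntityOperationsStatus(string $entityTypeName, int $entityId, int $expectedStatus): void {
  $arguments = [$entityTypeName => $entityId];
  foreach (['canonical', 'edit_form', 'delete_form'] as $linkTemplate) {
    $this->drupalGet(Url::fromRoute("entity.{$entityTypeName}.{$linkTemplate}", $arguments));
    $this->assertSession()->statusCodeEquals($expectedStatus);
  }
}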