
public function AccessTest::testEntityAccess in Entity Construction Kit (ECK) 8

Tests that access to created entities is handled correctly.

File

tests/src/Functional/AccessTest.php, line 126

Class

AccessTest
Tests eck's access control.

Namespace

Drupal\Tests\eck\Functional

Code

public function testEntityAccess() {
  // Exercises the per-entity-type permissions ("create", "view/edit/delete
  // own|any <type> entities") and the global "view unpublished eck entities"
  // permission by creating entities as different users and checking the HTTP
  // status returned for the canonical, edit and delete routes.
  $entityTypeName = $this->entityTypeInfo['id'];
  $bundle = $this->bundleInfo['type'];

  // Both users may create entities; they differ only in own/any scope.
  $ownEntityPermissions = ["create {$entityTypeName} entities"];
  $anyEntityPermissions = ["create {$entityTypeName} entities"];
  foreach (['view', 'edit', 'delete'] as $operation) {
    $ownEntityPermissions[] = "{$operation} own {$entityTypeName} entities";
    $anyEntityPermissions[] = "{$operation} any {$entityTypeName} entities";
  }
  $ownEntityUser = $this->drupalCreateUser($ownEntityPermissions);
  $anyEntityUser = $this->drupalCreateUser($anyEntityPermissions);

  // Submits the add form for the configured bundle as the logged-in user.
  $createEntityAsCurrentUser = function () use ($entityTypeName, $bundle) {
    $edit = ['title[0][value]' => $this->randomMachineName()];
    $this->drupalGet(Url::fromRoute("eck.entity.add", [
      'eck_entity_type' => $entityTypeName,
      'eck_entity_bundle' => $bundle,
    ]));
    $this->submitForm($edit, 'Save');
  };

  // Requests each named entity route for an entity ID and asserts that every
  // response carries the expected status code.
  $assertStatusForRoutes = function ($entityId, array $routes, $expectedStatus) use ($entityTypeName) {
    $arguments = [$entityTypeName => $entityId];
    foreach ($routes as $route) {
      $this->drupalGet(Url::fromRoute("entity.{$entityTypeName}.{$route}", $arguments));
      $this->assertSession()->statusCodeEquals($expectedStatus);
    }
  };
  $allRoutes = ['canonical', 'edit_form', 'delete_form'];

  // Entity 1 is created by the 'any' user, entity 2 by the 'own' user.
  // NOTE: the numeric IDs below assume sequential allocation starting at 1 on
  // a fresh test site.
  $this->drupalLogin($anyEntityUser);
  $createEntityAsCurrentUser();
  $this->drupalLogin($ownEntityUser);
  $createEntityAsCurrentUser();

  // The 'own' user may only view, edit and delete content they authored.
  $assertStatusForRoutes(1, $allRoutes, 403);
  $assertStatusForRoutes(2, $allRoutes, 200);

  // The 'any' user may view, edit and delete both their own and others'
  // content.
  $this->drupalLogin($anyEntityUser);
  $assertStatusForRoutes(1, $allRoutes, 200);
  $assertStatusForRoutes(2, $allRoutes, 200);

  // Entity 3 is unpublished and created directly via createEntity(), not
  // through the add form.
  $this->createEntity($entityTypeName, [
    'type' => $bundle,
    'title' => $this->randomString(),
    'status' => FALSE,
  ]);

  // The 'any' user is still logged in: the "view any" permission alone does
  // not grant access to an unpublished entity.
  $assertStatusForRoutes(3, ['canonical'], 403);

  // A user holding only 'view unpublished eck entities'.
  // NOTE(review): the original comment states this single permission should
  // NOT be enough to get access, yet the assertion expects 200. Confirm which
  // access rule is intended; if denial is intended, the expected code here
  // should be 403 and the module's access check needs review.
  $viewUnpublishedEntityUser = $this->drupalCreateUser([
    'view unpublished eck entities',
  ]);
  $this->drupalLogin($viewUnpublishedEntityUser);
  $assertStatusForRoutes(3, ['canonical'], 200);

  // A user holding both the unpublished permission and "view any" must be
  // granted access.
  $viewUnpublishedAndAnyEntityUser = $this->drupalCreateUser([
    'view unpublished eck entities',
    "view any {$entityTypeName} entities",
  ]);
  $this->drupalLogin($viewUnpublishedAndAnyEntityUser);
  $assertStatusForRoutes(3, ['canonical'], 200);
}