
public function CommonCollectionFilterAccessTestPatternsTrait::doTestCollectionFilterAccessBasedOnPermissions in JSON:API 8.2

Same name and namespace in other branches
  1. 8 tests/src/Traits/CommonCollectionFilterAccessTestPatternsTrait.php \Drupal\Tests\jsonapi\Traits\CommonCollectionFilterAccessTestPatternsTrait::doTestCollectionFilterAccessBasedOnPermissions()

Implements ::testCollectionFilterAccess() for pure permission-based access.

Parameters

string $label_field_name: The entity type's label field name.

string $view_permission: The entity type's permission that grants 'view' access.

Return value

\Drupal\Core\Entity\EntityInterface The referencing entity.

6 calls to CommonCollectionFilterAccessTestPatternsTrait::doTestCollectionFilterAccessBasedOnPermissions()
CommonCollectionFilterAccessTestPatternsTrait::doTestCollectionFilterAccessForPublishableEntities in tests/src/Traits/CommonCollectionFilterAccessTestPatternsTrait.php
Implements ::testCollectionFilterAccess() for permission + status access.
FeedTest::testCollectionFilterAccess in tests/src/Functional/FeedTest.php
FileTest::testCollectionFilterAccess in tests/src/Functional/FileTest.php
MenuLinkContentTest::testCollectionFilterAccess in tests/src/Functional/MenuLinkContentTest.php
ShortcutTest::testCollectionFilterAccess in tests/src/Functional/ShortcutTest.php


File

tests/src/Traits/CommonCollectionFilterAccessTestPatternsTrait.php, line 32

Class

CommonCollectionFilterAccessTestPatternsTrait
Provides common filter access control tests.

Namespace

Drupal\Tests\jsonapi\Traits

Code

public function doTestCollectionFilterAccessBasedOnPermissions($label_field_name, $view_permission) {
  assert($this instanceof ResourceTestBase);

  // Set up the data model: an 'entity_test' bundle ('bar') with a 'spotlight'
  // entity reference field targeting the bundle of the entity under test.
  // Filtering the collection through that reference is what exercises the
  // field-level access checks below.
  $module_installer = $this->container->get('module_installer');
  $this->assertTrue($module_installer->install(['entity_test'], TRUE), 'Installed modules.');
  entity_test_create_bundle('bar', NULL, 'entity_test');
  $tested_bundle = $this->entity->bundle();
  $this->createEntityReferenceField('entity_test', 'bar', 'spotlight', NULL, static::$entityTypeId, 'default', [
    'target_bundles' => [$tested_bundle => $tested_bundle],
  ]);
  $this->rebuildAll();
  $this->grantPermissionsToTestedRole(['view test entity']);

  // Create the referencing entity whose 'spotlight' field points at the
  // tested entity.
  $referencing_entity = EntityTest::create([
    'name' => 'Camelids',
    'type' => 'bar',
    'spotlight' => ['target_id' => $this->entity->id()],
  ]);
  $referencing_entity->save();

  // Build the filtered collection request. Specifying a delta ("0") in the
  // filter path exercises TemporaryQueryGuard more thoroughly.
  $collection_url = Url::fromRoute('jsonapi.entity_test--bar.collection');
  $filter_path = "spotlight.0.{$label_field_name}";
  $collection_filter_url = $collection_url->setOption('query', [
    "filter[{$filter_path}]" => $this->entity->label(),
  ]);
  $request_options = NestedArray::mergeDeep(
    [RequestOptions::HEADERS => ['Accept' => 'application/vnd.api+json']],
    $this->getAuthenticationRequestOptions()
  );

  // Issues the filtered GET and returns the decoded JSON:API document.
  $fetch_filtered_collection = function () use ($collection_filter_url, $request_options) {
    $response = $this->request('GET', $collection_filter_url, $request_options);
    return Json::decode((string) $response->getBody());
  };
  // Asserts that the filtered collection holds exactly the referencing entity.
  $assert_single_result = function ($doc) use ($referencing_entity) {
    $this->assertCount(1, $doc['data']);
    $this->assertSame($referencing_entity->uuid(), $doc['data'][0]['id']);
  };

  if ($view_permission !== NULL) {
    // Without 'view' access on the referenced entity type, filtering by the
    // referenced label must not reveal the referencing entity: 0 results.
    // (A non-zero count here would mean the filter leaks data the user may
    // not view.)
    $doc = $fetch_filtered_collection();
    $this->assertCount(0, $doc['data']);

    // Grant "view" permission.
    $this->grantPermissionsToTestedRole([$view_permission]);
  }

  // ?filter[spotlight.LABEL]: 1 result now that 'view' access is granted.
  // The same request is issued twice; both lookups must agree.
  $assert_single_result($fetch_filtered_collection());
  $assert_single_result($fetch_filtered_collection());

  // Install the jsonapi_test_field_filter_access module, which contains a
  // hook_jsonapi_entity_field_filter_access() implementation that forbids
  // access to the spotlight field if the 'filter by spotlight field'
  // permission is not granted.
  $this->assertTrue($module_installer->install(['jsonapi_test_field_filter_access'], TRUE), 'Installed modules.');
  $this->rebuildAll();

  // A 403 must be generated when filtering by a field that an implementation
  // of hook_jsonapi_entity_field_filter_access() forbids; the expected cache
  // contexts include 'user.permissions' because the outcome depends on the
  // requesting user's permissions.
  $forbidden_response = $this->request('GET', $collection_filter_url, $request_options);
  $forbidden_message = "The current user is not authorized to filter by the `spotlight` field, given in the path `spotlight`.";
  $this->assertResourceErrorResponse(
    403,
    $forbidden_message,
    $collection_filter_url,
    $forbidden_response,
    FALSE,
    ['4xx-response', 'http_response'],
    ['url.query_args:filter', 'url.query_args:sort', 'url.site', 'user.permissions'],
    FALSE,
    'MISS'
  );

  // Once the proper permission is granted the filter is allowed again.
  $this->grantPermissionsToTestedRole(['filter by spotlight field']);
  $assert_single_result($fetch_filtered_collection());

  // Tear down: revoke the permission and uninstall the test module so later
  // patterns in the same test run start from a clean state.
  $this->revokePermissionsFromTestedRole(['filter by spotlight field']);
  $this->assertTrue($module_installer->uninstall(['jsonapi_test_field_filter_access'], TRUE), 'Uninstalled modules.');
  return $referencing_entity;
}