
public function ParagraphsAccessTest::testParagraphAccessCheck in Paragraphs 8

Same name in this branch
  1. 8 tests/src/Functional/WidgetLegacy/ParagraphsAccessTest.php \Drupal\Tests\paragraphs\Functional\WidgetLegacy\ParagraphsAccessTest::testParagraphAccessCheck()
  2. 8 tests/src/Functional/WidgetStable/ParagraphsAccessTest.php \Drupal\Tests\paragraphs\Functional\WidgetStable\ParagraphsAccessTest::testParagraphAccessCheck()

Tests the Paragraph access and permissions.

File

tests/src/Functional/WidgetStable/ParagraphsAccessTest.php, line 86

Class

ParagraphsAccessTest
Tests the access check of paragraphs.

Namespace

Drupal\Tests\paragraphs\Functional\WidgetStable

Code

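/**
 * Tests the Paragraph access and permissions.
 *
 * Covers, in order:
 * - image files stored on the private scheme and attached through a Paragraph
 *   are served to the editor (200) and refused to anonymous users (403) once
 *   'access content' has been revoked from the anonymous role;
 * - an editor can remove a Paragraph from a node and save it;
 * - an unpublished Paragraph is rendered only when the viewing user has
 *   'view unpublished paragraphs' AND the 'show_unpublished' setting is on.
 */
public function testParagraphAccessCheck() {
  $permissions = [
    'administer site configuration',
    'administer node display',
    'administer paragraph display',
    'create paragraphed_content_demo content',
    'edit any paragraphed_content_demo content',
  ];
  $this->loginAsAdmin($permissions);

  // Remove the "access content" for anonymous users. That results in
  // anonymous users not being able to "view" the host entity.
  /** @var \Drupal\user\RoleInterface $role */
  $role = \Drupal::entityTypeManager()
    ->getStorage('user_role')
    ->load(RoleInterface::ANONYMOUS_ID);
  $role->revokePermission('access content');
  $role->save();

  // Set field_images from demo to private file storage.
  $edit = [
    'settings[uri_scheme]' => 'private',
  ];
  $this->drupalGet('admin/structure/paragraphs_type/images/fields/paragraph.images.field_images_demo/storage');
  $this->submitForm($edit, 'Save field settings');

  // Use the stable widget.
  $form_display = EntityFormDisplay::load('node.paragraphed_content_demo.default')
    ->setComponent('field_paragraphs_demo', [
      'type' => 'paragraphs',
    ]);
  $form_display->save();

  // Create a new demo node.
  $this->drupalGet('node/add/paragraphed_content_demo');

  // Add a new Paragraphs images item.
  $this->submitForm([], 'Add images');
  $images = $this->getTestFiles('image');

  // Copy the first test image to a temporary location for upload.
  $file_system = \Drupal::service('file_system');
  $file_system->copy($images[0]->uri, 'temporary://privateImage.jpg');
  $file_path = $this->container
    ->get('file_system')
    ->realpath('temporary://privateImage.jpg');

  // Copy the second test image to a temporary location for upload.
  $file_system->copy($images[1]->uri, 'temporary://privateImage2.jpg');
  $file_path_2 = $this->container
    ->get('file_system')
    ->realpath('temporary://privateImage2.jpg');

  // The assertions below expect uploads to land in a "Y-m" sub-directory of
  // the private scheme. Compute it once so both image URLs agree even if the
  // test runs across a month boundary.
  $upload_dir = 'private://' . date('Y-m');

  $edit = [
    'title[0][value]' => 'Security test node',
    'files[field_paragraphs_demo_0_subform_field_images_demo_0][]' => $file_path,
  ];
  $this->submitForm($edit, 'Upload');
  $edit = [
    'files[field_paragraphs_demo_0_subform_field_images_demo_1][]' => $file_path_2,
  ];
  $this->submitForm($edit, 'Upload');
  $this->submitForm([], 'Preview');
  $image_style = ImageStyle::load('medium');
  $img1_url = $image_style->buildUrl($upload_dir . '/privateImage.jpg');
  $image_url = file_url_transform_relative($img1_url);
  $this->assertSession()->responseContains($image_url);
  $this->clickLink('Back to content editing');
  $this->submitForm([], 'Save');
  $node = $this->drupalGetNodeByTitle('Security test node');
  $this->drupalGet('node/' . $node->id());

  // Check the text and image after publish.
  $this->assertSession()->responseContains($image_url);
  $this->drupalGet($img1_url);
  $this->assertSession()->statusCodeEquals(200);

  // Logout to become anonymous.
  $this->drupalLogout();

  // @todo Requesting the same $img_url again triggers a caching problem on
  // drupal.org test bot, thus we request a different file here.
  $img_url = $image_style->buildUrl($upload_dir . '/privateImage2.jpg');
  $image_url = file_url_transform_relative($img_url);

  // Request the host node as anonymous first. Without this request the
  // assertion below would only inspect the page left behind by the logout and
  // could never detect a leaked private image URL.
  $this->drupalGet('node/' . $node->id());

  // Check the text and image after publish. Anonymous should not see content.
  $this->assertSession()->responseNotContains($image_url);
  $this->drupalGet($img_url);
  $this->assertSession()->statusCodeEquals(403);

  // Login as admin with no delete permissions.
  $this->loginAsAdmin($permissions);

  // Create a new demo node.
  $this->drupalGet('node/add/paragraphed_content_demo');
  $this->submitForm([], 'Add text');
  $this->assertSession()->pageTextContains('Text');
  $edit = [
    'title[0][value]' => 'delete_permissions',
    'field_paragraphs_demo[0][subform][field_text_demo][0][value]' => 'Test',
  ];
  $this->submitForm($edit, 'Save');

  // Edit the node.
  $this->clickLink('Edit');

  // Check the remove button is present. xpath() returns a list of matches
  // (empty when nothing matches), so assert on emptiness; a not-null check
  // would pass even when the button is missing.
  $this->assertNotEmpty($this->xpath('//*[@name="field_paragraphs_demo_0_remove"]'));

  // Delete the Paragraph and save.
  $this->submitForm([], 'field_paragraphs_demo_0_remove');
  $this->submitForm([], 'Save');
  $node = $this->getNodeByTitle('delete_permissions');
  $this->assertSession()->addressEquals('node/' . $node->id());

  // Create an unpublished Paragraph and assert if it is displayed for the
  // user.
  $permissions = [
    'create paragraphed_content_demo content',
    'edit any paragraphed_content_demo content',
    'view unpublished paragraphs',
    'administer paragraph form display',
  ];
  $this->loginAsAdmin($permissions);

  // Expose the "status" checkbox on the text Paragraph form so the Paragraph
  // can be saved as unpublished.
  $edit = [
    'fields[status][region]' => 'content',
    'fields[status][type]' => 'boolean_checkbox',
  ];
  $this->drupalGet('admin/structure/paragraphs_type/text/form-display');
  $this->submitForm($edit, 'Save');
  $this->drupalGet('node/add/paragraphed_content_demo');
  $this->submitForm([], 'Add text');
  $this->assertSession()->pageTextContains('Text');
  $edit = [
    'title[0][value]' => 'unpublished_permissions',
    'field_paragraphs_demo[0][subform][field_text_demo][0][value]' => 'recognizable_test',
    'field_paragraphs_demo[0][subform][status][value]' => FALSE,
  ];
  $this->submitForm($edit, 'Save');

  // The author holds 'view unpublished paragraphs', so the unpublished
  // Paragraph is rendered and carries the unpublished marker class.
  $this->assertSession()->pageTextContains('recognizable_test');
  $this->assertSession()->responseContains('paragraph--unpublished');
  $this->drupalLogout();
  $node = $this->drupalGetNodeByTitle('unpublished_permissions');

  // Login as an user without the view unpublished Paragraph permission.
  $user = $this->drupalCreateUser([
    'administer nodes',
    'edit any paragraphed_content_demo content',
  ]);
  $this->drupalLogin($user);

  // Assert that the Paragraph is not displayed.
  $this->drupalGet('node/' . $node->id());
  $this->assertSession()->pageTextNotContains('recognizable_test');
  $this->assertSession()->responseNotContains('paragraph--unpublished');

  // Grant to the user the view unpublished Paragraph permission.
  $this->grantPermissions(Role::load(Role::AUTHENTICATED_ID), [
    'view unpublished paragraphs',
  ]);

  // Assert that the Paragraph is displayed.
  $this->drupalGet('node/' . $node->id());
  $this->assertSession()->pageTextContains('recognizable_test');
  $this->assertSession()->responseContains('paragraph--unpublished');

  // Grant to the user the administer Paragraphs settings permission.
  $this->grantPermissions(Role::load(Role::AUTHENTICATED_ID), [
    'administer paragraphs settings',
  ]);

  // Disable the show unpublished Paragraphs setting.
  $this->drupalGet('admin/config/content/paragraphs');
  $this->submitForm([
    'show_unpublished' => FALSE,
  ], 'Save configuration');

  // Assert that the Paragraph is not displayed even if the user has the
  // permission to do so.
  $this->drupalGet('node/' . $node->id());
  $this->assertSession()->pageTextNotContains('recognizable_test');
  $this->assertSession()->responseNotContains('paragraph--unpublished');

  // Enable the show unpublished Paragraphs setting.
  $this->drupalGet('admin/config/content/paragraphs');
  $this->submitForm([
    'show_unpublished' => TRUE,
  ], 'Save configuration');

  // Assert that the Paragraph is displayed when the user has the permission
  // to do so.
  $this->drupalGet('node/' . $node->id());
  $this->assertSession()->pageTextContains('recognizable_test');
  $this->assertSession()->responseContains('paragraph--unpublished');
}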