You are here

role_delegation.test in Role Delegation 7

Tests for the Role Delegation module.

File

role_delegation.test
View source
<?php

/**
 * @file
 * Tests for the Role Delegation module.
 */

/**
 * Base class for Role Delegation tests.
 */
class RoleDelegationTestCase extends DrupalWebTestCase {
  protected $rid_high, $rid_low, $user_high, $user_low;

  /**
   * Assign or remove one role to/from one user.
   *
   * The logged in user must have the "administer users"
   * permission in order for this function to succeed.
   *
   * @param $rid
   *   The role id of the role to assign or remove.
   * @param $user
   *   The user object of the user to assign/remove the role to.
   * @param $assign
   *   TRUE (the default) to assign the role, or
   *   FALSE to remove it.
   *
   * @return
   *   TRUE or FALSE depending on whether the role was
   *   successfully assigned or removed.
   */
  protected function assignRoleToUser($rid, $user, $assign = TRUE) {
    $this
      ->drupalGet("user/{$user->uid}/edit");
    if (count($this
      ->xpath("//input[@name='roles[{$rid}]']"))) {
      $name = "roles[{$rid}]";
    }
    elseif (count($this
      ->xpath("//input[@name='roles_change[{$rid}]']"))) {
      $name = "roles_change[{$rid}]";
    }
    else {
      return FALSE;
    }
    $this
      ->drupalPost(NULL, array(
      $name => $assign,
    ), t('Save'));
    $elements = $this
      ->xpath("//input[@name='{$name}']");
    return isset($elements[0]) && ($assign xor empty($elements[0]['checked']));
  }

  /**
   * Assign or remove one permission to/from one role, and assert
   * that the result succeeded.
   *
   * @param $permission
   *   The name of the permission to assign or remove.
   * @param $rid
   *   The role id of the role to assign/remove the permission to/from.
   * @param $assign
   *   TRUE (the default) to assign the permission, or
   *   FALSE to remove it.
   *
   * @return
   *   TRUE or FALSE depending on whether the permission was
   *   successfully assigned or removed.
   */
  protected function assignPermissionToRole($permission, $rid, $assign = TRUE) {
    $name = "{$rid}[{$permission}]";
    $this
      ->drupalPost("admin/people/permissions/{$rid}", array(
      $name => $assign,
    ), t('Save permissions'));
    $elements = $this
      ->xpath("//input[@name='{$name}']");
    $this
      ->assertTrue(isset($elements[0]) && ($assign xor empty($elements[0]['checked'])), ($assign ? 'Assign' : 'Remove') . ' permission "' . $permission . '" ' . ($assign ? 'to' : 'from') . " role {$rid}.");
  }
  public function setUp(array $modules = array(
    'role_delegation',
  )) {

    // Enable modules
    parent::setUp($modules);

    // Create roles
    $this->rid_high = $this
      ->drupalCreateRole(array(), 'high');
    $this->rid_low = $this
      ->drupalCreateRole(array(), 'low');

    // Create users
    $this->user_high = $this
      ->drupalCreateUser(array(
      'administer users',
      'access user profiles',
    ));
    $this->user_low = $this
      ->drupalCreateUser(array(
      'administer users',
    ));

    // Create privileged user and log in
    $this
      ->drupalLogin($this
      ->drupalCreateUser(array(
      'administer users',
      'administer permissions',
      'access user profiles',
    )));

    // Assign permissions to roles
    $this
      ->assignPermissionToRole('assign low role', $this->rid_high);

    // 'high' can assign 'low'
    // Assign roles to users
    $this
      ->assertTrue($this
      ->assignRoleToUser($this->rid_high, $this->user_high), 'Assign high role to high user');
  }

}

/**
 * Functional tests for permissions.
 */
class RoleDelegationPermissionsTestCase extends RoleDelegationTestCase {
  public static function getInfo() {
    return array(
      'name' => t('Permissions'),
      'description' => t('Check that role assignment permissions are enforced.'),
      'group' => t('Role Delegation'),
    );
  }

  /**
   * Check that high role can assign low role.
   */
  public function testHighLow() {
    $this
      ->drupalLogin($this->user_high);
    $this
      ->assertTrue($this
      ->assignRoleToUser($this->rid_low, $this->user_low), t('!role1 role can assign !role2 role.', array(
      '!role1' => 'High',
      '!role2' => 'low',
    )), t('Role Delegation'));
  }

  /**
   * Check that high role can't assign high role.
   */
  public function testHighHigh() {
    $this
      ->drupalLogin($this->user_high);

    // Just check that no option is presented to the user.
    $this
      ->assertFalse($this
      ->assignRoleToUser($this->rid_high, $this->user_high), t("!role1 role can't assign !role2 role.", array(
      '!role1' => 'High',
      '!role2' => 'high',
    )), t('Role Delegation'));
  }

  /**
   * Check that roles can't be assigned by forgery.
   */
  public function testRoleForgery() {
    $this
      ->drupalLogin($this->user_high);

    // Have the nefarious high user forge an option to assign the high role...
    $this
      ->drupalGet("user/{$this->user_low->uid}/edit");
    $name = "roles_change[{$this->rid_low}]";
    $input = $this
      ->xpath("//input[@name='{$name}']");
    $dome = dom_import_simplexml($input[0]);
    $dome
      ->setAttribute('value', $this->rid_high);

    // ... then submit the form, and check that he didn't get the role.
    $this
      ->drupalPost(NULL, array(
      $name => TRUE,
    ), t('Save'));
    $this
      ->assertRaw(t('An illegal choice has been detected. Please contact the site administrator.'), t('Role assignment forgery is blocked.') . ' (#1)', t('Role Delegation'));
    $this
      ->assertFieldByName($name, $this->rid_low, t('Role assignment forgery is blocked.') . ' (#2)', t('Role Delegation'));
  }

  /**
   * Check access to the role delegation page.
   */
  public function testRoleDelegationPageAccess() {

    // Users with 'administer permissions' can view the page.
    $this
      ->drupalGet("user/{$this->user_low->uid}/roles");
    $this
      ->assertResponse(200, t('Users with \'administer permissions\' can view the page.'));

    // Anonymous users can never access the roles page.
    $this
      ->drupalLogout();
    $this
      ->drupalGet("user/{$this->user_low->uid}/roles");
    $this
      ->assertResponse(403, t('Anonymous users can never access the roles page.'));

    // Users with only 'administer users' cannot view the page.
    $this
      ->drupalLogin($this
      ->drupalCreateUser(array(
      'administer users',
    )));
    $this
      ->drupalGet("user/{$this->user_low->uid}/roles");
    $this
      ->assertResponse(403, t('Users with only \'administer users\' cannot view the page.'));
    $this
      ->drupalLogout();
    $this
      ->drupalLogin($this->user_high);
    $this
      ->drupalGet("user/{$this->user_low->uid}/roles");
    $this
      ->assertResponse(200, t('Users with assign role permissions should be able to access the page.'));
    $this
      ->drupalLogout();
    $this
      ->drupalLogin($this->user_low);
    $this
      ->drupalGet("user/{$this->user_low->uid}/roles");
    $this
      ->assertResponse(403, t('Users without assign role permissions should not be able to access the page.'));
  }

}

/**
 * Functional tests for operations.
 */
class RoleDelegationOperationsTestCase extends RoleDelegationTestCase {
  public static function getInfo() {
    return array(
      'name' => t('Operations'),
      'description' => t('Check that role assignment bulk operations are available and work as intended.'),
      'group' => t('Role Delegation'),
    );
  }

  /**
   * Check that the right combination of Add and Remove role
   * operations is present in the user bulk update form.
   */
  public function testOperationsExist() {
    $this
      ->drupalLogin($this->user_high);
    $this
      ->drupalGet('admin/people');
    $this
      ->assertFieldByXPath('//select[@name="operation"]//option', "role_delegation_add_role-{$this->rid_low}", t("!user user can use Add !role role operation.", array(
      '!user' => 'High',
      '!role' => 'low',
    )), t('Role Delegation'));
    $this
      ->assertFieldByXPath('//select[@name="operation"]//option', "role_delegation_remove_role-{$this->rid_low}", t("!user user can use Remove !role role operation.", array(
      '!user' => 'High',
      '!role' => 'low',
    )), t('Role Delegation'));
    $this
      ->assertNoFieldByXPath('//select[@name="operation"]//option', "role_delegation_add_role-{$this->rid_high}", t("!user user can't use Add !role role operation.", array(
      '!user' => 'High',
      '!role' => 'high',
    )), t('Role Delegation'));
    $this
      ->assertNoFieldByXPath('//select[@name="operation"]//option', "role_delegation_remove_role-{$this->rid_high}", t("!user user can't use Remove !role role operation.", array(
      '!user' => 'High',
      '!role' => 'high',
    )), t('Role Delegation'));
  }

  /**
   * Check that Add and Remove role operations work as intended.
   */
  public function testOperationsWork() {
    $uids_to_test = array(
      $this->user_high->uid,
      $this->user_low->uid,
    );
    $edit = array();
    foreach ($uids_to_test as $uid) {
      $edit["accounts[{$uid}]"] = TRUE;
    }
    $this
      ->drupalLogin($this->user_high);
    $this
      ->drupalGet('admin/people');

    // Add low role
    $edit['operation'] = "role_delegation_add_role-{$this->rid_low}";
    $this
      ->drupalPost(NULL, $edit, t('Update'));
    foreach ($uids_to_test as $uid) {
      $this
        ->assertFieldByXPath("//tbody/tr[{$uid}]/td[4]//li", 'low', t('!user user assigned !role role to user !uid.', array(
        '!user' => 'High',
        '!role' => 'low',
        '!uid' => $uid,
      )), t('Role Delegation'));
    }

    // Remove low role
    $edit['operation'] = "role_delegation_remove_role-{$this->rid_low}";
    $this
      ->drupalPost(NULL, $edit, t('Update'));
    foreach ($uids_to_test as $uid) {
      $this
        ->assertNoFieldByXPath("//tbody/tr[{$uid}]/td[4]//li", 'low', t('!user user removed !role role from user !uid.', array(
        '!user' => 'High',
        '!role' => 'low',
        '!uid' => $uid,
      )), t('Role Delegation'));
    }
  }

  /**
   * Check that operations can't be forged.
   */
  public function testOperationsForgery() {
    $this
      ->drupalLogin($this->user_high);
    $this
      ->drupalGet('admin/people');

    // Forge an operation to add the high role...
    $option = $this
      ->xpath("//select[@name='operation']//option[@value='role_delegation_add_role-{$this->rid_low}']");
    if (count($option) == 0) {
      return;
    }
    $dome = dom_import_simplexml($option[0]);
    $dome
      ->setAttribute('value', "role_delegation_add_role-{$this->rid_high}");

    // ... then submit the form, and check that it wasn't granted.
    $edit = array(
      "accounts[{$this->user_low->uid}]" => TRUE,
      "operation" => "role_delegation_add_role-{$this->rid_high}",
    );
    $this
      ->drupalPost(NULL, $edit, t('Update'));
    $this
      ->assertRaw(t('An illegal choice has been detected. Please contact the site administrator.'), t('Role assignment forgery is blocked.') . ' (#1)', t('Role Delegation'));
    $this
      ->assertNoFieldByXPath("//tbody/tr[{$this->user_high->uid}]/td[4]//li", 'high', t('Role assignment forgery is blocked.') . ' (#2)', t('Role Delegation'));
  }

}

/**
 * Functional tests for editing roles.
 */
class RoleDelegationRoleEditingTestCase extends RoleDelegationTestCase {
  public static function getInfo() {
    return array(
      'name' => t('Role editing'),
      'description' => t('Check that role assignment permissions are updated correctly when roles are renamed or deleted.'),
      'group' => t('Role Delegation'),
    );
  }

  /**
   * Rename a role, and check that users that had permission to assign
   * the old role now have permission to assign the new one.
   */
  public function testRenameRole() {
    $this
      ->drupalPost("admin/people/permissions/roles/edit/{$this->rid_low}", array(
      'name' => 'new low',
    ), t('Save role'));
    $this
      ->drupalGet('admin/people/permissions');
    $this
      ->assertFieldChecked("edit-{$this->rid_high}-assign-new-low-role", t('Permissions are updated when role is renamed.'), t('Role Delegation'));
  }

  /**
   * Delete a role, then create a new one with the same name.
   * Check that no users have permission to assign the new role.
   */
  public function testDeleteRole() {
    $this
      ->drupalPost("admin/people/permissions/roles/delete/{$this->rid_low}", NULL, t('Delete'));
    $this
      ->drupalPost('admin/people/permissions/roles', array(
      'name' => 'low',
    ), t('Add role'));
    $this
      ->drupalGet('admin/people/permissions');
    $this
      ->assertNoFieldChecked("edit-{$this->rid_high}-assign-low-role", t('Permissions are updated when role is deleted.'), t('Role Delegation'));
  }

}

Classes

Namesort descending Description
RoleDelegationOperationsTestCase Functional tests for operations.
RoleDelegationPermissionsTestCase Functional tests for permissions.
RoleDelegationRoleEditingTestCase Functional tests for editing roles.
RoleDelegationTestCase Base class for Role Delegation tests.