
public function ViewsDataExportAccessTest::testExportedTempFileAccess in Views data export 7.3

Test that a VDE export can only be downloaded by the user who created it.

File

tests/access.test, line 25

Class

ViewsDataExportAccessTest
Test class for access checks for VDE downloads.

Code

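/**
 * Tests that a batched export file can only be re-downloaded by its creator.
 *
 * Runs one batched export as the first user, then requests the stored export
 * (eid 1) directly in four situations:
 * - original user with a token for their session: download is expected;
 * - original user without a token: empty output is expected;
 * - second user replaying the first user's token: empty output is expected;
 * - second user with a token for their own session: empty output is expected.
 *
 * The last case is the only one that separates an ownership check from
 * token validation: a replayed token can be refused because it does not match
 * the requesting session, whoever owns the export.
 */
public function testExportedTempFileAccess() {
  $this->admin_user1 = $this->drupalCreateUser();
  $this->admin_user2 = $this->drupalCreateUser();

  // Run a batched export.
  $path = 'vde_test/' . $this->randomName();
  list($view, $expected) = $this->getExportView($path);
  $display =& $view->display['vde_test']->handler;

  // Set this view to be batched.
  $display->override_option('use_batch', 'batch');

  // Save this view so we can hit the path.
  $view->save();

  // Ensure that the menu router system is rebuilt on the next page load.
  variable_set('menu_rebuild_needed', TRUE);
  $this->drupalLogin($this->admin_user1);

  // Capture the session_id as the redirects in the request ditch it.
  $session_id = $this->session_id;
  $this->assertBatchedExportEqual($path, $expected, 'Batched access export matched expected output.');

  // Remove all the test data, so future exports will be different. After
  // this, the expected output can only come from the stored export file, not
  // from a fresh run of the view.
  db_truncate('views_test')->execute();
  $this->resetAll();

  // Assert that we can re-download directly when supplying the token.
  // We rely on this being the first export in this test class.
  // Restore the session_id from above so we can use drupalGetToken.
  $this->session_id = $session_id;
  $token = $this->drupalGetToken('views_data_export/1');
  $this->drupalGet($path, array(
    'query' => array(
      'eid' => 1,
      'download' => 1,
      'token' => $token,
    ),
  ));
  $output = $this->drupalGetContent();
  $this->assertEqual($this->normaliseString($output), $expected, 'Re-download of export file by original user is possible with session token.');

  // Assert that we cannot re-download directly without supplying the token.
  // We rely on this being the first export in this test class.
  $this->drupalGet($path, array(
    'query' => array(
      'eid' => 1,
      'download' => 1,
    ),
  ));
  $output = $this->drupalGetContent();
  $this->assertEqual($this->normaliseString($output), '', 'Re-download of export file by original user is not possible.');

  // Assert that someone else can't download our file.
  // We rely on this being the first export in this test class.
  // This request replays user 1's token under user 2's session, so a refusal
  // here may come from token validation alone.
  $this->drupalLogin($this->admin_user2);
  $this->drupalGet($path, array(
    'query' => array(
      'eid' => 1,
      'download' => 1,
      'token' => $token,
    ),
  ));
  $output = $this->drupalGetContent();
  $this->assertEqual($this->normaliseString($output), '', 'Re-download of export file by different user is not possible.');

  // Assert that someone else can't download our file with a token generated
  // for their own session either. This is the request that exercises the
  // per-user ownership of the export rather than the token check.
  // NOTE(review): assumes $this->session_id holds user 2's session after
  // drupalLogin(); confirm, since redirects are noted above as dropping it.
  // NOTE(review): assumes a refused download yields empty output, as in the
  // two refusal cases above.
  $other_token = $this->drupalGetToken('views_data_export/1');
  $this->drupalGet($path, array(
    'query' => array(
      'eid' => 1,
      'download' => 1,
      'token' => $other_token,
    ),
  ));
  $output = $this->drupalGetContent();
  $this->assertEqual($this->normaliseString($output), '', 'Re-download of export file by different user is not possible with their own session token.');
}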