You are here

function FilePrivateTest::testPrivateFile in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/file/src/Tests/FilePrivateTest.php \Drupal\file\Tests\FilePrivateTest::testPrivateFile()

Tests file access for file uploaded to a private node.

File

core/modules/file/src/Tests/FilePrivateTest.php, line 39
Contains \Drupal\file\Tests\FilePrivateTest.

Class

FilePrivateTest
Uploads a test to a private node and checks access.

Namespace

Drupal\file\Tests

Code

function testPrivateFile() {
  $node_storage = $this->container
    ->get('entity.manager')
    ->getStorage('node');
  $type_name = 'article';
  $field_name = strtolower($this
    ->randomMachineName());
  $this
    ->createFileField($field_name, 'node', $type_name, array(
    'uri_scheme' => 'private',
  ));
  $test_file = $this
    ->getTestFile('text');
  $nid = $this
    ->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array(
    'private' => TRUE,
  ));
  \Drupal::entityManager()
    ->getStorage('node')
    ->resetCache(array(
    $nid,
  ));

  /* @var \Drupal\node\NodeInterface $node */
  $node = $node_storage
    ->load($nid);
  $node_file = File::load($node->{$field_name}->target_id);

  // Ensure the file can be viewed.
  $this
    ->drupalGet('node/' . $node
    ->id());
  $this
    ->assertRaw($node_file
    ->getFilename(), 'File reference is displayed after attaching it');

  // Ensure the file can be downloaded.
  $this
    ->drupalGet(file_create_url($node_file
    ->getFileUri()));
  $this
    ->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
  $this
    ->drupalLogOut();
  $this
    ->drupalGet(file_create_url($node_file
    ->getFileUri()));
  $this
    ->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');

  // Create a field with no view access. See
  // field_test_entity_field_access().
  $no_access_field_name = 'field_no_view_access';
  $this
    ->createFileField($no_access_field_name, 'node', $type_name, array(
    'uri_scheme' => 'private',
  ));

  // Test with the field that should deny access through field access.
  $this
    ->drupalLogin($this->adminUser);
  $nid = $this
    ->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, array(
    'private' => TRUE,
  ));
  \Drupal::entityManager()
    ->getStorage('node')
    ->resetCache(array(
    $nid,
  ));
  $node = $node_storage
    ->load($nid);
  $node_file = File::load($node->{$no_access_field_name}->target_id);

  // Ensure the file cannot be downloaded.
  $file_url = file_create_url($node_file
    ->getFileUri());
  $this
    ->drupalGet($file_url);
  $this
    ->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission.');

  // Attempt to reuse the file when editing a node.
  $edit = array();
  $edit['title[0][value]'] = $this
    ->randomMachineName();
  $this
    ->drupalPostForm('node/add/' . $type_name, $edit, t('Save and publish'));
  $new_node = $this
    ->drupalGetNodeByTitle($edit['title[0][value]']);
  $edit[$field_name . '[0][fids]'] = $node_file
    ->id();
  $this
    ->drupalPostForm('node/' . $new_node
    ->id() . '/edit', $edit, t('Save and keep published'));

  // Make sure the form submit failed - we stayed on the edit form.
  $this
    ->assertUrl('node/' . $new_node
    ->id() . '/edit');

  // Check that we got the expected constraint form error.
  $constraint = new ReferenceAccessConstraint();
  $this
    ->assertRaw(SafeMarkup::format($constraint->message, array(
    '%type' => 'file',
    '%id' => $node_file
      ->id(),
  )));

  // Attempt to reuse the existing file when creating a new node, and confirm
  // that access is still denied.
  $edit = array();
  $edit['title[0][value]'] = $this
    ->randomMachineName();
  $edit[$field_name . '[0][fids]'] = $node_file
    ->id();
  $this
    ->drupalPostForm('node/add/' . $type_name, $edit, t('Save and publish'));
  $new_node = $this
    ->drupalGetNodeByTitle($edit['title[0][value]']);
  $this
    ->assertTrue(empty($new_node), 'Node was not created.');
  $this
    ->assertUrl('node/add/' . $type_name);
  $this
    ->assertRaw(SafeMarkup::format($constraint->message, array(
    '%type' => 'file',
    '%id' => $node_file
      ->id(),
  )));

  // Now make file_test_file_download() return everything.
  \Drupal::state()
    ->set('file_test.allow_all', TRUE);

  // Delete the node.
  $node
    ->delete();

  // Ensure the file can still be downloaded by the owner.
  $this
    ->drupalGet($file_url);
  $this
    ->assertResponse(200, 'Confirmed that the owner still has access to the temporary file.');

  // Ensure the file cannot be downloaded by an anonymous user.
  $this
    ->drupalLogout();
  $this
    ->drupalGet($file_url);
  $this
    ->assertResponse(403, 'Confirmed that access is denied for an anonymous user to the temporary file.');

  // Ensure the file cannot be downloaded by another user.
  $account = $this
    ->drupalCreateUser();
  $this
    ->drupalLogin($account);
  $this
    ->drupalGet($file_url);
  $this
    ->assertResponse(403, 'Confirmed that access is denied for another user to the temporary file.');
}