<?php
/**
* @file
* Tests for field_permissions.module.
*/
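/**
 * Tests the Field Permissions module.
 *
 * These are browser-driven functional tests of field-level access control.
 * They switch between two accounts and check which field labels and values
 * each account is shown for the public, private and custom permission types.
 *
 * Both accounts share the same node, content type, taxonomy and permission
 * administration permissions. Only the "admin" account additionally holds
 * 'administer field permissions' and 'administer users'.
 *
 * A negative assertion (assertNoText) also passes on an access-denied,
 * not-found or error page. Every "field is hidden" check in this class is
 * therefore paired with either assertResponse(200) or a positive assertText()
 * on the same page, so a hidden field is only accepted on a page that loaded.
 */
class FieldPermissionsTestCase extends DrupalWebTestCase {
  // Account that additionally holds 'administer field permissions' and
  // 'administer users'.
  private $admin_user = NULL;

  // Account without the two permissions above; logged in at the end of setUp().
  private $limited_user = NULL;

  // Highest role ID held by $admin_user (see getHighestRoleId()).
  private $admin_rid = NULL;

  // Highest role ID held by $limited_user; used to build the checkbox names on
  // the permissions form.
  private $limited_rid = NULL;

  /**
   * Returns the test metadata shown in the SimpleTest UI.
   */
  public static function getInfo() {
    return array(
      'name' => 'Field permissions functionality',
      'description' => 'Test field permissions.',
      'group' => 'Field permissions',
    );
  }

  /**
   * Enables the required modules and creates the two test accounts.
   */
  public function setUp() {
    parent::setUp('field_ui', 'field_permissions');

    // Permissions shared by both accounts. Note that the "limited" user is not
    // unprivileged: it can administer nodes, content types and permissions. It
    // only lacks the two permissions added for the admin user below.
    $base_permissions = array(
      'access content',
      'administer nodes',
      'bypass node access',
      'administer content types',
      'administer taxonomy',
      'administer permissions',
      'create page content',
    );
    $this->limited_user = $this->drupalCreateUser($base_permissions);
    $this->limited_rid = $this->getHighestRoleId($this->limited_user);

    $admin_permissions = $base_permissions;
    $admin_permissions[] = 'administer field permissions';
    $admin_permissions[] = 'administer users';
    $this->admin_user = $this->drupalCreateUser($admin_permissions);
    $this->admin_rid = $this->getHighestRoleId($this->admin_user);

    $this->drupalLogin($this->limited_user);
  }

  /**
   * Walks a node body field through public, private and custom permissions.
   *
   * The sequence of logins matters: each block of assertions is evaluated for
   * whichever account was logged in last.
   */
  public function testPermissionsUI() {
    // This depends on a page node type with a body field, standard install.
    // Could alternatively extend field_ui.test classes, but would be much
    // slower to run. Tradeoffs.
    $field_info = array(
      'admin_path' => 'admin/structure/types/manage/page/fields/body',
      'machine_name' => 'body',
      'add_path' => 'node/add/page',
      'name' => 'Body',
      'form_field' => 'body[und][0][value]',
      'value' => $this->randomName(),
    );
    $machine_name = $field_info['machine_name'];
    $message_args = array('@field' => $machine_name);

    // Check if we can see the field on the entity creation form.
    $this->drupalGet($field_info['add_path']);
    $this->assertText($field_info['name']);

    // Admin users cannot access field permissions without specifically being
    // granted the permission to do so. The field settings page itself must
    // load, otherwise the missing section proves nothing.
    $this->drupalGet($field_info['admin_path']);
    $this->assertResponse(200);
    $this->assertNoText(t('Field visibility and permissions'));

    // Switch to admin user who can see the field permissions UI.
    $this->switchToUser($this->admin_user);
    $this->drupalGet($field_info['admin_path']);
    $this->assertText(t('Field visibility and permissions'));

    // == PUBLIC FIELD =========================================================

    $this->assertFieldChecked('edit-field-field-permissions-type-0');

    // Although simpletest could create a node for us, we are doing this directly
    // to ensure we have full control over the process. Given that we work with
    // field permissions.
    $this->switchToUser($this->limited_user);
    $node1_values = array(
      'title' => $this->randomName(),
      $field_info['form_field'] => $field_info['value'],
    );
    $this->drupalPost($field_info['add_path'], $node1_values, t('Save'));
    $this->assertText($node1_values['title']);
    $this->assertText($field_info['value']);
    $nid1 = $this->getSavedNodeId();

    // Switch to admin user to check we can see the body.
    $this->switchToUser($this->admin_user);
    $this->drupalGet('node/' . $nid1);
    $this->assertText($node1_values['title']);
    $this->assertText($field_info['value']);

    // And we can edit the title and body.
    $this->drupalGet('node/' . $nid1 . '/edit');
    $this->assertText('Title');
    $this->assertText($node1_values['title']);
    $this->assertText($field_info['name']);
    $this->assertText($field_info['value']);

    // == PRIVATE FIELD ========================================================

    // Still logged in as the admin user: set the field to private.
    $edit = array(
      'field[field_permissions][type]' => 1,
    );
    $this->drupalPost($field_info['admin_path'], $edit, t('Save settings'));

    // Now we should not have access to see or edit this field. The admin user
    // did not author node 1. The title assertions confirm each page rendered.
    // NOTE(review): only a non-author is exercised here; whether the author
    // keeps access to their own private value is not asserted in this test.
    $this->drupalGet('node/' . $nid1);
    $this->assertText($node1_values['title']);
    $this->assertNoText($field_info['value']);
    $this->drupalGet($field_info['add_path']);
    $this->assertText('Title');
    $this->assertText($field_info['name']);
    $this->drupalGet('node/' . $nid1 . '/edit');
    $this->assertText('Title');
    $this->assertNoText($field_info['name']);
    $this->assertNoText($field_info['value']);

    // Grant this user the Drupal core administrator role. This will give them
    // the 'access private fields' permission (tested here), and it also means
    // that when custom field permissions are created later on in this test,
    // the admin user will automatically get those permissions granted also.
    $user_admin_rid = variable_get('user_admin_role', 0);
    // Without a configured administrator role the checkbox below does not
    // exist; fail with a clear message instead of a missing-field error.
    $this->assertTrue($user_admin_rid > 0, 'An administrator role is configured for the site.');
    $edit = array(
      "roles[$user_admin_rid]" => TRUE,
    );
    $this->drupalPost('user/' . $this->admin_user->uid . '/edit', $edit, t('Save'));

    // Now we should have access to see or submit or edit this field again.
    $this->drupalGet('node/' . $nid1);
    $this->assertText($node1_values['title']);
    $this->assertText($field_info['value']);
    $this->drupalGet($field_info['add_path']);
    $this->assertText('Title');
    $this->assertText($field_info['name']);
    $this->drupalGet('node/' . $nid1 . '/edit');
    $this->assertText('Title');
    $this->assertText($field_info['name']);
    $this->assertText($field_info['value']);

    // == CUSTOM PERMISSIONS ===================================================

    // Introduce body creation permission.
    $edit = array(
      'field[field_permissions][type]' => 2,
    );
    $this->drupalPost($field_info['admin_path'], $edit, t('Save settings'));
    $this->drupalGet($field_info['admin_path']);
    $this->assertFieldPermissionLabels($field_info['name']);

    // See if we have that exposed on the permissions UI as well now.
    $this->drupalGet('admin/people/permissions');
    $this->assertText(t('Field Permissions'));
    $this->assertFieldPermissionLabels($field_info['name']);

    // == CREATE ===============================================================

    // The admin user should have been automatically granted the create
    // permission, but the limited user shouldn't have it yet.
    $this->assertUserHasPermission($this->admin_user, 'create ' . $machine_name, t('Admin user does have "create @field" permission.', $message_args));
    $this->assertUserDoesNotHavePermission($this->limited_user, 'create ' . $machine_name, t('Limited user does not have "create @field" permission.', $message_args));

    // Should not see the field on the entity creation form anymore for
    // limited_user. The form itself must still load for this to be meaningful.
    $this->switchToUser($this->limited_user);
    $this->drupalGet($field_info['add_path']);
    $this->assertResponse(200);
    $this->assertNoText($field_info['name']);

    // Grant body creation permission to limited users too. The limited user is
    // the one logged in here; it holds 'administer permissions' and so submits
    // the permissions form itself.
    $this->grantPermissionToLimitedRole('create ' . $machine_name);
    $this->assertUserHasPermission($this->admin_user, 'create ' . $machine_name, t('Admin user does have "create @field" permission.', $message_args));
    $this->assertUserHasPermission($this->limited_user, 'create ' . $machine_name, t('Limited user does have "create @field" permission.', $message_args));

    // Should see the field again on the entity creation form.
    $this->drupalGet($field_info['add_path']);
    $this->assertText($field_info['name']);

    // Although simpletest could create a node for us, we are doing this directly
    // to ensure we have full control over the process. Given that we work with
    // field permissions.
    $node2_values = array(
      'title' => $this->randomName(),
      $field_info['form_field'] => $field_info['value'],
    );
    $this->drupalPost($field_info['add_path'], $node2_values, t('Save'));
    $this->assertText($node2_values['title']);
    // The body will not yet be visible to this user.
    $this->assertNoText($field_info['value']);
    $nid2 = $this->getSavedNodeId();

    // Switch to admin user and prove she has access to body.
    $this->switchToUser($this->admin_user);
    $this->drupalGet('node/' . $nid2);
    $this->assertText($node2_values['title']);
    $this->assertText($field_info['value']);

    // == VIEW =================================================================

    // Grant body view permission to limited users too.
    $this->grantPermissionToLimitedRole('view ' . $machine_name);
    $this->assertUserHasPermission($this->admin_user, 'view ' . $machine_name, t('Admin user does have "view @field" permission.', $message_args));
    $this->assertUserHasPermission($this->limited_user, 'view ' . $machine_name, t('Limited user does have "view @field" permission.', $message_args));

    // Limited user can now see the field.
    $this->switchToUser($this->limited_user);
    $this->drupalGet('node/' . $nid2);
    $this->assertText($node2_values['title']);
    $this->assertText($field_info['value']);

    // == EDIT =================================================================

    // We still don't have access to edit our field. The edit form must load
    // for the absence of the value to count as the field being withheld.
    $this->drupalGet('node/' . $nid2 . '/edit');
    $this->assertResponse(200);
    $this->assertNoText($field_info['value']);

    // Switch to admin user to configure edit permissions.
    $this->switchToUser($this->admin_user);

    // Ensure the editing screen now has the body.
    $this->drupalGet('node/' . $nid2 . '/edit');
    $this->assertText($field_info['value']);

    // Grant body editing permission for the limited role.
    $this->grantPermissionToLimitedRole('edit ' . $machine_name);
    $this->assertUserHasPermission($this->admin_user, 'edit ' . $machine_name, t('Admin user does have "edit @field" permission.', $message_args));
    $this->assertUserHasPermission($this->limited_user, 'edit ' . $machine_name, t('Limited user does have "edit @field" permission.', $message_args));

    // Ensure the editing screen still has the body.
    $this->drupalGet('node/' . $nid2 . '/edit');
    $this->assertText($field_info['value']);

    // Switch to limited user to check that we can edit body now.
    $this->switchToUser($this->limited_user);
    $this->drupalGet('node/' . $nid2 . '/edit');
    $this->assertText($field_info['value']);
  }

  /**
   * Tests a custom-permission field attached to user accounts.
   *
   * The field is shown on the registration form, but a logged-in user without
   * an edit grant must not get it on their own account edit form.
   */
  public function testUserFields() {
    // Create a field attached to users and make it appear on the user
    // registration form with (default) custom permissions.
    $this->drupalLogin($this->admin_user);
    $label = 'Field attached to users';
    $edit = array(
      'fields[_add_new_field][label]' => $label,
      'fields[_add_new_field][field_name]' => 'attached_to_users',
      'fields[_add_new_field][type]' => 'text',
      'fields[_add_new_field][widget_type]' => 'text_textfield',
    );
    $this->drupalPost('admin/config/people/accounts/fields', $edit, t('Save'));
    $this->drupalPost(NULL, array(), t('Save field settings'));
    $edit = array(
      'field[field_permissions][type]' => 2,
      'instance[settings][user_register_form]' => TRUE,
    );
    $this->drupalPost(NULL, $edit, t('Save settings'));

    // Log out, go to the registration form and make sure the field appears
    // there for anonymous users.
    $this->drupalLogout();
    $this->drupalGet('user/register');
    $this->assertText($label);

    // Log in and make sure the user does not have access to edit the field
    // (i.e., there are only default permissions to create it). The 200 check
    // keeps the negative assertion from passing on an access-denied page.
    $this->drupalLogin($this->limited_user);
    $this->drupalGet('user/' . $this->limited_user->uid . '/edit');
    $this->assertResponse(200);
    $this->assertNoText($label);
  }

  /**
   * Asserts that a user account has a permission.
   *
   * @param object $account
   *   An account object; only its uid is read.
   * @param string $permission
   *   The permission machine name.
   * @param string $message
   *   The assertion message.
   */
  protected function assertUserHasPermission($account, $permission, $message) {
    $this->_assertUserPermissionState($account, $permission, $message, TRUE);
  }

  /**
   * Asserts that a user account does not have a permission.
   *
   * @param object $account
   *   An account object; only its uid is read.
   * @param string $permission
   *   The permission machine name.
   * @param string $message
   *   The assertion message.
   */
  protected function assertUserDoesNotHavePermission($account, $permission, $message) {
    $this->_assertUserPermissionState($account, $permission, $message, FALSE);
  }

  /**
   * Helper function for asserting user permissions.
   *
   * @param object $account
   *   An account object; only its uid is read.
   * @param string $permission
   *   The permission machine name.
   * @param string $message
   *   The assertion message.
   * @param bool $should_have_permission
   *   TRUE to assert the permission is held, FALSE to assert it is not.
   */
  protected function _assertUserPermissionState($account, $permission, $message, $should_have_permission) {
    // We need to clear static caches since the tests may have recently changed
    // the permissions via the UI (i.e., in a different thread than the one
    // running the tests).
    drupal_static_reset('user_access');
    drupal_static_reset('user_role_permissions');

    // Load the full user account, since we may have been provided an out of
    // date pseudo-account of the kind SimpleTest uses (e.g. as returned by
    // drupalCreateUser()), rather than an up to date object that actually
    // contains the full list of roles this user has been assigned. The second
    // argument resets the load cache, so that roles changed through the UI
    // after an earlier load in this thread are picked up as well.
    $full_account = user_load($account->uid, TRUE);

    // Now check the permission.
    $has_permission = user_access($permission, $full_account);
    if ($should_have_permission) {
      $this->assertTrue($has_permission, $message);
    }
    else {
      $this->assertFalse($has_permission, $message);
    }
  }

  /**
   * Returns the highest role ID held by an account.
   *
   * NOTE(review): presumably this is the role drupalCreateUser() created for
   * the account, since that role is newer than the built-in ones - confirm.
   */
  private function getHighestRoleId($account) {
    $rids = array_keys($account->roles);
    sort($rids);
    return array_pop($rids);
  }

  /**
   * Logs the current user out and logs the given account in.
   */
  private function switchToUser($account) {
    $this->drupalGet('user/logout');
    $this->drupalLogin($account);
  }

  /**
   * Extracts the node ID from the current URL after a node form submission.
   *
   * Records a failed assertion when the URL does not end in "node/<nid>" (for
   * example because the form was rejected), so later requests are not silently
   * built from a non-numeric value.
   *
   * @return string|null
   *   The node ID, or NULL when the URL did not match.
   */
  private function getSavedNodeId() {
    $matches = array();
    $matched = preg_match('!node/(\d+)$!', $this->getUrl(), $matches) === 1;
    $this->assertTrue($matched, 'The browser was redirected to the saved node.');
    return $matched ? $matches[1] : NULL;
  }

  /**
   * Asserts that all five custom permission labels are on the current page.
   */
  private function assertFieldPermissionLabels($field_label) {
    $args = array('%field' => $field_label);
    $this->assertRaw(t('Create own value for field %field', $args));
    $this->assertRaw(t('Edit own value for field %field', $args));
    $this->assertRaw(t("Edit anyone's value for field %field", $args));
    $this->assertRaw(t('View own value for field %field', $args));
    $this->assertRaw(t("View anyone's value for field %field", $args));
  }

  /**
   * Grants a permission to the limited user's role through the permissions UI.
   *
   * The request is made as whichever account is currently logged in.
   */
  private function grantPermissionToLimitedRole($permission) {
    $edit = array(
      $this->limited_rid . '[' . $permission . ']' => TRUE,
    );
    $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
  }

}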