1
|
<?php
|
2
|
|
3
|
/**
|
4
|
* @file
|
5
|
* Tests for field_permissions.module.
|
6
|
*/
|
7
|
|
8
|
/**
|
9
|
* Tests the Field Permissions module.
|
10
|
*/
|
11
|
class FieldPermissionsTestCase extends DrupalWebTestCase {
|
12
|
private $admin_user = NULL;
|
13
|
private $limited_user = NULL;
|
14
|
private $admin_rid = NULL;
|
15
|
private $limited_rid = NULL;
|
16
|
|
17
|
public static function getInfo() {
|
18
|
return array(
|
19
|
'name' => 'Field permissions functionality',
|
20
|
'description' => 'Test field permissions.',
|
21
|
'group' => 'Field permissions'
|
22
|
);
|
23
|
}
|
24
|
|
25
|
function setUp() {
|
26
|
parent::setUp('field_ui', 'field_permissions');
|
27
|
|
28
|
// Create test user.
|
29
|
$admin_permissions = array('access content', 'administer nodes', 'bypass node access', 'administer content types', 'administer taxonomy', 'administer permissions', 'create page content', 'administer fields');
|
30
|
$this->limited_user = $this->drupalCreateUser($admin_permissions);
|
31
|
$all_rids = array_keys($this->limited_user->roles);
|
32
|
sort($all_rids);
|
33
|
$this->limited_rid = array_pop($all_rids);
|
34
|
|
35
|
$admin_permissions[] = 'administer field permissions';
|
36
|
$admin_permissions[] = 'administer users';
|
37
|
$this->admin_user = $this->drupalCreateUser($admin_permissions);
|
38
|
$all_rids = array_keys($this->admin_user->roles);
|
39
|
sort($all_rids);
|
40
|
$this->admin_rid = array_pop($all_rids);
|
41
|
|
42
|
$this->drupalLogin($this->limited_user);
|
43
|
}
|
44
|
|
45
|
function testPermissionsUI() {
|
46
|
// This depends on a page node type with a body field, standard install.
|
47
|
// Could alternatively extend field_ui.test classes, but would be much
|
48
|
// slower to run. Tradeoffs.
|
49
|
$field_info = array(
|
50
|
'admin_path' => 'admin/structure/types/manage/page/fields/body',
|
51
|
'machine_name' => 'body',
|
52
|
'add_path' => 'node/add/page',
|
53
|
'name' => 'Body',
|
54
|
'form_field' => 'body[und][0][value]',
|
55
|
'value' => $this->randomName(),
|
56
|
);
|
57
|
|
58
|
// Check if we can see the field on the entity creation form.
|
59
|
$this->drupalGet($field_info['add_path']);
|
60
|
$this->assertText($field_info['name']);
|
61
|
|
62
|
// Admin users cannot access field permissions without specifically being
|
63
|
// granted the permission to do so.
|
64
|
$this->drupalGet($field_info['admin_path']);
|
65
|
$this->assertNoText(t('Field visibility and permissions'));
|
66
|
|
67
|
// Switch to admin user who can see the field permissions UI.
|
68
|
$this->drupalGet('user/logout');
|
69
|
$this->drupalLogin($this->admin_user);
|
70
|
$this->drupalGet($field_info['admin_path']);
|
71
|
$this->assertText(t('Field visibility and permissions'));
|
72
|
|
73
|
// == PUBLIC FIELD =========================================================
|
74
|
|
75
|
$this->assertFieldChecked('edit-field-field-permissions-type-0');
|
76
|
|
77
|
// Although simpletest could create a node for us, we are doing this directly
|
78
|
// to ensure we have full control over the process. Given that we work with
|
79
|
// field permissions.
|
80
|
$this->drupalGet('user/logout');
|
81
|
$this->drupalLogin($this->limited_user);
|
82
|
$node1_values = array(
|
83
|
'title' => $this->randomName(),
|
84
|
$field_info['form_field'] => $field_info['value'],
|
85
|
);
|
86
|
$this->drupalPost($field_info['add_path'], $node1_values, t('Save'));
|
87
|
$this->assertText($node1_values['title']);
|
88
|
$this->assertText($field_info['value']);
|
89
|
$url = $this->getUrl();
|
90
|
$nid1 = preg_replace('!^.*node/(\d+)$!', '\1', $url);
|
91
|
|
92
|
// Switch to admin user to check we can see the body.
|
93
|
$this->drupalGet('user/logout');
|
94
|
$this->drupalLogin($this->admin_user);
|
95
|
$this->drupalGet('node/' . $nid1);
|
96
|
$this->assertText($node1_values['title']);
|
97
|
$this->assertText($field_info['value']);
|
98
|
|
99
|
// And we can edit the title and body.
|
100
|
$this->drupalGet('node/' . $nid1 . '/edit');
|
101
|
$this->assertText('Title');
|
102
|
$this->assertText($node1_values['title']);
|
103
|
$this->assertText($field_info['name']);
|
104
|
$this->assertText($field_info['value']);
|
105
|
|
106
|
// == PRIVATE FIELD ========================================================
|
107
|
|
108
|
// Switch to admin user to set field to private.
|
109
|
$edit = array(
|
110
|
'field[field_permissions][type]' => 1,
|
111
|
);
|
112
|
$this->drupalPost($field_info['admin_path'], $edit, t('Save settings'));
|
113
|
|
114
|
// Now we should not have access to see or edit this field.
|
115
|
$this->drupalGet('node/' . $nid1);
|
116
|
$this->assertText($node1_values['title']);
|
117
|
$this->assertNoText($field_info['value']);
|
118
|
$this->drupalGet($field_info['add_path']);
|
119
|
$this->assertText('Title');
|
120
|
$this->assertText($field_info['name']);
|
121
|
$this->drupalGet('node/' . $nid1 . '/edit');
|
122
|
$this->assertText('Title');
|
123
|
$this->assertNoText($field_info['name']);
|
124
|
$this->assertNoText($field_info['value']);
|
125
|
|
126
|
// Grant this user the Drupal core administrator role. This will give them
|
127
|
// the 'access private fields' permission (tested here), and it also means
|
128
|
// that when custom field permissions are created later on in this test,
|
129
|
// the admin user will automatically get those permissions granted also.
|
130
|
$user_admin_rid = variable_get('user_admin_role', 0);
|
131
|
$edit = array(
|
132
|
"roles[$user_admin_rid]" => TRUE,
|
133
|
);
|
134
|
$this->drupalPost('user/' . $this->admin_user->uid . '/edit', $edit, t('Save'));
|
135
|
|
136
|
// Now we should have access to see or submit or edit this field again.
|
137
|
$this->drupalGet('node/' . $nid1);
|
138
|
$this->assertText($node1_values['title']);
|
139
|
$this->assertText($field_info['value']);
|
140
|
$this->drupalGet($field_info['add_path']);
|
141
|
$this->assertText('Title');
|
142
|
$this->assertText($field_info['name']);
|
143
|
$this->drupalGet('node/' . $nid1 . '/edit');
|
144
|
$this->assertText('Title');
|
145
|
$this->assertText($field_info['name']);
|
146
|
$this->assertText($field_info['value']);
|
147
|
|
148
|
// == CUSTOM PERMISSIONS ===================================================
|
149
|
|
150
|
// Introduce body creation permission.
|
151
|
$edit = array(
|
152
|
'field[field_permissions][type]' => 2,
|
153
|
);
|
154
|
$this->drupalPost($field_info['admin_path'], $edit, t('Save settings'));
|
155
|
$this->drupalGet($field_info['admin_path']);
|
156
|
$this->assertRaw(t('Create own value for field %field', array('%field' => $field_info['name'])));
|
157
|
$this->assertRaw(t('Edit own value for field %field', array('%field' => $field_info['name'])));
|
158
|
$this->assertRaw(t("Edit anyone's value for field %field", array('%field' => $field_info['name'])));
|
159
|
$this->assertRaw(t('View own value for field %field', array('%field' => $field_info['name'])));
|
160
|
$this->assertRaw(t("View anyone's value for field %field", array('%field' => $field_info['name'])));
|
161
|
|
162
|
// See if we have that exposed on the permissions UI as well now.
|
163
|
$this->drupalGet('admin/people/permissions');
|
164
|
$this->assertText(t('Field Permissions'));
|
165
|
$this->assertRaw(t('Create own value for field %field', array('%field' => $field_info['machine_name'])));
|
166
|
$this->assertRaw(t('Edit own value for field %field', array('%field' => $field_info['machine_name'])));
|
167
|
$this->assertRaw(t("Edit anyone's value for field %field", array('%field' => $field_info['machine_name'])));
|
168
|
$this->assertRaw(t('View own value for field %field', array('%field' => $field_info['machine_name'])));
|
169
|
$this->assertRaw(t("View anyone's value for field %field", array('%field' => $field_info['machine_name'])));
|
170
|
|
171
|
// == CREATE ===============================================================
|
172
|
|
173
|
// The admin user should have been automatically granted the create
|
174
|
// permission, but the limited user shouldn't have it yet.
|
175
|
$this->assertUserHasPermission($this->admin_user, 'create ' . $field_info['machine_name'], t('Admin user does have "create @field" permission.', array('@field' => $field_info['machine_name'])));
|
176
|
$this->assertUserDoesNotHavePermission($this->limited_user, 'create ' . $field_info['machine_name'], t('Limited user does not have "create @field" permission.', array('@field' => $field_info['machine_name'])));
|
177
|
|
178
|
// Should not see the field on the entity creation form anymore for limited_user.
|
179
|
$this->drupalGet('user/logout');
|
180
|
$this->drupalLogin($this->limited_user);
|
181
|
$this->drupalGet($field_info['add_path']);
|
182
|
$this->assertNoText($field_info['name']);
|
183
|
|
184
|
// Grant body creation permission to limited users too.
|
185
|
$edit = array(
|
186
|
$this->limited_rid .'[create '. $field_info['machine_name'] .']' => TRUE,
|
187
|
);
|
188
|
$this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
|
189
|
$this->assertUserHasPermission($this->admin_user, 'create ' . $field_info['machine_name'], t('Admin user does have "create @field" permission.', array('@field' => $field_info['machine_name'])));
|
190
|
$this->assertUserHasPermission($this->limited_user, 'create ' . $field_info['machine_name'], t('Limited user does have "create @field" permission.', array('@field' => $field_info['machine_name'])));
|
191
|
|
192
|
// Should see the field again on the entity creation form.
|
193
|
$this->drupalGet($field_info['add_path']);
|
194
|
$this->assertText($field_info['name']);
|
195
|
|
196
|
// Although simpletest could create a node for us, we are doing this directly
|
197
|
// to ensure we have full control over the process. Given that we work with
|
198
|
// field permissions.
|
199
|
$node2_values = array(
|
200
|
'title' => $this->randomName(),
|
201
|
$field_info['form_field'] => $field_info['value'],
|
202
|
);
|
203
|
$this->drupalPost($field_info['add_path'], $node2_values, t('Save'));
|
204
|
$this->assertText($node2_values['title']);
|
205
|
// The body will not yet be visible to this user.
|
206
|
$this->assertNoText($field_info['value']);
|
207
|
$url = $this->getUrl();
|
208
|
$nid2 = preg_replace('!^.*node/(\d+)$!', '\1', $url);
|
209
|
|
210
|
// Switch to admin user and prove she has access to body.
|
211
|
$this->drupalGet('user/logout');
|
212
|
$this->drupalLogin($this->admin_user);
|
213
|
$this->drupalGet('node/' . $nid2);
|
214
|
$this->assertText($node2_values['title']);
|
215
|
$this->assertText($field_info['value']);
|
216
|
|
217
|
// == VIEW =================================================================
|
218
|
|
219
|
// Grant body view permission to limited users too.
|
220
|
$edit = array(
|
221
|
$this->limited_rid .'[view '. $field_info['machine_name'] .']' => TRUE,
|
222
|
);
|
223
|
$this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
|
224
|
$this->assertUserHasPermission($this->admin_user, 'view ' . $field_info['machine_name'], t('Admin user does have "view @field" permission.', array('@field' => $field_info['machine_name'])));
|
225
|
$this->assertUserHasPermission($this->limited_user, 'view ' . $field_info['machine_name'], t('Limited user does have "view @field" permission.', array('@field' => $field_info['machine_name'])));
|
226
|
|
227
|
// Limited user can now see the field.
|
228
|
$this->drupalGet('user/logout');
|
229
|
$this->drupalLogin($this->limited_user);
|
230
|
$this->drupalGet('node/' . $nid2);
|
231
|
$this->assertText($node2_values['title']);
|
232
|
$this->assertText($field_info['value']);
|
233
|
|
234
|
// == EDIT =================================================================
|
235
|
|
236
|
// We still don't have access to edit our field.
|
237
|
$this->drupalGet('node/' . $nid2 . '/edit');
|
238
|
$this->assertNoText($field_info['value']);
|
239
|
|
240
|
// Switch to admin user to configure edit permissions.
|
241
|
$this->drupalGet('user/logout');
|
242
|
$this->drupalLogin($this->admin_user);
|
243
|
|
244
|
// Ensure the editing screen now has the body.
|
245
|
$this->drupalGet('node/' . $nid2 . '/edit');
|
246
|
$this->assertText($field_info['value']);
|
247
|
|
248
|
// Grant body editing permission for the limited role.
|
249
|
$edit = array(
|
250
|
$this->limited_rid .'[edit '. $field_info['machine_name'] .']' => TRUE,
|
251
|
);
|
252
|
$this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
|
253
|
$this->assertUserHasPermission($this->admin_user, 'edit ' . $field_info['machine_name'], t('Admin user does have "edit @field" permission.', array('@field' => $field_info['machine_name'])));
|
254
|
$this->assertUserHasPermission($this->limited_user, 'edit ' . $field_info['machine_name'], t('Limited user does have "edit @field" permission.', array('@field' => $field_info['machine_name'])));
|
255
|
|
256
|
// Ensure the editing screen still has the body.
|
257
|
$this->drupalGet('node/' . $nid2 . '/edit');
|
258
|
$this->assertText($field_info['value']);
|
259
|
|
260
|
// Switch to limited user to check that we can edit body now.
|
261
|
$this->drupalGet('user/logout');
|
262
|
$this->drupalLogin($this->limited_user);
|
263
|
$this->drupalGet('node/' . $nid2 . '/edit');
|
264
|
$this->assertText($field_info['value']);
|
265
|
}
|
266
|
|
267
|
function testUserFields() {
|
268
|
// Create a field attached to users and make it appear on the user
|
269
|
// registration form with (default) custom permissions.
|
270
|
$this->drupalLogin($this->admin_user);
|
271
|
$label = 'Field attached to users';
|
272
|
$edit = array(
|
273
|
'fields[_add_new_field][label]' => $label,
|
274
|
'fields[_add_new_field][field_name]' => 'attached_to_users',
|
275
|
'fields[_add_new_field][type]' => 'text',
|
276
|
'fields[_add_new_field][widget_type]' => 'text_textfield',
|
277
|
);
|
278
|
$this->drupalPost('admin/config/people/accounts/fields', $edit, t('Save'));
|
279
|
$this->drupalPost(NULL, array(), t('Save field settings'));
|
280
|
$edit = array(
|
281
|
'field[field_permissions][type]' => 2,
|
282
|
'instance[settings][user_register_form]' => TRUE,
|
283
|
);
|
284
|
$this->drupalPost(NULL, $edit, t('Save settings'));
|
285
|
|
286
|
// Log out, go to the registration form and make sure the field appears
|
287
|
// there for anonymous users.
|
288
|
$this->drupalLogout();
|
289
|
$this->drupalGet('user/register');
|
290
|
$this->assertText($label);
|
291
|
|
292
|
// Log in and make sure the user does not have access to edit the field
|
293
|
// (i.e., there are only default permissions to create it).
|
294
|
$this->drupalLogin($this->limited_user);
|
295
|
$this->drupalGet('user/' . $this->limited_user->uid . '/edit');
|
296
|
$this->assertResponse(200);
|
297
|
$this->assertNoText($label);
|
298
|
}
|
299
|
|
300
|
/**
|
301
|
* Asserts that a user account has a permission.
|
302
|
*/
|
303
|
protected function assertUserHasPermission($account, $permission, $message) {
|
304
|
$this->_assertUserPermissionState($account, $permission, $message, TRUE);
|
305
|
}
|
306
|
|
307
|
/**
|
308
|
* Asserts that a user account does not have a permission.
|
309
|
*/
|
310
|
protected function assertUserDoesNotHavePermission($account, $permission, $message) {
|
311
|
$this->_assertUserPermissionState($account, $permission, $message, FALSE);
|
312
|
}
|
313
|
|
314
|
/**
|
315
|
* Helper function for asserting user permissions.
|
316
|
*/
|
317
|
protected function _assertUserPermissionState($account, $permission, $message, $should_have_permission) {
|
318
|
// We need to clear static caches since the tests may have recently changed
|
319
|
// the permissions via the UI (i.e., in a different thread than the one
|
320
|
// running the tests).
|
321
|
drupal_static_reset('user_access');
|
322
|
drupal_static_reset('user_role_permissions');
|
323
|
|
324
|
// Load the full user account, since we may have been provided an out of
|
325
|
// date pseudo-account of the kind SimpleTest uses (e.g. as returned by
|
326
|
// drupalCreateUser()), rather than an up to date object that actually
|
327
|
// contains the full list of roles this user has been assigned.
|
328
|
$full_account = user_load($account->uid);
|
329
|
|
330
|
// Now check the permission.
|
331
|
$has_permission = user_access($permission, $full_account);
|
332
|
if ($should_have_permission) {
|
333
|
$this->assertTrue($has_permission, $message);
|
334
|
}
|
335
|
else {
|
336
|
$this->assertFalse($has_permission, $message);
|
337
|
}
|
338
|
}
|
339
|
}
|