AccessTest.php

Same filename in this branch
  1. 11.x core/modules/views/tests/src/Functional/Plugin/AccessTest.php
Same filename and directory in other branches
  1. 9 core/modules/file/tests/src/Kernel/AccessTest.php
  2. 9 core/modules/views/tests/src/Functional/Plugin/AccessTest.php
  3. 8.9.x core/modules/file/tests/src/Kernel/AccessTest.php
  4. 8.9.x core/modules/views/tests/src/Functional/Plugin/AccessTest.php
  5. 10 core/modules/file/tests/src/Kernel/AccessTest.php
  6. 10 core/modules/views/tests/src/Functional/Plugin/AccessTest.php

Namespace

Drupal\Tests\file\Kernel

File

core/modules/file/tests/src/Kernel/AccessTest.php

View on git.drupalcode.org
View source 
<?php

declare (strict_types=1);
namespace Drupal\Tests\file\Kernel;

use Drupal\file\Entity\File;
use Drupal\KernelTests\KernelTestBase;
use Drupal\Tests\TestFileCreationTrait;
use Drupal\Tests\user\Traits\UserCreationTrait;
use Drupal\user\Entity\User;

/**
 * Tests for the File access control.
 *
 * @group file
 */
class AccessTest extends KernelTestBase {
  use UserCreationTrait;
  use TestFileCreationTrait;
  
  /**
   * {@inheritdoc}
   */
  protected static $modules = [
    'file',
    'system',
    'user',
  ];
  
  /**
   * {@inheritdoc}
   */
  protected function setUp() : void {
    parent::setUp();
    $this->installEntitySchema('file');
    $this->installEntitySchema('user');
    $this->installSchema('file', [
      'file_usage',
    ]);
  }
  
  /**
   * Tests 'update' and 'delete' access to file entities.
   */
  public function testFileAccess() : void {
    // Create a user so the tested users do not have the magic ID of user 1.
    $this->createUser();
    $user_any = $this->createUser([
      'delete any file',
    ]);
    $this->assertGreaterThan(1, (int) $user_any->id());
    $user_own = $this->createUser([
      'delete own files',
    ]);
    $test_files = $this->getTestFiles('text');
    $file1 = File::create((array) $test_files[0]);
    $file1->set('uid', $user_any->id());
    $file1->save();
    $file2 = File::create((array) $test_files[1]);
    $file2->set('uid', $user_own->id());
    $file2->save();
    // User with "* any file" permissions should delete all files and update
    // their own.
    $this->assertTrue($file1->access('delete', $user_any));
    $this->assertTrue($file1->access('update', $user_any));
    $this->assertTrue($file2->access('delete', $user_any));
    $this->assertFalse($file2->access('update', $user_any));
    // User with "* own files" permissions should access only own files.
    $this->assertFalse($file1->access('delete', $user_own));
    $this->assertFalse($file1->access('update', $user_own));
    $this->assertTrue($file2->access('delete', $user_own));
    $this->assertTrue($file2->access('update', $user_own));
    // Ensure cacheability metadata is correct.
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('delete', $user_any, TRUE);
    $this->assertSame([
      'user.permissions',
    ], $access->getCacheContexts());
    $this->assertSame([], $access->getCacheTags());
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('delete', $user_own, TRUE);
    $this->assertSame([
      'user.permissions',
      'user',
    ], $access->getCacheContexts());
    $this->assertSame([
      'file:2',
    ], $access->getCacheTags());
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('update', $user_any, TRUE);
    $this->assertSame([], $access->getCacheContexts());
    $this->assertSame([], $access->getCacheTags());
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('update', $user_own, TRUE);
    $this->assertSame([], $access->getCacheContexts());
    $this->assertSame([], $access->getCacheTags());
    // User without permissions should not be able to delete files even if they
    // are the owner.
    $user_none = $this->createUser();
    $file3 = File::create([
      'uid' => $user_none->id(),
      'filename' => 'druplicon.txt',
      'filemime' => 'text/plain',
    ]);
    $this->assertFalse($file3->access('delete', $user_none));
    $this->assertTrue($file3->access('update', $user_none));
    // Create a file with no user entity.
    $file4 = File::create([
      'filename' => 'druplicon.txt',
      'filemime' => 'text/plain',
    ]);
    $this->assertFalse($file4->access('delete', $user_own));
    $this->assertFalse($file4->access('update', $user_own));
    $this->assertTrue($file4->access('delete', $user_any));
    $this->assertFalse($file4->access('update', $user_any));
  }
  
  /**
   * Tests file entity field access.
   *
   * @see \Drupal\file\FileAccessControlHandler::checkFieldAccess()
   */
  public function testCheckFieldAccess() : void {
    $this->setUpCurrentUser();
    /** @var \Drupal\file\FileInterface $file */
    $file = File::create([
      'uri' => 'public://test.png',
    ]);
    // While creating a file entity access will be allowed for create-only
    // fields.
    $this->assertTrue($file->get('uri')
      ->access('edit'));
    $this->assertTrue($file->get('filemime')
      ->access('edit'));
    $this->assertTrue($file->get('filesize')
      ->access('edit'));
    // Access to the status field is denied whilst creating a file entity.
    $this->assertFalse($file->get('status')
      ->access('edit'));
    $file->save();
    // After saving the entity is no longer new and, therefore, access to
    // create-only fields and the status field will be denied.
    $this->assertFalse($file->get('uri')
      ->access('edit'));
    $this->assertFalse($file->get('filemime')
      ->access('edit'));
    $this->assertFalse($file->get('filesize')
      ->access('edit'));
    $this->assertFalse($file->get('status')
      ->access('edit'));
  }
  
  /**
   * Tests create access is always denied even for user 1.
   *
   * @see \Drupal\file\FileAccessControlHandler::checkCreateAccess()
   */
  public function testCreateAccess() : void {
    $user1 = $this->createUser([
      'delete own files',
    ]);
    $this->assertSame('1', $user1->id());
    $file = File::create([
      'uid' => $user1->id(),
      'filename' => 'druplicon.txt',
      'filemime' => 'text/plain',
    ]);
    $this->assertFalse($file->access('create'));
    \Drupal::currentUser()->setAccount($user1);
    $this->assertFalse($file->access('create'));
  }
  
  /**
   * Tests cacheability metadata.
   */
  public function testFileCacheability() : void {
    $file = File::create([
      'filename' => 'green-scarf',
      'uri' => 'private://green-scarf',
      'filemime' => 'text/plain',
    ]);
    $file->setPermanent();
    $file->save();
    \Drupal::service('session')->set('anonymous_allowed_file_ids', [
      $file->id() => $file->id(),
    ]);
    $account = User::getAnonymousUser();
    $file->setOwnerId($account->id())
      ->save();
    $this->assertSame([
      'session',
      'user',
    ], $file->access('view', $account, TRUE)
      ->getCacheContexts());
    $this->assertSame([
      'session',
      'user',
    ], $file->access('download', $account, TRUE)
      ->getCacheContexts());
    $account = $this->createUser();
    $file->setOwnerId($account->id())
      ->save();
    $this->assertSame([
      'user',
    ], $file->access('view', $account, TRUE)
      ->getCacheContexts());
    $this->assertSame([
      'user',
    ], $file->access('download', $account, TRUE)
      ->getCacheContexts());
  }

}

Classes

Title Deprecated Summary
AccessTest Tests for the File access control.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.