3 namespace Drupal\Tests\node\Functional;
6 * Tests that node access queries are properly altered by the node module.
10 class NodeQueryAlterTest extends NodeTestBase {
17 public static $modules = ['node_access_test'];
20 * User with permission to view content.
22 protected $accessUser;
25 * User without permission to view content.
27 protected $noAccessUser;
29 protected function setUp() {
// Builds the fixture every test method relies on: rebuilt node access
// records, four nodes, and three users that differ only in whether they hold
// 'node test view'.
32 node_access_rebuild();
34 // Create some content.
35 $this->drupalCreateNode();
36 $this->drupalCreateNode();
37 $this->drupalCreateNode();
38 $this->drupalCreateNode();
40 // Create user with simple node access permission. The 'node test view'
41 // permission is implemented and granted by the node_access_test module.
42 $this->accessUser = $this->drupalCreateUser(['access content overview', 'access content', 'node test view']);
// The two users below get the same permissions minus 'node test view', so
// that single permission is the only difference between the allow and deny
// cases asserted by the tests.
43 $this->noAccessUser = $this->drupalCreateUser(['access content overview', 'access content']);
// NOTE(review): only accessUser and noAccessUser are declared as properties
// in the visible lines; noAccessUser2 may be created here as an undeclared
// (dynamic) property - confirm against the full class.
44 $this->noAccessUser2 = $this->drupalCreateUser(['access content overview', 'access content']);
48 * Tests 'node_access' query alter, for user with access.
50 * Verifies that a non-standard table alias can be used, and that a user with
51 * node access can view the nodes.
53 public function testNodeQueryAlterLowLevelWithAccess() {
54 // User with access should be able to view 4 nodes.
// The account under test is supplied through the 'account' metadata and the
// operation through 'op'; the 'node_access' tag is what marks the query for
// access filtering. 'mytab' is the non-standard alias the docblock refers to.
56 $query = db_select('node', 'mytab')
58 $query->addTag('node_access');
59 $query->addMetaData('op', 'view');
60 $query->addMetaData('account', $this->accessUser);
62 $result = $query->execute()->fetchAll();
// 4 is the number of nodes created in setUp().
63 $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
// NOTE(review): this catches every \Exception. Assuming the assertion above
// sits inside the try block (its opening line is not visible here) and throws
// on failure, a wrong row count would be reported as 'Altered query is
// malformed' rather than as an access mismatch - confirm and consider
// narrowing the catch to the database exception type.
65 catch (\Exception $e) {
66 $this->fail(t('Altered query is malformed'));
71 * Tests 'node_access' query alter with revision-enabled nodes.
73 public function testNodeQueryAlterWithRevisions() {
74 // Execute a query that only deals with the 'node_revision' table.
// Goes through the node storage's entity query instead of a hand-built
// db_select().
// NOTE(review): no 'account' metadata or login is visible in this method, so
// which user the 4-row expectation applies to cannot be told from these
// lines; the assertion message says 'User with access' - confirm.
76 $query = \Drupal::entityTypeManager()->getStorage('node')->getQuery();
81 $this->assertEqual(count($result), 4, 'User with access can see correct nodes');
// NOTE(review): a catch of every \Exception can also intercept a failed
// assertion if that assertion throws, replacing its message with the generic
// one below - confirm.
83 catch (\Exception $e) {
84 $this->fail('Altered query is malformed');
89 * Tests 'node_access' query alter, for user without access.
91 * Verifies that a non-standard table alias can be used, and that a user
92 * without node access cannot view the nodes.
94 public function testNodeQueryAlterLowLevelNoAccess() {
95 // User without access should be able to view 0 nodes.
// Deny case: the 'account' metadata names a user created in setUp() without
// 'node test view', so the tagged query is expected to return no rows even
// though four nodes exist.
97 $query = db_select('node', 'mytab')
99 $query->addTag('node_access');
100 $query->addMetaData('op', 'view');
101 $query->addMetaData('account', $this->noAccessUser);
103 $result = $query->execute()->fetchAll();
104 $this->assertEqual(count($result), 0, 'User with no access cannot see nodes');
// NOTE(review): catching every \Exception may also swallow a failed
// assertion (if it throws) and re-report it as a malformed query, which would
// hide an access-control regression behind an unrelated message - confirm.
106 catch (\Exception $e) {
107 $this->fail(t('Altered query is malformed'));
112 * Tests 'node_access' query alter, for edit access.
114 * Verifies that a non-standard table alias can be used, and that a user with
115 * view-only node access cannot edit the nodes.
117 public function testNodeQueryAlterLowLevelEditAccess() {
118 // User with view-only access should not be able to edit nodes.
// Same account as the with-access view test, but the operation is 'update':
// holding 'node test view' must not be enough to match any node for editing.
120 $query = db_select('node', 'mytab')
122 $query->addTag('node_access');
123 $query->addMetaData('op', 'update');
124 $query->addMetaData('account', $this->accessUser);
126 $result = $query->execute()->fetchAll();
127 $this->assertEqual(count($result), 0, 'User with view-only access cannot edit nodes');
129 catch (\Exception $e) {
// NOTE(review): three consecutive fail() calls. If fail() throws (as it does
// in PHPUnit-based tests), only the first one runs and the two below are
// unreachable. The second would also write the full query string into the
// failure output; these look like leftover debugging lines - confirm.
130 $this->fail($e->getMessage());
131 $this->fail((string) $query);
132 $this->fail(t('Altered query is malformed'));
137 * Tests 'node_access' query alter override.
139 * Verifies that node_access_view_all_nodes() is called from
140 * node_query_node_access_alter(). We do this by checking that a user who
141 * normally would not have view privileges is able to view the nodes when we
142 * add a record to {node_access} paired with a corresponding privilege in
143 * hook_node_grants().
145 public function testNodeQueryAlterOverride() {
// Two phases. First a {node_access} row in the 'node_access_all' realm is
// inserted and the tagged query must still return nothing for noAccessUser.
// Then a state key tells the test module which uid to grant that realm to,
// and the same query must return all 4 nodes.
149 'realm' => 'node_access_all',
154 db_insert('node_access')->fields($record)->execute();
156 // Test that the noAccessUser still doesn't have the 'view'
157 // privilege after adding the node_access record.
// Reset the static cache of that name so the result is computed again after
// the insert rather than reused from an earlier call.
158 drupal_static_reset('node_access_view_all_nodes');
160 $query = db_select('node', 'mytab')
162 $query->addTag('node_access');
163 $query->addMetaData('op', 'view');
164 $query->addMetaData('account', $this->noAccessUser);
166 $result = $query->execute()->fetchAll();
167 $this->assertEqual(count($result), 0, 'User view privileges are not overridden');
// NOTE(review): both catch blocks in this method take every \Exception; if a
// failed assertion throws, it would be re-reported as a malformed query
// instead of as an unexpected grant - confirm.
169 catch (\Exception $e) {
170 $this->fail(t('Altered query is malformed'));
173 // Have node_test_node_grants return a node_access_all privilege,
174 // to grant the noAccessUser 'view' access. To verify that
175 // node_access_view_all_nodes is properly checking the specified
176 // $account instead of the current user, we will log in as
// The session user (noAccessUser2) deliberately differs from the user in the
// 'account' metadata (noAccessUser): the 4-row result below only holds if the
// grant lookup follows the metadata account and not the logged-in user.
178 $this->drupalLogin($this->noAccessUser2);
179 \Drupal::state()->set('node_access_test.no_access_uid', $this->noAccessUser->id());
180 drupal_static_reset('node_access_view_all_nodes');
182 $query = db_select('node', 'mytab')
184 $query->addTag('node_access');
185 $query->addMetaData('op', 'view');
186 $query->addMetaData('account', $this->noAccessUser);
188 $result = $query->execute()->fetchAll();
189 $this->assertEqual(count($result), 4, 'User view privileges are overridden');
191 catch (\Exception $e) {
192 $this->fail(t('Altered query is malformed'));
// Removes the state key set above.
194 \Drupal::state()->delete('node_access_test.no_access_uid');