3 namespace Drupal\Tests\Core\Route;
5 use Drupal\Core\Access\AccessResult;
6 use Drupal\Core\Cache\Context\CacheContextsManager;
7 use Drupal\Core\DependencyInjection\Container;
8 use Drupal\Core\Session\UserSession;
9 use Drupal\Tests\UnitTestCase;
10 use Drupal\user\Access\RoleAccessCheck;
11 use Symfony\Component\Routing\Route;
12 use Symfony\Component\Routing\RouteCollection;
15 * @coversDefaultClass \Drupal\user\Access\RoleAccessCheck
19 class RoleAccessCheckTest extends UnitTestCase {
22 * Generates the test route collection.
24 * @return \Symfony\Component\Routing\RouteCollection
25 * Returns the test route collection.
27 protected function getTestRouteCollection() {
28 $route_collection = new RouteCollection();
29 $route_collection->add('role_test_1', new Route('/role_test_1',
31 '_controller' => '\Drupal\router_test\TestControllers::test1',
34 '_role' => 'role_test_1',
37 $route_collection->add('role_test_2', new Route('/role_test_2',
39 '_controller' => '\Drupal\router_test\TestControllers::test1',
42 '_role' => 'role_test_2',
45 $route_collection->add('role_test_3', new Route('/role_test_3',
47 '_controller' => '\Drupal\router_test\TestControllers::test1',
50 '_role' => 'role_test_1,role_test_2',
53 // Ensure that trimming the values works on "OR" conjunctions.
54 $route_collection->add('role_test_4', new Route('/role_test_4',
56 '_controller' => '\Drupal\router_test\TestControllers::test1',
59 '_role' => 'role_test_1 , role_test_2',
62 $route_collection->add('role_test_5', new Route('/role_test_5',
64 '_controller' => '\Drupal\router_test\TestControllers::test1',
67 '_role' => 'role_test_1+role_test_2',
70 // Ensure that trimming the values works on "AND" conjunctions.
71 $route_collection->add('role_test_6', new Route('/role_test_6',
73 '_controller' => '\Drupal\router_test\TestControllers::test1',
76 '_role' => 'role_test_1 + role_test_2',
80 return $route_collection;
84 * Provides data for the role access test.
86 * @see \Drupal\Tests\Core\Route\RouterRoleTest::testRoleAccess
88 public function roleAccessProvider() {
89 // Setup two different roles used in the test.
90 $rid_1 = 'role_test_1';
91 $rid_2 = 'role_test_2';
93 // Setup one user with the first role, one with the second, one with both
94 // and one final without any of these two roles.
96 $account_1 = new UserSession([
101 $account_2 = new UserSession([
106 $account_12 = new UserSession([
108 'roles' => [$rid_1, $rid_2],
111 $account_none = new UserSession([
116 // Setup expected values; specify which paths can be accessed by which user.
118 ['role_test_1', [$account_1, $account_12], [$account_2, $account_none]],
119 ['role_test_2', [$account_2, $account_12], [$account_1, $account_none]],
120 ['role_test_3', [$account_12], [$account_1, $account_2, $account_none]],
121 ['role_test_4', [$account_12], [$account_1, $account_2, $account_none]],
122 ['role_test_5', [$account_1, $account_2, $account_12], []],
123 ['role_test_6', [$account_1, $account_2, $account_12], []],
128 * Tests role requirements on routes.
130 * @param string $path
131 * The path to check access for.
132 * @param array $grant_accounts
133 * A list of accounts which should have access to the given path.
134 * @param array $deny_accounts
135 * A list of accounts which should not have access to the given path.
137 * @see \Drupal\Tests\Core\Route\RouterRoleTest::getTestRouteCollection
138 * @see \Drupal\Tests\Core\Route\RouterRoleTest::roleAccessProvider
140 * @dataProvider roleAccessProvider
142 public function testRoleAccess($path, $grant_accounts, $deny_accounts) {
143 $cache_contexts_manager = $this->prophesize(CacheContextsManager::class);
144 $cache_contexts_manager->assertValidTokens()->willReturn(TRUE);
145 $cache_contexts_manager->reveal();
146 $container = new Container();
147 $container->set('cache_contexts_manager', $cache_contexts_manager);
148 \Drupal::setContainer($container);
150 $role_access_check = new RoleAccessCheck();
151 $collection = $this->getTestRouteCollection();
153 foreach ($grant_accounts as $account) {
154 $message = sprintf('Access granted for user with the roles %s on path: %s', implode(', ', $account->getRoles()), $path);
155 $this->assertEquals(AccessResult::allowed()->addCacheContexts(['user.roles']), $role_access_check->access($collection->get($path), $account), $message);
158 // Check all users which don't have access.
159 foreach ($deny_accounts as $account) {
160 $message = sprintf('Access denied for user %s with the roles %s on path: %s', $account->id(), implode(', ', $account->getRoles()), $path);
161 $has_access = $role_access_check->access($collection->get($path), $account);
162 $this->assertEquals(AccessResult::neutral()->addCacheContexts(['user.roles']), $has_access, $message);