drupalCreateUser(); $this->drupalLogin($author); // Create a content type with a body field. $this->drupalCreateContentType(['type' => 'page', 'name' => 'Basic page']); // Create a file in the 'private:// ' stream. $filename = 'test.png'; $src = '/system/files/' . $filename; /** @var \Drupal\file\FileInterface $file */ $file = File::create([ 'uri' => 'private://' . $filename, ]); $file->setTemporary(); $file->setOwner($author); // Create the file itself. file_put_contents($file->getFileUri(), $this->randomString()); $file->save(); // The image should be visible for its author. $this->drupalGet($src); $this->assertSession()->statusCodeEquals(200); // The not-yet-permanent image should NOT be visible for anonymous. $this->drupalLogout(); $this->drupalGet($src); $this->assertSession()->statusCodeEquals(403); // Resave the file to be permanent. $file->setPermanent(); $file->save(); // Create some nodes to ensure file usage count does not match the ID's // of the nodes we are going to check. for ($i = 0; $i < 5; $i++) { $this->drupalCreateNode([ 'type' => 'page', 'uid' => $author->id(), ]); } // Create a node with its body field properly pointing to the just-created // file. $published_node = $this->drupalCreateNode([ 'type' => 'page', 'body' => [ 'value' => ' alt

', 'format' => 'private_images', ], 'uid' => $author->id(), ]); // Create an unpublished node with its body field properly pointing to the // just-created file. $unpublished_node = $this->drupalCreateNode([ 'type' => 'page', 'status' => NODE_NOT_PUBLISHED, 'body' => [ 'value' => ' alt

', 'format' => 'private_images', ], 'uid' => $author->id(), ]); // Do the actual test. The image should be visible for anonymous users, // because they can view the published node. Even though they can't view // the unpublished node. $this->drupalGet($published_node->toUrl()); $this->assertSession()->statusCodeEquals(200); $this->drupalGet($unpublished_node->toUrl()); $this->assertSession()->statusCodeEquals(403); $this->drupalGet($src); $this->assertSession()->statusCodeEquals(200); // When the published node is also unpublished, the image should also // become inaccessible to anonymous users. $published_node->setPublished(FALSE)->save(); $this->drupalGet($published_node->toUrl()); $this->assertSession()->statusCodeEquals(403); $this->drupalGet($src); $this->assertSession()->statusCodeEquals(403); // Disallow anonymous users to view the entity, which then should also // disallow them to view the image. $published_node->setPublished(TRUE)->save(); Role::load(RoleInterface::ANONYMOUS_ID) ->revokePermission('access content') ->save(); $this->drupalGet($published_node->toUrl()); $this->assertSession()->statusCodeEquals(403); $this->drupalGet($src); $this->assertSession()->statusCodeEquals(403); } }