Skip to content
This repository has been archived by the owner on Aug 18, 2024. It is now read-only.

Commit

Permalink
Further refactor and streamline the user access test before we extend…
Browse files Browse the repository at this point in the history
… this with a test for group entity operation permissions.
  • Loading branch information
pfrenssen committed Jul 31, 2020
1 parent 06ddf71 commit bdbde6a
Showing 1 changed file with 60 additions and 107 deletions.
167 changes: 60 additions & 107 deletions tests/src/Kernel/Access/OgUserAccessTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
use Drupal\KernelTests\KernelTestBase;
use Drupal\og\Entity\OgRole;
use Drupal\og\Og;
use Drupal\og\OgAccess;
use Drupal\og\OgRoleInterface;
use Drupal\user\Entity\User;

Expand All @@ -32,18 +31,18 @@ class OgUserAccessTest extends KernelTestBase {
];

/**
* A user object.
* The OgAccess service, this is the system under test.
*
* @var \Drupal\user\Entity\User
* @var \Drupal\og\OgAccessInterface
*/
protected $nonMemberUser;
protected $ogAccess;

/**
* An user object.
* A user object.
*
* @var \Drupal\user\Entity\User
*/
protected $updateUser;
protected $nonMemberUser;

/**
* The group owner.
Expand Down Expand Up @@ -80,34 +79,6 @@ class OgUserAccessTest extends KernelTestBase {
*/
protected $groupBundle;

/**
* The OG role that has the special permission 'update group'.
*
* @var \Drupal\og\Entity\OgRole
*/
protected $ogRoleWithUpdatePermission;

/**
* The OG role that doesn't have the permission we check for.
*
* @var \Drupal\og\Entity\OgRole
*/
protected $ogRoleWithoutPermission;

/**
* The OG role that doesn't have the permission we check for.
*
* @var \Drupal\og\Entity\OgRole
*/
protected $ogAdminRole;

/**
* A custom OG admin role.
*
* @var \Drupal\og\Entity\OgRole
*/
protected $ogAlternativeAdminRole;

/**
* {@inheritdoc}
*/
Expand All @@ -120,33 +91,19 @@ protected function setUp(): void {
$this->installEntitySchema('entity_test');
$this->installSchema('system', 'sequences');

$this->ogAccess = $this->container->get('og.access');

// Declare the test entity as being a group.
$this->groupBundle = mb_strtolower($this->randomMachineName());
Og::groupTypeManager()->addGroup('entity_test', $this->groupBundle);

// Create users, and make sure user ID 1 isn't used.
User::create(['name' => $this->randomString()])->save();

// Create a user that represents the group owner.
$this->ownerUser = User::create(['name' => $this->randomString()]);
$this->ownerUser->save();

// A non-member.
$this->nonMemberUser = User::create(['name' => $this->randomString()]);
$this->nonMemberUser->save();

// A group member the special permission 'update group'.
$this->updateUser = User::create(['name' => $this->randomString()]);
$this->updateUser->save();

// Admin user.
$this->adminUser = User::create(['name' => $this->randomString()]);
$this->adminUser->save();

// Second admin user which uses an alternative administration role.
$this->alternativeAdminUser = User::create(['name' => $this->randomString()]);
$this->alternativeAdminUser->save();

// Declare the test entity as being a group.
Og::groupTypeManager()->addGroup('entity_test', $this->groupBundle);

// Create a group and associate with the group owner.
$this->group = EntityTest::create([
'type' => $this->groupBundle,
Expand All @@ -155,52 +112,42 @@ protected function setUp(): void {
]);
$this->group->save();

$this->ogRoleWithUpdatePermission = OgRole::create();
$this->ogRoleWithUpdatePermission
->setName($this->randomMachineName())
->setLabel($this->randomString())
->setGroupType($this->group->getEntityTypeId())
->setGroupBundle($this->groupBundle)
->grantPermission(OgAccess::UPDATE_GROUP_PERMISSION)
->save();
// A non-member.
$this->nonMemberUser = User::create(['name' => $this->randomString()]);
$this->nonMemberUser->save();

$this->ogRoleWithoutPermission = OgRole::create();
$this->ogRoleWithoutPermission
->setName($this->randomMachineName())
->setLabel($this->randomString())
->setGroupType($this->group->getEntityTypeId())
->setGroupBundle($this->groupBundle)
->save();
// Admin user.
$this->adminUser = User::create(['name' => $this->randomString()]);
$this->adminUser->save();

// The administrator role is added automatically when the group is created.
// @see \Drupal\og\EventSubscriber\OgEventSubscriber::provideDefaultRoles()
$this->ogAdminRole = OgRole::loadByGroupAndName($this->group, OgRoleInterface::ADMINISTRATOR);
$admin_role = OgRole::loadByGroupAndName($this->group, OgRoleInterface::ADMINISTRATOR);

// Create a second administration role, since this is a supported use case.
// It is possible to have multiple administration roles.
$this->ogAlternativeAdminRole = OgRole::create();
$this->ogAlternativeAdminRole
$membership = Og::createMembership($this->group, $this->adminUser);
$membership
->addRole($admin_role)
->save();

// Create a second administration role and assign it to a test user. This is
// a supported use case: it is possible to have multiple administration
// roles.
/** @var \Drupal\og\OgRoleInterface $alternative_admin_role */
$alternative_admin_role = OgRole::create();
$alternative_admin_role
->setName($this->randomMachineName())
->setLabel($this->randomString())
->setGroupType($this->group->getEntityTypeId())
->setGroupBundle($this->groupBundle)
->setIsAdmin(TRUE)
->save();

// Check the special permission 'update group'.
$membership = Og::createMembership($this->group, $this->updateUser);
$membership
->addRole($this->ogRoleWithUpdatePermission)
->save();

$membership = Og::createMembership($this->group, $this->adminUser);
$membership
->addRole($this->ogAdminRole)
->save();
$this->alternativeAdminUser = User::create(['name' => $this->randomString()]);
$this->alternativeAdminUser->save();

$membership = Og::createMembership($this->group, $this->alternativeAdminUser);
$membership
->addRole($this->ogAlternativeAdminRole)
->addRole($alternative_admin_role)
->save();
}

Expand All @@ -212,23 +159,20 @@ protected function setUp(): void {
public function testUserAccessArbitraryPermissions() {
[$roles, $users] = $this->setupUserAccessArbitraryPermissions();

/** @var \Drupal\og\OgAccessInterface $og_access */
$og_access = $this->container->get('og.access');

// Check the user that has an arbitrary permission in both groups. It should
// have permission to the permission in group 1.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $users['has_permission_in_both_groups'])->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $users['has_permission_in_both_groups'])->isAllowed());
// This user should not have access to 'some_perm_2' as that was only
// assigned to group 2.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm_2', $users['has_permission_in_both_groups'])->isForbidden());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm_2', $users['has_permission_in_both_groups'])->isForbidden());
// Check the permission of group 1 again.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $users['has_permission_in_both_groups'])->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $users['has_permission_in_both_groups'])->isAllowed());

// A member user without the correct role.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $users['has_no_permission'])->isForbidden());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $users['has_no_permission'])->isForbidden());

// A non-member user.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isForbidden());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isForbidden());

// Grant the arbitrary permission to non-members and check that our
// non-member now has the permission.
Expand All @@ -237,48 +181,49 @@ public function testUserAccessArbitraryPermissions() {
$role
->grantPermission('some_perm')
->save();
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isAllowed());

// Revoke the arbitrary permission again for non-members and check that our
// poor non-member loses the permission.
$role
->revokePermission('some_perm')
->save();
$this->assertFalse($og_access->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isAllowed());
$this->assertFalse($this->ogAccess->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isAllowed());

// Make the non-member a member with the role. They should regain the
// permission.
$membership = Og::createMembership($this->group, $this->nonMemberUser);
$membership
->addRole($roles['arbitrary_permission'])
->save();
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $this->nonMemberUser)->isAllowed());

// Group admin user should have access regardless.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $this->adminUser)->isAllowed());
$this->assertTrue($og_access->userAccess($this->group, $this->randomMachineName(), $this->adminUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $this->adminUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, $this->randomMachineName(), $this->adminUser)->isAllowed());

// Also group admins that have a custom admin role should have access.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $this->alternativeAdminUser)->isAllowed());
$this->assertTrue($og_access->userAccess($this->group, $this->randomMachineName(), $this->alternativeAdminUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $this->alternativeAdminUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, $this->randomMachineName(), $this->alternativeAdminUser)->isAllowed());

// The admin user should no longer have access if the role is demoted from
// being an admin role.
$this->ogAdminRole->setIsAdmin(FALSE)->save();
$this->assertFalse($og_access->userAccess($this->group, 'some_perm', $this->adminUser)->isAllowed());
$this->assertFalse($og_access->userAccess($this->group, $this->randomMachineName(), $this->adminUser)->isAllowed());
$admin_role = OgRole::loadByGroupAndName($this->group, OgRoleInterface::ADMINISTRATOR);
$admin_role->setIsAdmin(FALSE)->save();
$this->assertFalse($this->ogAccess->userAccess($this->group, 'some_perm', $this->adminUser)->isAllowed());
$this->assertFalse($this->ogAccess->userAccess($this->group, $this->randomMachineName(), $this->adminUser)->isAllowed());

// The group owner should have access using the default configuration.
$this->assertTrue($og_access->userAccess($this->group, 'some_perm', $this->ownerUser)->isAllowed());
$this->assertTrue($this->ogAccess->userAccess($this->group, 'some_perm', $this->ownerUser)->isAllowed());

// Change the configuration to no longer grant full access to the group
// owner. This should revoke access.
$this->config('og.settings')->set('group_manager_full_access', FALSE)->save();
$this->assertFalse($og_access->userAccess($this->group, 'some_perm', $this->ownerUser)->isAllowed());
$this->assertFalse($this->ogAccess->userAccess($this->group, 'some_perm', $this->ownerUser)->isAllowed());
}

/**
* Sets up a matrix of users that have arbitrary permissions.
* Sets up a matrix of users and roles with arbitrary permissions.
*
* @return array[]
* A tuple containing the created test roles and users.
Expand Down Expand Up @@ -340,13 +285,21 @@ protected function setupUserAccessArbitraryPermissions() {

$users['has_permission_in_both_groups'] = $user;

// Create a user which is a member but has no special permissions.
// Create a user which is a member and has a role without any permissions.
$user = User::create(['name' => $this->randomString()]);
$user->save();

$role_without_permissions = OgRole::create();
$role_without_permissions
->setName($this->randomMachineName())
->setLabel($this->randomString())
->setGroupType($this->group->getEntityTypeId())
->setGroupBundle($this->groupBundle)
->save();

$membership = Og::createMembership($this->group, $user);
$membership
->addRole($this->ogRoleWithoutPermission)
->addRole($role_without_permissions)
->save();

$users['has_no_permission'] = $user;
Expand Down

0 comments on commit bdbde6a

Please sign in to comment.