Issue #3003105 by czigor, bojanz: The views bundle (type) filter shows items...

Issue #3003105 by czigor, bojanz: The views bundle (type) filter shows items that the user doesn't have access to

Issue #3003105 by czigor, bojanz: The views bundle (type) filter shows items...
Issue #3003105 by czigor, bojanz: The views bundle (type) filter shows items that the user doesn't have access to
28eaaa80 · czigor · bojanz · 3766e406 · 28eaaa80 · 28eaaa80
Commit 28eaaa80 authored Dec 05, 2019 by czigor Committed by bojanz Dec 05, 2019
Showing with 67 additions and 13 deletions

modules/product/tests/src/Functional/ProductAdminTest.php modules/product/tests/src/Functional/ProductAdminTest.php +34 -13

src/Plugin/views/filter/EntityBundle.php src/Plugin/views/filter/EntityBundle.php +33 -0

No files found.
--- a/modules/product/tests/src/Functional/ProductAdminTest.php
+++ b/modules/product/tests/src/Functional/ProductAdminTest.php
@@ -10,6 +10,8 @@ use Drupal\Core\Entity\Entity\EntityFormDisplay;
 use Drupal\field\Entity\FieldConfig;
 use Drupal\field\Entity\FieldStorageConfig;
 use Drupal\Tests\TestFileCreationTrait;
+use Drupal\user\Entity\Role;
+use Drupal\user\RoleInterface;

 /**
 * Create, view, edit, delete, and change products.
@@ -188,10 +190,9 @@ class ProductAdminTest extends ProductBrowserTestBase {
    ]);

    $this->drupalGet('admin/commerce/products');
-    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->pageTextNotContains('You are not authorized to access this page.');
    $row_count = $this->getSession()->getPage()->findAll('xpath', '//table/tbody/tr');
-    $this->assertEquals(3, count($row_count), 'Table has 3 rows.');
+    $this->assertEquals(3, count($row_count));

    // Confirm that product titles are displayed.
    $page = $this->getSession()->getPage();
@@ -218,9 +219,8 @@ class ProductAdminTest extends ProductBrowserTestBase {
    // and receive a 403 error code.
    $this->drupalLogout();
    $this->drupalGet('admin/commerce/products');
-    $this->assertSession()->statusCodeEquals(403);
    $this->assertSession()->pageTextContains('You are not authorized to access this page.');
-    $this->assertNotEmpty(!$this->getSession()->getPage()->hasLink('Add product'));
+    $this->assertEmpty($this->getSession()->getPage()->hasLink('Add product'));

    // Login and confirm access for 'access commerce_product overview'
    // permission. The second product should no longer be visible because
@@ -228,11 +228,11 @@ class ProductAdminTest extends ProductBrowserTestBase {
    $user = $this->drupalCreateUser(['access commerce_product overview']);
    $this->drupalLogin($user);
    $this->drupalGet('admin/commerce/products');
-    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->pageTextNotContains('You are not authorized to access this page.');
-    $this->assertNotEmpty(!$this->getSession()->getPage()->hasLink('Add product'));
+    $this->assertEmpty($this->getSession()->getPage()->hasLink('Add product'));
+
    $row_count = $this->getSession()->getPage()->findAll('xpath', '//table/tbody/tr');
-    $this->assertEquals(2, count($row_count), 'Table has 3 rows.');
+    $this->assertEquals(2, count($row_count));

    // Confirm that product titles are displayed.
    $page = $this->getSession()->getPage();
@@ -241,18 +241,39 @@ class ProductAdminTest extends ProductBrowserTestBase {
    $product_count = $page->findAll('xpath', '//table/tbody/tr/td/a[text()="Third product"]');
    $this->assertEquals(1, count($product_count), 'Third product is displayed.');

-    // Confirm that product types are displayed.
-    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Default")]');
-    $this->assertEquals(1, count($product_count), 'Default product type exists in the table.');
-    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Random")]');
-    $this->assertEquals(1, count($product_count), 'Random product type exist in the table.');
-
    // Confirm that the right product statuses are displayed.
    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Unpublished")]');
    $this->assertEquals(0, count($product_count), 'Unpublished product do not exist in the table.');
    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Published")]');
    $this->assertEquals(2, count($product_count), 'Published products exist in the table.');

+    // Confirm that product types are displayed.
+    $this->assertSession()->optionExists('edit-type', 'default');
+    $this->assertSession()->optionExists('edit-type', 'random');
+    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Default")]');
+    $this->assertEquals(1, count($product_count));
+    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Random")]');
+    $this->assertEquals(1, count($product_count));
+
+    // Confirm that the product type filter respects view access.
+    $authenticated_role = Role::load(RoleInterface::AUTHENTICATED_ID);
+    $authenticated_role->revokePermission('view commerce_product');
+    $authenticated_role->save();
+    $this->drupalGet('admin/commerce/products');
+    $this->assertSession()->pageTextContains('No products available');
+    $this->assertSession()->optionNotExists('edit-type', 'default');
+    $this->assertSession()->optionNotExists('edit-type', 'random');
+
+    $authenticated_role->grantPermission('view default commerce_product');
+    $authenticated_role->save();
+    $this->drupalGet('admin/commerce/products');
+    $this->assertSession()->optionExists('edit-type', 'default');
+    $this->assertSession()->optionNotExists('edit-type', 'random');
+    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Default")]');
+    $this->assertEquals(1, count($product_count));
+    $product_count = $page->findAll('xpath', '//table/tbody/tr/td[starts-with(text(), "Random")]');
+    $this->assertEquals(0, count($product_count));
+
    // Login and confirm access for "view own unpublished commerce_product".
    $user = $this->drupalCreateUser([
      'access commerce_product overview',

--- a/src/Plugin/views/filter/EntityBundle.php
+++ b/src/Plugin/views/filter/EntityBundle.php
@@ -64,6 +64,39 @@ class EntityBundle extends Bundle {
    return parent::access($account);
  }

+  /**
+   * {@inheritdoc}
+   */
+  public function getValueOptions() {
+    if (!isset($this->valueOptions)) {
+      $types = $this->bundleInfoService->getBundleInfo($this->entityTypeId);
+      // When the filter is exposed, filter out bundles that the user is
+      // not allowed to see. Workaround for core issue #3099068.
+      $storage = $this->getEntityTypeManager()->getStorage($this->entityTypeId);
+      foreach ($types as $type => $info) {
+        if ($this->isExposed()) {
+          $stub_entity = $storage->create([
+            $this->entityType->getKey('bundle') => $type,
+          ]);
+          if (!$stub_entity->access('view')) {
+            unset($types[$type]);
+          }
+        }
+      }
+
+      $this->valueTitle = $this->t('@entity types', ['@entity' => $this->entityType->getLabel()]);
+      $options = [];
+      foreach ($types as $type => $info) {
+        $options[$type] = $info['label'];
+      }
+
+      asort($options);
+      $this->valueOptions = $options;
+    }
+
+    return $this->valueOptions;
+  }
+
  /**
   * {@inheritdoc}
   *