<?php

/**
 * @file
 * Definition of Drupal\user\Tests\UserCancelTest.
 */

namespace Drupal\user\Tests;

use Drupal\comment\Tests\CommentTestTrait;
use Drupal\simpletest\WebTestBase;
use Drupal\comment\CommentInterface;
use Drupal\comment\Entity\Comment;

/**
 * Ensure that account cancellation methods work as expected.
 *
 * @group user
 */
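class UserCancelTest extends WebTestBase {

  use CommentTestTrait;

  /**
   * Modules to enable.
   *
   * @var array
   */
  public static $modules = array('node', 'comment');

  /**
   * Creates the 'page' content type that the node checks in this class use.
   */
  protected function setUp() {
    parent::setUp();

    $this->drupalCreateContentType(array('type' => 'page', 'name' => 'Basic page'));
  }

  /**
   * Attempt to cancel account without permission.
   *
   * The user is created with no permissions. The edit form must not show a
   * cancel button, a direct request to the confirmation URL must be answered
   * with 403, and the account and its node must stay unchanged.
   */
  public function testUserCancelWithoutPermission() {
    $node_storage = $this->container->get('entity.manager')->getStorage('node');
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a user.
    $account = $this->drupalCreateUser(array());
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->assertNoRaw(t('Cancel account'), 'No cancel account button displayed.');

    // Attempt bogus account cancellation request confirmation.
    // The hash is computed by user_pass_rehash() from the account's own stored
    // values, so the token is not malformed. The request is bogus because no
    // cancellation was ever requested through the form in this test.
    // NOTE(review): whether the 403 is produced by the permission check or by
    // the missing pending request cannot be told from this file - confirm
    // against the route and controller.
    $timestamp = $account->getLastLoginTime();
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime(), $account->id()));
    $this->assertResponse(403, 'Bogus cancelling request rejected.');
    $account = user_load($account->id());
    $this->assertTrue($account->isActive(), 'User account was not canceled.');

    // Confirm user's content has not been altered.
    $node_storage->resetCache(array($node->id()));
    $test_node = $node_storage->load($node->id());
    $this->assertTrue(($test_node->getOwnerId() == $account->id() && $test_node->isPublished()), 'Node of the user has not been altered.');
  }

  /**
   * Test ability to change the permission for canceling users.
   *
   * The acting user holds only 'cancel other accounts' and submits the form at
   * user_form_test_cancel/{uid}, presumably provided by the user_form_test
   * module installed at the start of the test.
   */
  public function testUserCancelChangePermission() {
    \Drupal::service('module_installer')->install(array('user_form_test'));
    \Drupal::service('router.builder')->rebuild();
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a regular user.
    $account = $this->drupalCreateUser(array());

    $admin_user = $this->drupalCreateUser(array('cancel other accounts'));
    $this->drupalLogin($admin_user);

    // Delete regular user.
    $this->drupalPostForm('user_form_test_cancel/' . $account->id(), array(), t('Cancel account'));

    // Confirm deletion.
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), 'User deleted.');
    $this->assertFalse(user_load($account->id()), 'User is not found in the database.');
  }

  /**
   * Tests that user account for uid 1 cannot be cancelled.
   *
   * This should never be possible, or the site owner would become unable to
   * administer the site.
   */
  public function testUserCancelUid1() {
    \Drupal::service('module_installer')->install(array('views'));
    \Drupal::service('router.builder')->rebuild();
    // Update uid 1's name and password so we know them.
    $password = user_password();
    $account = array(
      'name' => 'user1',
      'pass' => $this->container->get('password')->hash(trim($password)),
    );
    // We cannot use $account->save() here, because this would result in the
    // password being hashed again.
    db_update('users_field_data')
      ->fields($account)
      ->condition('uid', 1)
      ->execute();

    // Reload uid 1 and attach the raw password to the loaded object.
    // NOTE(review): $user1 is never passed to drupalLogin() in this method and
    // is reloaded again before the final assertion, so uid 1 does not log in
    // here and pass_raw is not read.
    $user1 = user_load(1, TRUE);
    $user1->pass_raw = $password;

    // Try to cancel uid 1's account with a different user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);
    $edit = array(
      'action' => 'user_cancel_user_action',
      // Assumes uid 1 is row 0 of the admin/people bulk form - TODO confirm.
      'user_bulk_form[0]' => TRUE,
    );
    $this->drupalPostForm('admin/people', $edit, t('Apply'));

    // Verify that uid 1's account was not cancelled.
    $user1 = user_load(1, TRUE);
    $this->assertTrue($user1->isActive(), 'User #1 still exists and is not blocked.');
  }

  /**
   * Attempt invalid account cancellations.
   *
   * After a real cancellation request, two confirmation URLs are tried: one
   * with a timestamp 60 seconds in the future and one with a timestamp older
   * than 86400 seconds (24 hours) plus 60. Both must be rejected and leave the
   * account and its node unchanged.
   */
  public function testUserCancelInvalid() {
    $node_storage = $this->container->get('entity.manager')->getStorage('node');
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Attempt to cancel account.
    $this->drupalPostForm('user/' . $account->id() . '/edit', NULL, t('Cancel account'));

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // NOTE(review): both requests below carry a hash computed for the same
    // timestamp that appears in the URL, so only the time-window check is
    // exercised. A request with an in-window timestamp and a hash that does
    // not match is not covered by this method.

    // Attempt bogus account cancellation request confirmation.
    $bogus_timestamp = $timestamp + 60;
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->getPassword(), $bogus_timestamp, $account->getLastLoginTime(), $account->id()));
    $this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Bogus cancelling request rejected.');
    $account = user_load($account->id());
    $this->assertTrue($account->isActive(), 'User account was not canceled.');

    // Attempt expired account cancellation request confirmation.
    $bogus_timestamp = $timestamp - 86400 - 60;
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->getPassword(), $bogus_timestamp, $account->getLastLoginTime(), $account->id()));
    $this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Expired cancel account request rejected.');
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isActive(), 'User account was not canceled.');

    // Confirm user's content has not been altered.
    $node_storage->resetCache(array($node->id()));
    $test_node = $node_storage->load($node->id());
    $this->assertTrue(($test_node->getOwnerId() == $account->id() && $test_node->isPublished()), 'Node of the user has not been altered.');
  }

  /**
   * Disable account and keep all content.
   *
   * Uses the 'user_cancel_block' method: after the confirmation link is
   * followed the account must be blocked and the user must see the
   * "has been disabled" message.
   */
  public function testUserBlock() {
    $this->config('user.settings')->set('cancel_method', 'user_cancel_block')->save();

    // Create a user.
    $web_user = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($web_user);

    // Load real user object.
    $account = user_load($web_user->id(), TRUE);

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Your account will be blocked and you will no longer be able to log in. All of your content will remain attributed to your username.'), 'Informs that all content will be remain as is.');
    $this->assertNoText(t('Select the method to cancel the account above.'), 'Does not allow user to select account cancellation method.');

    // Confirm account cancellation.
    // The timestamp is taken before the form is posted so that the test can
    // rebuild the confirmation URL itself.
    $timestamp = time();

    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    // The URL is rebuilt from the stored password hash, the timestamp and the
    // last login time rather than read from the mail that was sent.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime(), $account->id()));
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isBlocked(), 'User has been blocked.');

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been disabled.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Disable account and unpublish all content.
   *
   * Uses the 'user_cancel_block_unpublish' method: the account must end up
   * blocked and the user's node, node revision and comment unpublished.
   */
  public function testUserBlockUnpublish() {
    $node_storage = $this->container->get('entity.manager')->getStorage('node');
    $this->config('user.settings')->set('cancel_method', 'user_cancel_block_unpublish')->save();
    // Create comment field on page.
    $this->addDefaultCommentField('node', 'page');

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a node with two revisions.
    // NOTE(review): the revision ID of the first revision is not stored before
    // $node is overwritten, so the revision check further down loads the
    // revision of the second $node object - confirm that the earlier revision
    // is covered as intended.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));
    $settings = get_object_vars($node);
    $settings['revision'] = 1;
    $node = $this->drupalCreateNode($settings);

    // Add a comment to the page.
    $comment_subject = $this->randomMachineName(8);
    $comment_body = $this->randomMachineName(8);
    $comment = entity_create('comment', array(
      'subject' => $comment_subject,
      'comment_body' => $comment_body,
      'entity_id' => $node->id(),
      'entity_type' => 'node',
      'field_name' => 'comment',
      'status' => CommentInterface::PUBLISHED,
      'uid' => $account->id(),
    ));
    $comment->save();

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Your account will be blocked and you will no longer be able to log in. All of your content will be hidden from everyone but administrators.'), 'Informs that all content will be unpublished.');

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime(), $account->id()));
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isBlocked(), 'User has been blocked.');

    // Confirm user's content has been unpublished.
    $node_storage->resetCache(array($node->id()));
    $test_node = $node_storage->load($node->id());
    $this->assertFalse($test_node->isPublished(), 'Node of the user has been unpublished.');
    $test_node = node_revision_load($node->getRevisionId());
    $this->assertFalse($test_node->isPublished(), 'Node revision of the user has been unpublished.');

    $storage = \Drupal::entityManager()->getStorage('comment');
    $storage->resetCache(array($comment->id()));
    $comment = $storage->load($comment->id());
    $this->assertFalse($comment->isPublished(), 'Comment of the user has been unpublished.');

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been disabled.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Delete account and anonymize all content.
   *
   * Uses the 'user_cancel_reassign' method: the account must be gone, the
   * user's node and old revision must belong to uid 0, and a current revision
   * owned by another user must keep its owner.
   */
  public function testUserAnonymize() {
    $node_storage = $this->container->get('entity.manager')->getStorage('node');
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a simple node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Create a node with two revisions, the initial one belonging to the
    // cancelling user.
    $revision_node = $this->drupalCreateNode(array('uid' => $account->id()));
    $revision = $revision_node->getRevisionId();
    $settings = get_object_vars($revision_node);
    $settings['revision'] = 1;
    $settings['uid'] = 1; // Set new/current revision to someone else.
    $revision_node = $this->drupalCreateNode($settings);

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertRaw(t('Your account will be removed and all account information deleted. All of your content will be assigned to the %anonymous-name user.', array('%anonymous-name' => $this->config('user.settings')->get('anonymous'))), 'Informs that all content will be attributed to anonymous account.');

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime(), $account->id()));
    $this->assertFalse(user_load($account->id(), TRUE), 'User is not found in the database.');

    // Confirm that user's content has been attributed to anonymous user.
    $node_storage->resetCache(array($node->id()));
    $test_node = $node_storage->load($node->id());
    $this->assertTrue(($test_node->getOwnerId() == 0 && $test_node->isPublished()), 'Node of the user has been attributed to anonymous user.');
    $test_node = node_revision_load($revision, TRUE);
    $this->assertTrue(($test_node->getRevisionAuthor()->id() == 0 && $test_node->isPublished()), 'Node revision of the user has been attributed to anonymous user.');
    $node_storage->resetCache(array($revision_node->id()));
    $test_node = $node_storage->load($revision_node->id());
    $this->assertTrue(($test_node->getOwnerId() != 0 && $test_node->isPublished()), "Current revision of the user's node was not attributed to anonymous user.");

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Delete account and remove all content.
   *
   * Uses the 'user_cancel_delete' method: the account, its node, its old
   * revision and its comment must be gone, while a node whose current
   * revision belongs to another user must still load.
   */
  public function testUserDelete() {
    $node_storage = $this->container->get('entity.manager')->getStorage('node');
    $this->config('user.settings')->set('cancel_method', 'user_cancel_delete')->save();
    // NOTE(review): 'comment' is already listed in $modules, so this install
    // call looks redundant - confirm before removing.
    \Drupal::service('module_installer')->install(array('comment'));
    $this->resetAll();
    $this->addDefaultCommentField('node', 'page');

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account', 'post comments', 'skip comment approval'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a simple node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Create comment.
    $edit = array();
    $edit['subject[0][value]'] = $this->randomMachineName(8);
    $edit['comment_body[0][value]'] = $this->randomMachineName(16);

    $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit, t('Preview'));
    $this->drupalPostForm(NULL, array(), t('Save'));
    $this->assertText(t('Your comment has been posted.'));
    $comments = entity_load_multiple_by_properties('comment', array('subject' => $edit['subject[0][value]']));
    $comment = reset($comments);
    $this->assertTrue($comment->id(), 'Comment found.');

    // Create a node with two revisions, the initial one belonging to the
    // cancelling user.
    $revision_node = $this->drupalCreateNode(array('uid' => $account->id()));
    $revision = $revision_node->getRevisionId();
    $settings = get_object_vars($revision_node);
    $settings['revision'] = 1;
    $settings['uid'] = 1; // Set new/current revision to someone else.
    $revision_node = $this->drupalCreateNode($settings);

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Your account will be removed and all account information deleted. All of your content will also be deleted.'), 'Informs that all content will be deleted.');

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime(), $account->id()));
    $this->assertFalse(user_load($account->id(), TRUE), 'User is not found in the database.');

    // Confirm that user's content has been deleted.
    $node_storage->resetCache(array($node->id()));
    $this->assertFalse($node_storage->load($node->id()), 'Node of the user has been deleted.');
    $this->assertFalse(node_revision_load($revision), 'Node revision of the user has been deleted.');
    $node_storage->resetCache(array($revision_node->id()));
    $this->assertTrue($node_storage->load($revision_node->id()), "Current revision of the user's node was not deleted.");
    \Drupal::entityManager()->getStorage('comment')->resetCache(array($comment->id()));
    $this->assertFalse(Comment::load($comment->id()), 'Comment of the user has been deleted.');

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Create an administrative user and delete another user.
   *
   * A user with 'administer users' cancels another account from its edit
   * form. The form must offer a choice of cancellation method and the
   * account is removed right after the second submit; this method requests no
   * confirmation URL.
   */
  public function testUserCancelByAdmin() {
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a regular user.
    $account = $this->drupalCreateUser(array());

    // Create administrative user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);

    // Delete regular user.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('Are you sure you want to cancel the account %name?', array('%name' => $account->getUsername())), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Select the method to cancel the account above.'), 'Allows to select account cancellation method.');

    // Confirm deletion.
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), 'User deleted.');
    $this->assertFalse(user_load($account->id()), 'User is not found in the database.');
  }

  /**
   * Tests deletion of a user account without an email address.
   *
   * Same flow as an admin cancelling another account, but the target account
   * is saved with an empty mail value first.
   */
  public function testUserWithoutEmailCancelByAdmin() {
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a regular user.
    $account = $this->drupalCreateUser(array());
    // This user has no email address.
    $account->mail = '';
    $account->save();

    // Create administrative user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);

    // Delete regular user without email address.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('Are you sure you want to cancel the account %name?', array('%name' => $account->getUsername())), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Select the method to cancel the account above.'), 'Allows to select account cancellation method.');

    // Confirm deletion.
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), 'User deleted.');
    $this->assertFalse(user_load($account->id()), 'User is not found in the database.');
  }

  /**
   * Create an administrative user and mass-delete other users.
   *
   * The admin selects five rows of the admin/people bulk form, including its
   * own account. The three created users must be deleted, the admin must only
   * receive a confirmation request and stay active, and uid 1 must stay
   * active.
   */
  public function testMassUserCancelByAdmin() {
    \Drupal::service('module_installer')->install(array('views'));
    \Drupal::service('router.builder')->rebuild();
    $this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();
    // Enable account cancellation notification.
    $this->config('user.settings')->set('notify.status_canceled', TRUE)->save();

    // Create administrative user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);

    // Create some users.
    $users = array();
    for ($i = 0; $i < 3; $i++) {
      $account = $this->drupalCreateUser(array());
      $users[$account->id()] = $account;
    }

    // Cancel user accounts, including own one.
    // Rows 0 to 4 are ticked; presumably these are uid 1, the admin and the
    // three users created above - TODO confirm against the listing order.
    $edit = array();
    $edit['action'] = 'user_cancel_user_action';
    for ($i = 0; $i <= 4; $i++) {
      $edit['user_bulk_form[' . $i . ']'] = TRUE;
    }
    $this->drupalPostForm('admin/people', $edit, t('Apply'));
    $this->assertText(t('Are you sure you want to cancel these user accounts?'), 'Confirmation form to cancel accounts displayed.');
    $this->assertText(t('When cancelling these accounts'), 'Allows to select account cancellation method.');
    $this->assertText(t('Require email confirmation to cancel account'), 'Allows to send confirmation mail.');
    $this->assertText(t('Notify user when account is canceled'), 'Allows to send notification mail.');

    // Confirm deletion.
    $this->drupalPostForm(NULL, NULL, t('Cancel accounts'));
    // All per-user checks are folded into one flag, so a failure does not say
    // which account was affected.
    $status = TRUE;
    foreach ($users as $account) {
      $status = $status && (strpos($this->content, t('%name has been deleted.', array('%name' => $account->getUsername()))) !== FALSE);
      $status = $status && !user_load($account->id(), TRUE);
    }
    $this->assertTrue($status, 'Users deleted and not found in the database.');

    // Ensure that admin account was not cancelled.
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');
    $admin_user = user_load($admin_user->id());
    $this->assertTrue($admin_user->isActive(), 'Administrative user is found in the database and enabled.');

    // Verify that uid 1's account was not cancelled.
    $user1 = user_load(1, TRUE);
    $this->assertTrue($user1->isActive(), 'User #1 still exists and is not blocked.');
  }
}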