<?php

/**
 * @file
 * Definition of Drupal\user\Tests\UserCancelTest.
 */

namespace Drupal\user\Tests;

use Drupal\simpletest\WebTestBase;
use Drupal\comment\CommentInterface;
use Drupal\comment\Entity\Comment;

/**
 * Ensure that account cancellation methods work as expected.
 *
 * @group user
 */
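class UserCancelTest extends WebTestBase {

  /**
   * Modules to enable.
   *
   * @var array
   */
  public static $modules = array('node', 'comment');

  /**
   * Creates the 'page' content type that the node fixtures below rely on.
   */
  public function setUp() {
    parent::setUp();

    $this->drupalCreateContentType(array('type' => 'page', 'name' => 'Basic page'));
  }

  /**
   * Attempt to cancel account without permission.
   *
   * The user is created with an empty permission list, so neither the account
   * edit form nor a direct request to the confirmation URL may cancel the
   * account or touch its content.
   */
  public function testUserCancelWithoutPermission() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a user.
    $account = $this->drupalCreateUser(array());
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->assertNoRaw(t('Cancel account'), 'No cancel account button displayed.');

    // Attempt bogus account cancellation request confirmation. The URL is
    // assembled exactly like the confirmation links in the other tests
    // (timestamp followed by the user_pass_rehash() value), so the 403 asserted
    // below is expected to come from the missing permission and not from a
    // malformed link.
    $timestamp = $account->getLastLoginTime();
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime()));
    $this->assertResponse(403, 'Bogus cancelling request rejected.');
    // Reload with $reset = TRUE: the account was already loaded above, and a
    // copy served from the static cache would make this check pass regardless
    // of what the request did.
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isActive(), 'User account was not canceled.');

    // Confirm user's content has not been altered.
    $test_node = node_load($node->id(), TRUE);
    $this->assertTrue(($test_node->getOwnerId() == $account->id() && $test_node->isPublished()), 'Node of the user has not been altered.');
  }

  /**
   * Tests that user account for uid 1 cannot be cancelled.
   *
   * This should never be possible, or the site owner would become unable to
   * administer the site.
   */
  public function testUserCancelUid1() {
    \Drupal::moduleHandler()->install(array('views'));
    // Update uid 1's name and password so we know it.
    $password = user_password();
    $account = array(
      'name' => 'user1',
      'pass' => $this->container->get('password')->hash(trim($password)),
    );
    // We cannot use $account->save() here, because this would result in the
    // password being hashed again.
    db_update('users')
      ->fields($account)
      ->condition('uid', 1)
      ->execute();

    // Reload uid 1 and attach the known plain-text password to the object.
    // NOTE(review): uid 1 is never logged in by this test; the request below
    // is made as the separately created administrator.
    $user1 = user_load(1, TRUE);
    $user1->pass_raw = $password;

    // Try to cancel uid 1's account with a different user.
    $this->admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($this->admin_user);
    // Row 0 of the bulk form is presumably uid 1 - confirm against the
    // listing's sort order.
    $edit = array(
      'action' => 'user_cancel_user_action',
      'user_bulk_form[0]' => TRUE,
    );
    $this->drupalPostForm('admin/people', $edit, t('Apply'));

    // Verify that uid 1's account was not cancelled.
    $user1 = user_load(1, TRUE);
    $this->assertTrue($user1->isActive(), 'User #1 still exists and is not blocked.');
  }

  /**
   * Attempt invalid account cancellations.
   *
   * Covers confirmation links whose timestamp lies in the future or beyond the
   * expiry window; in both cases the account and its content must be left
   * untouched.
   */
  public function testUserCancelInvalid() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Attempt to cancel account.
    $this->drupalPostForm('user/' . $account->id() . '/edit', NULL, t('Cancel account'));

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Attempt bogus account cancellation request confirmation. The timestamp
    // is one minute in the future; the hash is computed for that same
    // timestamp, so only the timestamp check can reject the link.
    $bogus_timestamp = $timestamp + 60;
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->getPassword(), $bogus_timestamp, $account->getLastLoginTime()));
    $this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Bogus cancelling request rejected.');
    // Reload with $reset = TRUE, as the expired-link check below does, so the
    // status is not read from the copy cached by the earlier load.
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isActive(), 'User account was not canceled.');

    // Attempt expired account cancellation request confirmation. 86400 seconds
    // is 24 hours, presumably the lifetime of a confirmation link - confirm
    // against the confirmation handler.
    $bogus_timestamp = $timestamp - 86400 - 60;
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->getPassword(), $bogus_timestamp, $account->getLastLoginTime()));
    $this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Expired cancel account request rejected.');
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isActive(), 'User account was not canceled.');

    // NOTE(review): both rejected links above carry a hash that matches their
    // timestamp. No case here pairs an in-window timestamp with a hash that
    // does not match it, so hash verification itself is not exercised by this
    // test; consider adding that case.

    // Confirm user's content has not been altered.
    $test_node = node_load($node->id(), TRUE);
    $this->assertTrue(($test_node->getOwnerId() == $account->id() && $test_node->isPublished()), 'Node of the user has not been altered.');
  }

  /**
   * Disable account and keep all content.
   */
  public function testUserBlock() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_block')->save();

    // Create a user.
    $web_user = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($web_user);

    // Load real user object.
    $account = user_load($web_user->id(), TRUE);

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Your account will be blocked and you will no longer be able to log in. All of your content will remain attributed to your user name.'), 'Informs that all content will be remain as is.');
    // A user cancelling their own account must not be offered a choice of
    // cancellation method.
    $this->assertNoText(t('Select the method to cancel the account above.'), 'Does not allow user to select account cancellation method.');

    // Confirm account cancellation.
    $timestamp = time();

    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime()));
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isBlocked(), 'User has been blocked.');

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been disabled.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Disable account and unpublish all content.
   */
  public function testUserBlockUnpublish() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_block_unpublish')->save();
    // Create comment field on page.
    \Drupal::service('comment.manager')->addDefaultField('node', 'page');

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a node with two revisions.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));
    $settings = get_object_vars($node);
    $settings['revision'] = 1;
    $node = $this->drupalCreateNode($settings);

    // Add a comment to the page.
    $comment_subject = $this->randomName(8);
    $comment_body = $this->randomName(8);
    $comment = entity_create('comment', array(
      'subject' => $comment_subject,
      'comment_body' => $comment_body,
      'entity_id' => $node->id(),
      'entity_type' => 'node',
      'field_name' => 'comment',
      'status' => CommentInterface::PUBLISHED,
      'uid' => $account->id(),
    ));
    $comment->save();

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Your account will be blocked and you will no longer be able to log in. All of your content will be hidden from everyone but administrators.'), 'Informs that all content will be unpublished.');

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime()));
    $account = user_load($account->id(), TRUE);
    $this->assertTrue($account->isBlocked(), 'User has been blocked.');

    // Confirm user's content has been unpublished.
    $test_node = node_load($node->id(), TRUE);
    $this->assertFalse($test_node->isPublished(), 'Node of the user has been unpublished.');
    $test_node = node_revision_load($node->getRevisionId());
    $this->assertFalse($test_node->isPublished(), 'Node revision of the user has been unpublished.');

    // Drop the cached comment before reloading it, so the published flag is
    // read from storage.
    $storage = \Drupal::entityManager()->getStorage('comment');
    $storage->resetCache(array($comment->id()));
    $comment = $storage->load($comment->id());
    $this->assertFalse($comment->isPublished(), 'Comment of the user has been unpublished.');

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been disabled.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Delete account and anonymize all content.
   */
  public function testUserAnonymize() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a simple node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Create a node with two revisions, the initial one belonging to the
    // cancelling user.
    $revision_node = $this->drupalCreateNode(array('uid' => $account->id()));
    $revision = $revision_node->getRevisionId();
    $settings = get_object_vars($revision_node);
    $settings['revision'] = 1;
    // Set new/current revision to someone else.
    $settings['uid'] = 1;
    $revision_node = $this->drupalCreateNode($settings);

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertRaw(t('Your account will be removed and all account information deleted. All of your content will be assigned to the %anonymous-name user.', array('%anonymous-name' => \Drupal::config('user.settings')->get('anonymous'))), 'Informs that all content will be attributed to anonymous account.');

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime()));
    $this->assertFalse(user_load($account->id(), TRUE), 'User is not found in the database.');

    // Confirm that user's content has been attributed to anonymous user.
    $test_node = node_load($node->id(), TRUE);
    $this->assertTrue(($test_node->getOwnerId() == 0 && $test_node->isPublished()), 'Node of the user has been attributed to anonymous user.');
    $test_node = node_revision_load($revision, TRUE);
    $this->assertTrue(($test_node->getRevisionAuthor()->id() == 0 && $test_node->isPublished()), 'Node revision of the user has been attributed to anonymous user.');
    // The current revision was authored by uid 1 and must keep its owner.
    $test_node = node_load($revision_node->id(), TRUE);
    $this->assertTrue(($test_node->getOwnerId() != 0 && $test_node->isPublished()), "Current revision of the user's node was not attributed to anonymous user.");

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Delete account and remove all content.
   */
  public function testUserDelete() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_delete')->save();
    \Drupal::moduleHandler()->install(array('comment'));
    $this->resetAll();
    $this->container->get('comment.manager')->addDefaultField('node', 'page');

    // Create a user.
    $account = $this->drupalCreateUser(array('cancel account', 'post comments', 'skip comment approval'));
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->id(), TRUE);

    // Create a simple node.
    $node = $this->drupalCreateNode(array('uid' => $account->id()));

    // Create comment.
    $edit = array();
    $edit['subject[0][value]'] = $this->randomName(8);
    $edit['comment_body[0][value]'] = $this->randomName(16);

    $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit, t('Preview'));
    $this->drupalPostForm(NULL, array(), t('Save'));
    $this->assertText(t('Your comment has been posted.'));
    $comments = entity_load_multiple_by_properties('comment', array('subject' => $edit['subject[0][value]']));
    $comment = reset($comments);
    $this->assertTrue($comment->id(), 'Comment found.');

    // Create a node with two revisions, the initial one belonging to the
    // cancelling user.
    $revision_node = $this->drupalCreateNode(array('uid' => $account->id()));
    $revision = $revision_node->getRevisionId();
    $settings = get_object_vars($revision_node);
    $settings['revision'] = 1;
    // Set new/current revision to someone else.
    $settings['uid'] = 1;
    $revision_node = $this->drupalCreateNode($settings);

    // Attempt to cancel account.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Your account will be removed and all account information deleted. All of your content will also be deleted.'), 'Informs that all content will be deleted.');

    // Confirm account cancellation.
    $timestamp = time();
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');

    // Confirm account cancellation request.
    $this->drupalGet("user/" . $account->id() . "/cancel/confirm/$timestamp/" . user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime()));
    $this->assertFalse(user_load($account->id(), TRUE), 'User is not found in the database.');

    // Confirm that user's content has been deleted.
    $this->assertFalse(node_load($node->id(), TRUE), 'Node of the user has been deleted.');
    $this->assertFalse(node_revision_load($revision), 'Node revision of the user has been deleted.');
    // The node whose current revision belongs to uid 1 must survive.
    $this->assertTrue(node_load($revision_node->id(), TRUE), "Current revision of the user's node was not deleted.");
    \Drupal::entityManager()->getStorage('comment')->resetCache(array($comment->id()));
    $this->assertFalse(Comment::load($comment->id()), 'Comment of the user has been deleted.');

    // Confirm that the confirmation message made it through to the end user.
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), "Confirmation message displayed to user.");
  }

  /**
   * Create an administrative user and delete another user.
   */
  public function testUserCancelByAdmin() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a regular user.
    $account = $this->drupalCreateUser(array());

    // Create administrative user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);

    // Delete regular user.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('Are you sure you want to cancel the account %name?', array('%name' => $account->getUsername())), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Select the method to cancel the account above.'), 'Allows to select account cancellation method.');

    // Confirm deletion.
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), 'User deleted.');
    // Bypass the static cache so the lookup reflects the deletion performed by
    // the request above.
    $this->assertFalse(user_load($account->id(), TRUE), 'User is not found in the database.');
  }

  /**
   * Tests deletion of a user account without an email address.
   */
  public function testUserWithoutEmailCancelByAdmin() {
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();

    // Create a regular user.
    $account = $this->drupalCreateUser(array());
    // This user has no email address.
    $account->mail = '';
    $account->save();

    // Create administrative user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);

    // Delete regular user without email address.
    $this->drupalGet('user/' . $account->id() . '/edit');
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('Are you sure you want to cancel the account %name?', array('%name' => $account->getUsername())), 'Confirmation form to cancel account displayed.');
    $this->assertText(t('Select the method to cancel the account above.'), 'Allows to select account cancellation method.');

    // Confirm deletion.
    $this->drupalPostForm(NULL, NULL, t('Cancel account'));
    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), 'User deleted.');
    // Bypass the static cache so the lookup reflects the deletion performed by
    // the request above.
    $this->assertFalse(user_load($account->id(), TRUE), 'User is not found in the database.');
  }

  /**
   * Create an administrative user and mass-delete other users.
   *
   * The bulk selection also includes the acting administrator and uid 1; the
   * final assertions check that neither of those two accounts was cancelled.
   */
  public function testMassUserCancelByAdmin() {
    \Drupal::moduleHandler()->install(array('views'));
    \Drupal::config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();
    // Enable account cancellation notification.
    \Drupal::config('user.settings')->set('notify.status_canceled', TRUE)->save();

    // Create administrative user.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);

    // Create some users.
    $users = array();
    for ($i = 0; $i < 3; $i++) {
      $account = $this->drupalCreateUser(array());
      $users[$account->id()] = $account;
    }

    // Cancel user accounts, including own one. Rows 0 through 4 are ticked:
    // presumably uid 1, the administrator and the three users created above -
    // confirm against the listing's sort order.
    $edit = array();
    $edit['action'] = 'user_cancel_user_action';
    for ($i = 0; $i <= 4; $i++) {
      $edit['user_bulk_form[' . $i . ']'] = TRUE;
    }
    $this->drupalPostForm('admin/people', $edit, t('Apply'));
    $this->assertText(t('Are you sure you want to cancel these user accounts?'), 'Confirmation form to cancel accounts displayed.');
    $this->assertText(t('When cancelling these accounts'), 'Allows to select account cancellation method.');
    $this->assertText(t('Require email confirmation to cancel account.'), 'Allows to send confirmation mail.');
    $this->assertText(t('Notify user when account is canceled.'), 'Allows to send notification mail.');

    // Confirm deletion.
    $this->drupalPostForm(NULL, NULL, t('Cancel accounts'));
    // Every regular user must both be reported as deleted on the page and be
    // gone from storage; one failure turns the combined status FALSE.
    $status = TRUE;
    foreach ($users as $account) {
      $status = $status && (strpos($this->content, t('%name has been deleted.', array('%name' => $account->getUsername()))) !== FALSE);
      $status = $status && !user_load($account->id(), TRUE);
    }
    $this->assertTrue($status, 'Users deleted and not found in the database.');

    // Ensure that admin account was not cancelled. The administrator's own
    // account only receives a confirmation request instead of being removed.
    $this->assertText(t('A confirmation request to cancel your account has been sent to your email address.'), 'Account cancellation request mailed message displayed.');
    // Reload with $reset = TRUE so the status comes from storage rather than
    // from a cached entity.
    $admin_user = user_load($admin_user->id(), TRUE);
    $this->assertTrue($admin_user->isActive(), 'Administrative user is found in the database and enabled.');

    // Verify that uid 1's account was not cancelled.
    $user1 = user_load(1, TRUE);
    $this->assertTrue($user1->isActive(), 'User #1 still exists and is not blocked.');
  }
}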