Issue #3410098 by andypost, shalini_jha, Akhil Babu, Liam Morland,...

Issue #3410098 by andypost, shalini_jha, Akhil Babu, Liam Morland, kristiaanvandeneynde, smustgrave, alexpott: Deprecate passing non-strings to UserSession::hasPermission() and User::hasPermission() (cherry picked from commit a9f3b751)

Issue #3410098 by andypost, shalini_jha, Akhil Babu, Liam Morland,...
1122c8d3 · Alex Pott · 3400d1e6 · 1122c8d3 · 1122c8d3 · 1122c8d3
Verified Commit 1122c8d3 authored 1 year ago by Alex Pott
--- a/core/lib/Drupal/Core/Session/AccountInterface.php
+++ b/core/lib/Drupal/Core/Session/AccountInterface.php
@@ -50,7 +50,7 @@ public function getRoles($exclude_locked_roles = FALSE);
   * @return bool
   *   TRUE if the user has the permission, FALSE otherwise.
   */
-  public function hasPermission($permission);
+  public function hasPermission(/* string */$permission);

  /**
   * Returns TRUE if the account is authenticated.

--- a/core/lib/Drupal/Core/Session/UserSession.php
+++ b/core/lib/Drupal/Core/Session/UserSession.php
@@ -119,7 +119,11 @@ public function hasRole(string $rid): bool {
  /**
   * {@inheritdoc}
   */
-  public function hasPermission($permission) {
+  public function hasPermission(/* string */$permission) {
+    if (!is_string($permission)) {
+      @trigger_error('Calling ' . __METHOD__ . '() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485', E_USER_DEPRECATED);
+      return FALSE;
+    }
    return \Drupal::service('permission_checker')->hasPermission($permission, $this);
  }


--- a/core/modules/user/src/Entity/User.php
+++ b/core/modules/user/src/Entity/User.php
@@ -224,7 +224,11 @@ public function removeRole($rid) {
  /**
   * {@inheritdoc}
   */
-  public function hasPermission($permission) {
+  public function hasPermission(/* string */$permission) {
+    if (!is_string($permission)) {
+      @trigger_error('Calling ' . __METHOD__ . '() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485', E_USER_DEPRECATED);
+      return FALSE;
+    }
    return \Drupal::service('permission_checker')->hasPermission($permission, $this);
  }


--- a/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Session\PermissionChecker;
 use Drupal\Core\Session\UserSession;
 use Drupal\Tests\UnitTestCase;
+use Drupal\user\Entity\User;
 use Drupal\user\RoleInterface;

 /**
@@ -180,4 +181,19 @@ public function testHasRole() {
    $this->assertTrue($this->users['user_last']->hasRole(RoleInterface::ANONYMOUS_ID));
  }

+  /**
+   * Tests deprecation when permission is not a string.
+   *
+   * @covers ::hasPermission
+   * @group legacy
+   */
+  public function testHasPermissionLegacy() {
+    $this->expectDeprecation('Calling Drupal\Core\Session\UserSession::hasPermission() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485');
+    $this->assertFalse((new UserSession())->hasPermission(NULL));
+    $this->expectDeprecation('Calling Drupal\user\Entity\User::hasPermission() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485');
+    $reflection = new \ReflectionClass(User::class);
+    $user = $reflection->newInstanceWithoutConstructor();
+    $this->assertFalse($user->hasPermission(NULL));
+  }
+
 }