Commit 20cab6d9 authored by catch's avatar catch

Issue #2799209 by Lendude, Manuel Garcia, Berdir, dawehner: Incorrect...

Issue #2799209 by Lendude, Manuel Garcia, Berdir, dawehner: Incorrect permission check in views node access filter
parent fa34234e
......@@ -25,7 +25,7 @@ public function canExpose() {
*/
public function query() {
$account = $this->view->getUser();
if (!$account->hasPermission('administer nodes')) {
if (!$account->hasPermission('bypass node access')) {
$table = $this->ensureMyTable();
$grants = db_or();
foreach (node_access_grants('view', $account) as $realm => $gids) {
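Review bot: The corrected condition `if (!$account->hasPermission('bypass node access'))` carries no explanation of why this permission, rather than 'administer nodes', is the one that may skip the grants check, and that confusion is exactly the bug the commit fixes. Suggest a comment above the check: `// Only 'bypass node access' skips the grants check; 'administer nodes' does not confer read access to every node.` The rest of query() (the grants loop and whatever follows it) lies outside this hunk, so how a user with no matching grants is handled cannot be confirmed here. The result also depends on permissions and view grants for caching; the test view's cache metadata lists `user.permissions` and `user.node_grants:view`, but the plugin's own cache contexts are not visible in this hunk.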
<?php
namespace Drupal\node\Tests\Views;
use Drupal\node\Entity\NodeType;
/**
* Tests the node_access filter handler.
*
* @group node
* @see \Drupal\node\Plugin\views\filter\Access
*/
class FilterNodeAccessTest extends NodeTestBase {
/**
* An array of users.
*
* @var \Drupal\user\Entity\User[]
*/
protected $users;
/**
* {@inheritdoc}
*/
public static $modules = ['node_access_test'];
/**
* Views used by this test.
*
* @var array
*/
public static $testViews = ['test_filter_node_access'];
protected function setUp() {
parent::setUp();
$this->drupalCreateContentType(['type' => 'article', 'name' => 'Article']);
node_access_test_add_field(NodeType::load('article'));
node_access_rebuild();
\Drupal::state()->set('node_access_test.private', TRUE);
$num_simple_users = 2;
$this->users = [];
for ($i = 0; $i < $num_simple_users; $i++) {
$this->users[$i] = $this->drupalCreateUser(['access content', 'create article content']);
}
foreach ($this->users as $web_user) {
$this->drupalLogin($web_user);
foreach ([0 => 'Public', 1 => 'Private'] as $is_private => $type) {
$settings = [
'body' => [[
'value' => $type . ' node',
'format' => filter_default_format(),
]],
'title' => t('@private_public Article created by @user', ['@private_public' => $type, '@user' => $web_user->getUsername()]),
'type' => 'article',
'uid' => $web_user->id(),
'private' => (bool) $is_private,
];
$node = $this->drupalCreateNode($settings);
$this->assertEqual($is_private, (int) $node->private->value, 'The private status of the node was properly set in the node_access_test table.');
}
}
}
/**
* Tests the node access filter.
*/
public function testFilterNodeAccess() {
$this->drupalLogin($this->users[0]);
$this->drupalGet('test_filter_node_access');
// Test that the private node of the current user is shown.
$this->assertText('Private Article created by ' . $this->users[0]->getUsername());
// Test that the private node of the other use isn't shown.
$this->assertNoText('Private Article created by ' . $this->users[1]->getUsername());
// Test that both public nodes are shown.
$this->assertText('Public Article created by ' . $this->users[0]->getUsername());
$this->assertText('Public Article created by ' . $this->users[1]->getUsername());
// Switch users and test the other private node is shown.
$this->drupalLogin($this->users[1]);
$this->drupalGet('test_filter_node_access');
// Test that the private node of the current user is shown.
$this->assertText('Private Article created by ' . $this->users[1]->getUsername());
// Test that the private node of the other use isn't shown.
$this->assertNoText('Private Article created by ' . $this->users[0]->getUsername());
// Test that a user with administer nodes permission can't see all nodes.
$administer_nodes_user = $this->drupalCreateUser(['access content', 'administer nodes']);
$this->drupalLogin($administer_nodes_user);
$this->drupalGet('test_filter_node_access');
$this->assertNoText('Private Article created by ' . $this->users[0]->getUsername());
$this->assertNoText('Private Article created by ' . $this->users[1]->getUsername());
$this->assertText('Public Article created by ' . $this->users[0]->getUsername());
$this->assertText('Public Article created by ' . $this->users[1]->getUsername());
// Test that a user with bypass node access can see all nodes.
$bypass_access_user = $this->drupalCreateUser(['access content', 'bypass node access']);
$this->drupalLogin($bypass_access_user);
$this->drupalGet('test_filter_node_access');
$this->assertText('Private Article created by ' . $this->users[0]->getUsername());
$this->assertText('Private Article created by ' . $this->users[1]->getUsername());
$this->assertText('Public Article created by ' . $this->users[0]->getUsername());
$this->assertText('Public Article created by ' . $this->users[1]->getUsername());
}
}
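Review bot: The test depends on the fixture view disabling the node_access query rewrite (`disable_sql_rewrite: true` in test_filter_node_access) so that the filter under test is the only thing hiding private nodes, but nothing in the class says so; with rewriting enabled the assertions would pass even if the filter were broken. Suggest recording it in the class docblock: `Uses a view with SQL rewriting disabled so that the node_access filter alone restricts the result set.` The comments at the `assertNoText` calls read "the other use" where "the other user" is meant.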
langcode: en
status: true
dependencies:
module:
- node
- user
id: test_filter_node_access
label: test_filter_node_access
module: views
description: ''
tag: ''
base_table: node_field_data
base_field: nid
core: 8.x
display:
default:
display_plugin: default
id: default
display_title: Master
position: 0
display_options:
access:
type: perm
options:
perm: 'access content'
cache:
type: tag
options: { }
query:
type: views_query
options:
disable_sql_rewrite: true
distinct: false
replica: false
query_comment: ''
query_tags: { }
exposed_form:
type: basic
options:
submit_button: Apply
reset_button: false
reset_button_label: Reset
exposed_sorts_label: 'Sort by'
expose_sort_order: true
sort_asc_label: Asc
sort_desc_label: Desc
pager:
type: some
options:
items_per_page: 10
offset: 0
style:
type: default
row:
type: fields
options:
default_field_elements: true
inline: { }
separator: ''
hide_empty: false
fields:
title:
id: title
table: node_field_data
field: title
entity_type: node
entity_field: title
label: ''
alter:
alter_text: false
make_link: false
absolute: false
trim: false
word_boundary: false
ellipsis: false
strip_tags: false
html: false
hide_empty: false
empty_zero: false
settings:
link_to_entity: true
plugin_id: field
relationship: none
group_type: group
admin_label: ''
exclude: false
element_type: ''
element_class: ''
element_label_type: ''
element_label_class: ''
element_label_colon: true
element_wrapper_type: ''
element_wrapper_class: ''
element_default_classes: true
empty: ''
hide_alter_empty: true
click_sort_column: value
type: string
group_column: value
group_columns: { }
group_rows: true
delta_limit: 0
delta_offset: 0
delta_reversed: false
delta_first_last: false
multi_type: separator
separator: ', '
field_api_classes: false
filters:
status:
value: '1'
table: node_field_data
field: status
plugin_id: boolean
entity_type: node
entity_field: status
id: status
expose:
operator: ''
group: 1
nid:
id: nid
table: node_access
field: nid
relationship: none
group_type: group
admin_label: ''
operator: '='
value: ''
group: 1
exposed: false
expose:
operator_id: ''
label: ''
description: ''
use_operator: false
operator: ''
identifier: ''
required: false
remember: false
multiple: false
remember_roles:
authenticated: authenticated
is_grouped: false
group_info:
label: ''
description: ''
identifier: ''
optional: true
widget: select
multiple: false
remember: false
default_group: All
default_group_multiple: { }
group_items: { }
plugin_id: node_access
sorts:
created:
id: created
table: node_field_data
field: created
order: DESC
entity_type: node
entity_field: created
plugin_id: date
relationship: none
group_type: group
admin_label: ''
exposed: false
expose:
label: ''
granularity: second
title: test_filter_node_access
header: { }
footer: { }
empty: { }
relationships: { }
arguments: { }
display_extenders: { }
cache_metadata:
max-age: -1
contexts:
- 'languages:language_content'
- 'languages:language_interface'
- 'user.node_grants:view'
- user.permissions
tags: { }
page_1:
display_plugin: page
id: page_1
display_title: Page
position: 1
display_options:
display_extenders: { }
path: test_filter_node_access
cache_metadata:
max-age: -1
contexts:
- 'languages:language_content'
- 'languages:language_interface'
- 'user.node_grants:view'
- user.permissions
tags: { }
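Review bot: `disable_sql_rewrite: true` under the query options is what makes this fixture meaningful, since it turns off the node_access query alter so that only the filter being tested restricts rows, yet the view's `description` is left empty. Filling it in, e.g. `description: 'SQL rewriting disabled so that only the node_access filter restricts results.'`, records that intent for anyone later editing or re-exporting the fixture.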