Issue #2462589 by dawehner, jhodgdon: Provide test coverage for access checking of all views fields

core/lib/Drupal/Core/Field/Plugin/Field/FieldType/EntityReferenceItem.php

@@ -31,6 +31,7 @@
  *   description = @Translation("An entity field containing an entity reference."),
  *   category = @Translation("Reference"),
  *   no_ui = TRUE,
+ *   default_formatter = "entity_reference_label",
  *   list_class = "\Drupal\Core\Field\EntityReferenceFieldItemList",
  *   constraints = {"ValidReference" = {}}
  * )

core/modules/aggregator/src/Tests/Views/AggregatorFeedViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\aggregator\Tests\Views\AggregatorFeedViewsFieldAccessTest.
+ */
+
+namespace Drupal\aggregator\Tests\Views;
+
+use Drupal\aggregator\Entity\Feed;
+use Drupal\views\Tests\Handler\FieldFieldAccessTestBase;
+
+/**
+ * Tests base field access in Views for the aggregator_feed entity.
+ *
+ * @group aggregator
+ */
+class AggregatorFeedViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['aggregator', 'entity_test', 'options'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('aggregator_feed');
+  }
+
+  /**
+   * Checks access for aggregator_feed fields.
+   */
+  public function testAggregatorFeedFields() {
+    $feed = Feed::create([
+      'title' => 'Drupal org',
+      'url' => 'https://www.drupal.org/rss.xml',
+      'link' => 'https://www.drupal.org/rss.xml',
+    ]);
+    $feed->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    // $this->assertFieldAccess('aggregator_feed', 'title', $feed->label());
+    $this->assertFieldAccess('aggregator_feed', 'langcode', $feed->language()->getName());
+    $this->assertFieldAccess('aggregator_feed', 'url', $feed->getUrl());
+  }
+
+}

core/modules/aggregator/src/Tests/Views/AggregatorItemViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\aggregator\Tests\Views\AggregatorItemViewsFieldAccessTest.
+ */
+
+namespace Drupal\aggregator\Tests\Views;
+
+use Drupal\aggregator\Entity\Feed;
+use Drupal\aggregator\Entity\Item;
+use Drupal\views\Tests\Handler\FieldFieldAccessTestBase;
+
+/**
+ * Tests base field access in Views for the aggregator_item entity.
+ *
+ * @group aggregator
+ */
+class AggregatorItemViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['aggregator', 'entity_test', 'options'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('aggregator_feed');
+    $this->installEntitySchema('aggregator_item');
+  }
+
+  /**
+   * Checks access for aggregator_item fields.
+   */
+  public function testAggregatorItemFields() {
+    $feed = Feed::create([
+      'title' => 'Drupal org',
+      'url' => 'https://www.drupal.org/rss.xml',
+    ]);
+    $feed->save();
+    $item = Item::create([
+      'title' => 'Test title',
+      'fid' => $feed->id(),
+      'description' => 'Test description',
+    ]);
+
+    $item->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    // $this->assertFieldAccess('aggregator_item', 'title', $item->getTitle());
+    $this->assertFieldAccess('aggregator_item', 'langcode', $item->language()->getName());
+    // $this->assertFieldAccess('aggregator_item', 'description', $item->getDescription());
+  }
+
+}

core/modules/comment/src/Tests/Views/CommentViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\comment\Tests\Views\CommentViewsFieldAccessTest.
+ */
+
+namespace Drupal\comment\Tests\Views;
+
+use Drupal\comment\Entity\Comment;
+use Drupal\user\Entity\User;
+use Drupal\views\Tests\Handler\FieldFieldAccessTestBase;
+
+/**
+ * Tests base field access in Views for the comment entity.
+ *
+ * @group comment
+ */
+class CommentViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['comment', 'entity_test'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('comment');
+  }
+
+  /**
+   * Check access for comment fields.
+   */
+  public function testCommentFields() {
+    $user = User::create([
+      'name' => 'test user',
+    ]);
+    $user->save();
+
+    $comment = Comment::create([
+      'subject' => 'My comment title',
+      'uid' => $user->id(),
+      'entity_type' => 'entity_test',
+      'comment_type' => 'entity_test',
+    ]);
+    $comment->save();
+
+    $comment_anonymous = Comment::create([
+      'subject' => 'Anonymous comment title',
+      'uid' => 0,
+      'name' => 'anonymous',
+      'mail' => 'test@example.com',
+      'homepage' => 'https://example.com',
+      'entity_type' => 'entity_test',
+      'comment_type' => 'entity_test',
+      'created' => 123456,
+      'status' => 1,
+    ]);
+    $comment_anonymous->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    // $this->assertFieldAccess('comment', 'cid', $comment->id());
+    // $this->assertFieldAccess('comment', 'cid', $comment_anonymous->id());
+    // $this->assertFieldAccess('comment', 'uuid', $comment->uuid());
+    // $this->assertFieldAccess('comment', 'subject', 'My comment title');
+    // $this->assertFieldAccess('comment', 'subject', 'Anonymous comment title');
+    // $this->assertFieldAccess('comment', 'name', 'anonymous');
+    $this->assertFieldAccess('comment', 'mail', 'test@example.com');
+    $this->assertFieldAccess('comment', 'homepage', 'https://example.com');
+    // $this->assertFieldAccess('comment', 'uid', $comment->uid->target_id);
+    // $this->assertFieldAccess('comment', 'created', \Drupal::service('date.formatter')->format(123456));
+    // $this->assertFieldAccess('comment', 'changed', \Drupal::service('date.formatter')->format(REQUEST_TIME));
+    $this->assertFieldAccess('comment', 'status', 'On');
+  }
+
+}

core/modules/file/src/Tests/Views/FileViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\file\Tests\Views\FileViewsFieldAccessTest.
+ */
+
+namespace Drupal\file\Tests\Views;
+
+use Drupal\file\Entity\File;
+use Drupal\language\Entity\ConfigurableLanguage;
+use Drupal\node\Entity\Node;
+use Drupal\node\Entity\NodeType;
+use Drupal\user\Entity\User;
+use Drupal\views\Tests\Handler\FieldFieldAccessTestBase;
+
+/**
+ * Tests base field access in Views for the file entity.
+ *
+ * @group File
+ */
+class FileViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['file', 'entity_test', 'language', 'user'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('file');
+  }
+
+  /**
+   * Check access for file fields.
+   */
+  public function testFileFields() {
+    ConfigurableLanguage::create([
+      'id' => 'fr',
+      'name' => 'French',
+    ])->save();
+
+    $user = User::create([
+      'name' => 'test user',
+    ]);
+    $user->save();
+
+    file_put_contents('public://test.txt', 'test');
+    $file = File::create([
+      'filename' => 'test.txt',
+      'uri' => 'public://test.txt',
+      'status' => TRUE,
+      'langcode' => 'fr',
+      'uid' => $user->id()
+    ]);
+    $file->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    // $this->assertFieldAccess('file', 'fid', $file->id());
+    // $this->assertFieldAccess('file', 'uuid', $file->uuid());
+    $this->assertFieldAccess('file', 'langcode', $file->language()->getName());
+    $this->assertFieldAccess('file', 'uid', 'test user');
+    // $this->assertFieldAccess('file', 'filename', $file->getFilename());
+    // $this->assertFieldAccess('file', 'uri', $file->getFileUri());
+    // $this->assertFieldAccess('file', 'filemime', $file->filemime->value);
+    // $this->assertFieldAccess('file', 'size', '4 Bytes');
+    // $this->assertFieldAccess('file', 'status', 'On');
+    // $this->assertFieldAccess('file', 'created', \Drupal::service('date.formatter')->format(123456));
+    // $this->assertFieldAccess('file', 'changed', \Drupal::service('date.formatter')->format(REQUEST_TIME));
+  }
+
+}

core/modules/node/src/Tests/Views/NodeViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\node\Tests\Views\NodeViewsFieldAccessTest.
+ */
+
+namespace Drupal\node\Tests\Views;
+
+use Drupal\node\Entity\Node;
+use Drupal\node\Entity\NodeType;
+use Drupal\user\Entity\User;
+use Drupal\views\Tests\Handler\FieldFieldAccessTestBase;
+
+/**
+ * Tests base field access in Views for the node entity.
+ *
+ * @group Node
+ */
+class NodeViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['node', 'entity_test'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('node');
+  }
+
+  /**
+   * Check access for node fields.
+   */
+  public function testNodeFields() {
+    $user = User::create([
+      'name' => 'test user',
+    ]);
+    $user->save();
+    NodeType::create([
+      'type' => 'article',
+      'name' => 'Article',
+    ])->save();
+    $node = Node::create([
+      'type' => 'article',
+      'title' => 'Test title',
+      'status' => 1,
+      'promote' => 1,
+      'sticky' => 0,
+      'created' => 123456,
+    ]);
+
+    $node->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    $this->assertFieldAccess('node', 'nid', $node->id());
+    // $this->assertFieldAccess('node', 'uuid', $node->uuid());
+    $this->assertFieldAccess('node', 'vid', $node->id());
+    $this->assertFieldAccess('node', 'type', $node->type->entity->label());
+    $this->assertFieldAccess('node', 'langcode', $node->language()->getName());
+    $this->assertFieldAccess('node', 'title', 'Test title');
+    // $this->assertFieldAccess('node', 'uid', $user->getUsername());
+    // @todo Don't we want to display Published / Unpublished by default,
+    //   see https://www.drupal.org/node/2465623
+    $this->assertFieldAccess('node', 'status', 'On');
+    $this->assertFieldAccess('node', 'promote', 'On');
+    $this->assertFieldAccess('node', 'sticky', 'Off');
+
+    // $this->assertFieldAccess('node', 'created', \Drupal::service('date.formatter')->format(123456));
+    // $this->assertFieldAccess('node', 'changed', \Drupal::service('date.formatter')->format(REQUEST_TIME));
+  }
+
+}

core/modules/node/tests/modules/node_access_test/node_access_test.module

@@ -145,7 +145,8 @@ function node_access_test_add_field(NodeTypeInterface $type) {
  * Implements hook_node_access().
  */
 function node_access_test_node_access(\Drupal\node\NodeInterface $node, $op, \Drupal\Core\Session\AccountInterface $account, $langcode) {
-  $secret_catalan = \Drupal::state()->get('node_access_test_secret_catalan') ?: 0;
+  $secret_catalan = \Drupal::state()
+    ->get('node_access_test_secret_catalan') ?: 0;
   if ($secret_catalan && $langcode == 'ca') {
     // Make all Catalan content secret.
     return AccessResult::forbidden()->setCacheMaxAge(0);

core/modules/system/tests/modules/entity_test/entity_test.module

@@ -348,6 +348,17 @@ function entity_test_entity_field_access($operation, FieldDefinitionInterface $f
       }
     }
   }
+  if ($field = \Drupal::state()->get('views_field_access_test-field')) {
+    if ($field_definition->getName() === $field) {
+      $result = AccessResult::allowedIfHasPermission($account, 'view test entity field');
+      // For test purposes we want to actively deny access.
+      if ($result->isNeutral()) {
+        $result = AccessResult::forbidden();
+      }
+      return $result;
+    }
+  }
+
   // No opinion.
   return AccessResult::neutral();
 }

core/modules/system/tests/modules/entity_test/entity_test.permissions.yml

@@ -5,3 +5,5 @@ view test entity:
   title: 'View test entities'
 view test entity translations:
   title: 'View translations of test entities'
+view test entity field:
+  title: 'View test entity field'

core/modules/user/src/Tests/Views/UserViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\user\Tests\Views\userViewsFieldAccessTest.
+ */
+
+namespace Drupal\user\Tests\Views;
+
+use Drupal\language\Entity\ConfigurableLanguage;
+use Drupal\user\Entity\user;
+use Drupal\views\Tests\Handler\FieldFieldAccessTestBase;
+
+/**
+ * Tests base field access in Views for the user entity.
+ *
+ * @group user
+ */
+class UserViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['user', 'entity_test', 'language'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('user');
+  }
+
+  public function testUserFields() {
+    ConfigurableLanguage::create([
+      'id' => 'es',
+      'name' => 'Spanish',
+    ])->save();
+    ConfigurableLanguage::create([
+      'id' => 'fr',
+      'name' => 'French',
+    ])->save();
+
+    $user = User::create([
+      'name' => 'test user',
+      'mail' => 'druplicon@drop.org',
+      'status' => 1,
+      'preferred_langcode' => 'es',
+      'preferred_admin_langcode' => 'fr',
+      'timezone' => 'ut1',
+      'created' => 123456,
+    ]);
+
+    $user->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    // $this->assertFieldAccess('user', 'uid', $user->id());
+    // $this->assertFieldAccess('user', 'uuid', $user->uuid());
+    $this->assertFieldAccess('user', 'langcode', $user->language()->getName());
+    $this->assertFieldAccess('user', 'preferred_langcode', 'Spanish');
+    $this->assertFieldAccess('user', 'preferred_admin_langcode', 'French');
+    // $this->assertFieldAccess('user', 'name', 'test user');
+    // $this->assertFieldAccess('user', 'mail', 'druplicon@drop.org');
+    $this->assertFieldAccess('user', 'timezone', 'ut1');
+    $this->assertFieldAccess('user', 'status', 'On');
+    // $this->assertFieldAccess('user', 'created', \Drupal::service('date.formatter')->format(123456));
+    // $this->assertFieldAccess('user', 'changed', \Drupal::service('date.formatter')->format(REQUEST_TIME));
+  }
+
+}

core/modules/views/src/Tests/Handler/EntityTestViewsFieldAccessTest.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\views\Tests\Handler\EntityTestViewsFieldAccessTest.
+ */
+
+namespace Drupal\views\Tests\Handler;
+use Drupal\entity_test\Entity\EntityTest;
+
+/**
+ * Tests base field access in Views for the entity_test entity.
+ *
+ * @group entity_test
+ */
+class EntityTestViewsFieldAccessTest extends FieldFieldAccessTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['entity_test'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('entity_test');
+  }
+
+  public function testEntityTestFields() {
+    $entity_test = EntityTest::create([
+      'name' => 'test entity name',
+    ]);
+    $entity_test->save();
+
+    // @todo Expand the test coverage in https://www.drupal.org/node/2464635
+
+    $this->assertFieldAccess('entity_test', 'id', $entity_test->id());
+    $this->assertFieldAccess('entity_test', 'langcode', $entity_test->language()->getName());
+    $this->assertFieldAccess('entity_test', 'name', $entity_test->getName());
+  }
+
+}

core/modules/views/src/Tests/Handler/FieldFieldAccessTestBase.php

+<?php
+
+/**
+ * @file
+ * Contains \Drupal\views\Tests\Handler\FieldFieldAccessTest.
+ */
+
+namespace Drupal\views\Tests\Handler;
+
+use Drupal\user\Entity\Role;
+use Drupal\user\Entity\User;
+use Drupal\views\Entity\View;
+use Drupal\views\Tests\ViewUnitTestBase;
+use Drupal\views\Views;
+
+/**
+ * Provides a base class for base field access in views.
+ */
+abstract class FieldFieldAccessTestBase extends ViewUnitTestBase {
+
+  /**
+   * Stores an user entity with access to fields.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $userWithAccess;
+
+  /**
+   * Stores an user entity without access to fields.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $userWithoutAccess;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['user'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp($import_test_views = TRUE) {
+    parent::setUp($import_test_views);
+
+    $this->installEntitySchema('user');
+
+    $role_with_access = Role::create([
+      'id' => 'with_access',
+      'permissions' => ['view test entity field'],
+    ]);
+    $role_with_access->save();
+    $role_without_access = Role::create([
+      'id' => 'without_access',
+      'permissions' => [],
+    ]);
+    $role_without_access->save();
+
+    $this->userWithAccess = User::create([
+      'name' => $this->randomMachineName(),
+      'roles' => [$role_with_access->id()],
+    ]);
+    $this->userWithAccess->save();
+    $this->userWithoutAccess = User::create([
+      'name' => $this->randomMachineName(),
+      'roles' => [$role_without_access->id()],
+    ]);
+    $this->userWithoutAccess->save();
+  }
+
+  /**
+   * Checks views field access for a given entity type and field name.
+   *
+   * To use this method, set up an entity of type $entity_type_id, with field
+   * $field_name. Create an entity instance that contains content $field_content
+   * in that field.
+   *
+   * This method will check that a user with permission can see the content in a
+   * view, and a user without access permission on that field cannot.
+   *
+   * @param string $entity_type_id
+   *   The entity type ID.
+   * @param string $field_name
+   *   The field name.
+   * @param string $field_content
+   *   The expected field content.
+   */
+  protected function assertFieldAccess($entity_type_id, $field_name, $field_content) {
+    \Drupal::state()->set('views_field_access_test-field', $field_name);
+
+    $entity_type = \Drupal::entityManager()->getDefinition($entity_type_id);
+    $view_id = $this->randomMachineName();
+    $base_table = $entity_type->getDataTable() ?: $entity_type->getBaseTable();
+    $entity = View::create([
+      'id' => $view_id,
+      'base_table' => $base_table,
+      'display' => [
+        'default' => [