Commit 59788e3f authored by alexpott's avatar alexpott
Browse files

Issue #2029855 by klausi, benjy, fgm, hussainweb, Cottser, pfrenssen,...

Issue #2029855 by klausi, benjy, fgm, hussainweb, Cottser, pfrenssen, kim.pepper | moshe weitzman: Fixed Missing access control for user base fields.
parent 331f2878
......@@ -10,6 +10,8 @@
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;
/**
......@@ -60,4 +62,68 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
// Fields that are not implicitly allowed to administrative users.
$explicit_check_fields = array(
'password',
);
// Administrative users are allowed to edit and view all fields.
if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
return AccessResult::allowed()->cachePerRole();
}
// Flag to indicate if this user entity is the own user account.
$is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;
switch ($field_definition->getName()) {
case 'name':
// Allow view access to anyone with access to the entity.
if ($operation == 'view') {
return AccessResult::allowed()->cachePerRole();
}
// Allow edit access for the own user name if the permission is
// satisfied.
if ($is_own_account && $account->hasPermission('change own username')) {
return AccessResult::allowed()->cachePerRole()->cachePerUser();
}
else {
return AccessResult::forbidden();
}
case 'preferred_langcode':
case 'preferred_admin_langcode':
case 'signature':
case 'signature_format':
case 'timezone':
case 'mail':
// Allow view access to own mail address and other personalization
// settings.
if ($operation == 'view') {
return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::forbidden();
}
// Anyone that can edit the user can also edit this field.
return AccessResult::allowed()->cachePerRole();
case 'pass':
// Allow editing the password, but not viewing it.
return ($operation == 'edit') ? AccessResult::allowed() : AccessResult::forbidden();
case 'created':
// Allow viewing the created date, but not editing it.
return ($operation == 'view') ? AccessResult::allowed() : AccessResult::forbidden();
case 'roles':
case 'status':
case 'access':
case 'login':
case 'init':
return AccessResult::forbidden();
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
}
<?php
/**
* @file
* Contains \Drupal\Tests\user\Unit\UserAccessControlHandlerTest.
*/
namespace Drupal\Tests\user\Unit;
use Drupal\Component\Utility\String;
use Drupal\Core\Access\AccessResult;
use Drupal\Tests\UnitTestCase;
use Drupal\user\UserAccessControlHandler;
/**
* Tests the user access controller.
*
* @group Drupal
* @group User
*
* @coversDefaultClass \Drupal\user\UserAccessControlHandler
*/
class UserAccessControlHandlerTest extends UnitTestCase {
/**
* The user access controller to test.
*
* @var \Drupal\user\UserAccessControlHandler
*/
protected $accessControlHandler;
/**
* The mock user account with view access.
*
* @var \Drupal\Core\Session\AccountInterface
*/
protected $viewer;
/**
* The mock user account that is able to change their own account name.
*
* @var \Drupal\Core\Session\AccountInterface
*/
protected $owner;
/**
* The mock administrative test user.
*
* @var \Drupal\Core\Session\AccountInterface
*/
protected $admin;
/**
* The mocked test field items.
*
* @var \Drupal\Core\Field\FieldItemList
*/
protected $items;
/**
* {@inheritdoc}
*/
public static function getInfo() {
return array(
'name' => 'User access controller',
'description' => 'Tests the user access controller.',
'group' => 'User',
);
}
/**
* {@inheritdoc}
*/
public function setUp() {
parent::setUp();
$this->viewer = $this->getMock('\Drupal\Core\Session\AccountInterface');
$this->viewer
->expects($this->any())
->method('hasPermission')
->will($this->returnValue(FALSE));
$this->viewer
->expects($this->any())
->method('id')
->will($this->returnValue(1));
$this->owner = $this->getMock('\Drupal\Core\Session\AccountInterface');
$this->owner
->expects($this->any())
->method('hasPermission')
->will($this->returnValueMap(array(
array('administer users', FALSE),
array('change own username', TRUE),
)));
$this->owner
->expects($this->any())
->method('id')
->will($this->returnValue(2));
$this->admin = $this->getMock('\Drupal\Core\Session\AccountInterface');
$this->admin
->expects($this->any())
->method('hasPermission')
->will($this->returnValue(TRUE));
$entity_type = $this->getMock('Drupal\Core\Entity\EntityTypeInterface');
$this->accessControlHandler = new UserAccessControlHandler($entity_type);
$module_handler = $this->getMock('Drupal\Core\Extension\ModuleHandlerInterface');
$module_handler->expects($this->any())
->method('getImplementations')
->will($this->returnValue(array()));
$this->accessControlHandler->setModuleHandler($module_handler);
$this->items = $this->getMockBuilder('Drupal\Core\Field\FieldItemList')
->disableOriginalConstructor()
->getMock();
$this->items
->expects($this->any())
->method('defaultAccess')
->will($this->returnValue(AccessResult::allowed()));
}
/**
* Asserts correct field access grants for a field.
*/
public function assertFieldAccess($field, $viewer, $target, $view, $edit) {
$field_definition = $this->getMock('Drupal\Core\Field\FieldDefinitionInterface');
$field_definition->expects($this->any())
->method('getName')
->will($this->returnValue($field));
$this->items
->expects($this->any())
->method('getEntity')
->will($this->returnValue($this->{$target}));
foreach (array('view' => $view, 'edit' => $edit) as $operation => $result) {
$message = String::format("User @field field access returns @result with operation '@op' for @account accessing @target", array(
'@field' => $field,
'@result' => !isset($result) ? 'null' : ($result ? 'true' : 'false'),
'@op' => $operation,
'@account' => $viewer,
'@target' => $target,
));
$this->assertSame($result, $this->accessControlHandler->fieldAccess($operation, $field_definition, $this->{$viewer}, $this->items), $message);
}
}
/**
* Ensures user name access is working properly.
*
* @dataProvider userNameProvider
*/
public function testUserNameAccess($viewer, $target, $view, $edit) {
$this->assertFieldAccess('name', $viewer, $target, $view, $edit);
}
/**
* Provides test data for estUserNameAccess().
*/
public function userNameProvider() {
$name_access = array(
// The viewer user is allowed to see user names on all accounts.
array(
'viewer' => 'viewer',
'target' => 'viewer',
'view' => TRUE,
'edit' => FALSE,
),
array(
'viewer' => 'owner',
'target' => 'viewer',
'view' => TRUE,
'edit' => FALSE,
),
array(
'viewer' => 'viewer',
'target' => 'owner',
'view' => TRUE,
'edit' => FALSE,
),
// The owner user is allowed to change its own user name.
array(
'viewer' => 'owner',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
),
// The users-administrator user has full access.
array(
'viewer' => 'admin',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
),
);
return $name_access;
}
/**
* Tests that private user settings cannot be viewed by other users.
*
* @dataProvider hiddenUserSettingsProvider
*/
public function testHiddenUserSettings($field, $viewer, $target, $view, $edit) {
$this->assertFieldAccess($field, $viewer, $target, $view, $edit);
}
/**
* Provides test data for testHiddenUserSettings().
*/
public function hiddenUserSettingsProvider() {
$access_info = array();
$fields = array(
'preferred_langcode',
'preferred_admin_langcode',
'signature',
'signature_format',
'timezone',
'mail',
);
foreach ($fields as $field) {
$access_info[] = array(
'field' => $field,
'viewer' => 'viewer',
'target' => 'viewer',
'view' => TRUE,
'edit' => TRUE,
);
$access_info[] = array(
'field' => $field,
'viewer' => 'viewer',
'target' => 'owner',
'view' => FALSE,
// Anyone with edit access to the user can also edit these fields. In
// reality edit access will already be checked on entity level and the
// user without view access will typically not be able to edit.
'edit' => TRUE,
);
$access_info[] = array(
'field' => $field,
'viewer' => 'owner',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
);
$access_info[] = array(
'field' => $field,
'viewer' => 'admin',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
);
}
return $access_info;
}
/**
* Tests that private user settings cannot be viewed by other users.
*
* @dataProvider adminFieldAccessProvider
*/
public function testAdminFieldAccess($field, $viewer, $target, $view, $edit) {
$this->assertFieldAccess($field, $viewer, $target, $view, $edit);
}
/**
* Provides test data for testAdminFieldAccess().
*/
public function adminFieldAccessProvider() {
$access_info = array();
$fields = array(
'roles',
'status',
'access',
'login',
'init',
);
foreach ($fields as $field) {
$access_info[] = array(
'field' => $field,
'viewer' => 'viewer',
'target' => 'viewer',
'view' => FALSE,
'edit' => FALSE,
);
$access_info[] = array(
'field' => $field,
'viewer' => 'viewer',
'target' => 'owner',
'view' => FALSE,
'edit' => FALSE,
);
$access_info[] = array(
'field' => $field,
'viewer' => 'admin',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
);
}
return $access_info;
}
/**
* Tests that passwords cannot be viewed, just edited.
*
* @dataProvider passwordAccessProvider
*/
public function testPasswordAccess($viewer, $target, $view, $edit) {
$this->assertFieldAccess('pass', $viewer, $target, $view, $edit);
}
/**
* Provides test data for passwordAccessProvider().
*/
public function passwordAccessProvider() {
$pass_access = array(
array(
'viewer' => 'viewer',
'target' => 'viewer',
'view' => FALSE,
'edit' => TRUE,
),
array(
'viewer' => 'viewer',
'target' => 'owner',
'view' => FALSE,
// Anyone with edit access to the user can also edit these fields. In
// reality edit access will already be checked on entity level and the
// user without view access will typically not be able to edit.
'edit' => TRUE,
),
array(
'viewer' => 'owner',
'target' => 'viewer',
'view' => FALSE,
'edit' => TRUE,
),
array(
'viewer' => 'admin',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
),
);
return $pass_access;
}
/**
* Tests the user created field access.
*
* @dataProvider createdAccessProvider
*/
public function testCreatedAccess($viewer, $target, $view, $edit) {
$this->assertFieldAccess('created', $viewer, $target, $view, $edit);
}
/**
* Provides test data for testCreatedAccess().
*/
public function createdAccessProvider() {
$created_access = array(
array(
'viewer' => 'viewer',
'target' => 'viewer',
'view' => TRUE,
'edit' => FALSE,
),
array(
'viewer' => 'owner',
'target' => 'viewer',
'view' => TRUE,
'edit' => FALSE,
),
array(
'viewer' => 'admin',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
),
);
return $created_access;
}
/**
* Tests access to a non-existing base field.
*
* @dataProvider NonExistingFieldAccessProvider
*/
public function testNonExistingFieldAccess($viewer, $target, $view, $edit) {
// By default everyone has access to all fields that do not have explicit
// access control.
// @see EntityAccessControlHandler::checkFieldAccess()
$this->assertFieldAccess('some_non_existing_field', $viewer, $target, $view, $edit);
}
/**
* Provides test data for testNonExistingFieldAccess().
*/
public function NonExistingFieldAccessProvider() {
$created_access = array(
array(
'viewer' => 'viewer',
'target' => 'viewer',
'view' => TRUE,
'edit' => TRUE,
),
array(
'viewer' => 'owner',
'target' => 'viewer',
'view' => TRUE,
'edit' => TRUE,
),
array(
'viewer' => 'admin',
'target' => 'owner',
'view' => TRUE,
'edit' => TRUE,
),
);
return $created_access;
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment