Commit 7f6245ab authored by alexpott's avatar alexpott

Issue #2426389 by olli, mikey_p, idebr, amateescu: Port SA-CONTRIB-2015-039 to D8 (views)

parent fc49a03a
......@@ -19,8 +19,9 @@ display:
position: 0
display_options:
access:
type: none
options: { }
type: perm
options:
perm: 'access news feeds'
cache:
type: none
options: { }
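Review bot: Nothing in the visible part of this commit stops a shipped view from carrying `access: type: none` again, which is the condition fixed here and in the three other YAML hunks (the 'Monthly archive' view, the `use_ajax: true` view and the `replica: false` view). A test that loads every default view and fails when any display's access type is `none` would guard all of them at once. These values also only take effect when the configuration is installed or imported, so a site that already holds the old copy of a view presumably keeps `type: none` until that view is re-saved or reverted; that is worth stating in the release notes.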
......
......@@ -113,7 +113,13 @@ public function testFeedPage() {
$cache_tags = explode(' ', $cache_tags_header);
$this->assertTrue(in_array('aggregator_feed:' . $feed->id(), $cache_tags));
// Check the rss aggregator page.
// Check the rss aggregator page as anonymous user.
$this->drupalLogout();
$this->drupalGet('aggregator/rss');
$this->assertResponse(403);
// Check the rss aggregator page as admin.
$this->drupalLogin($this->adminUser);
$this->drupalGet('aggregator/rss');
$this->assertResponse(200);
$this->assertEqual($this->drupalGetHeader('Content-type'), 'application/rss+xml; charset=utf-8');
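Review bot: The 200 assertion after `drupalLogin($this->adminUser)` does not show that `access news feeds` is the permission gating `aggregator/rss`, because the admin user created in `setUp()` also holds `administer news feeds` and two further permissions. A request made as a user holding only that one permission would pin the intended rule: `$this->drupalLogin($this->drupalCreateUser(array('access news feeds')));` followed by the same `drupalGet('aggregator/rss')` and `assertResponse(200)`. testFeedPage starts and ends outside this hunk.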
......
......@@ -16,6 +16,13 @@
*/
abstract class AggregatorTestBase extends WebTestBase {
/**
* A user with permission to administer feeds and create content.
*
* @var \Drupal\user\Entity\User
*/
protected $adminUser;
/**
* Modules to install.
*
......@@ -31,8 +38,8 @@ protected function setUp() {
$this->drupalCreateContentType(array('type' => 'article', 'name' => 'Article'));
}
$web_user = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
$this->drupalLogin($web_user);
$this->adminUser = $this->drupalCreateUser(array('access administration pages', 'administer news feeds', 'access news feeds', 'create article content'));
$this->drupalLogin($this->adminUser);
}
/**
......
......@@ -71,6 +71,7 @@ protected function defaultDisplayOptions() {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access comments';
// Add a relationship to nodes.
$display_options['relationships']['node']['id'] = 'node';
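Review bot: The permission names set in the wizard defaults are string literals that no test visible in this commit exercises, here for `access comments` and likewise in the later `access content`, `view all revisions` and `access site reports` hunks. The `view revisions` to `view all revisions` correction further down suggests a wrong name can go unnoticed for some time. A test that builds a view through each wizard and requests it once as a user without the named permission (expecting 403) and once with it (expecting 200) would catch both an over-open and a mistyped default. defaultDisplayOptions() starts and ends outside this hunk.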
......
......@@ -26,4 +26,17 @@ class Watchdog extends WizardPluginBase {
*/
protected $createdColumn = 'timestamp';
/**
* {@inheritdoc}
*/
protected function defaultDisplayOptions() {
$display_options = parent::defaultDisplayOptions();
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access site reports';
return $display_options;
}
}
......@@ -28,8 +28,9 @@ display:
query_tags: { }
title: 'Monthly archive'
access:
type: none
options: { }
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }
......
......@@ -29,8 +29,9 @@ display:
query_tags: { }
use_ajax: true
access:
type: none
options: { }
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }
......
......@@ -77,6 +77,7 @@ protected function defaultDisplayOptions() {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access content';
// Remove the default fields, since we are customizing them here.
unset($display_options['fields']);
......
......@@ -63,7 +63,7 @@ protected function defaultDisplayOptions() {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'view revisions';
$display_options['access']['options']['perm'] = 'view all revisions';
// Remove the default fields, since we are customizing them here.
unset($display_options['fields']);
......
......@@ -28,8 +28,9 @@ display:
replica: false
query_tags: { }
access:
type: none
options: { }
type: perm
options:
perm: 'access content'
cache:
type: none
options: { }
......
......@@ -28,6 +28,7 @@ protected function defaultDisplayOptions() {
// Add permission-based access control.
$display_options['access']['type'] = 'perm';
$display_options['access']['options']['perm'] = 'access content';
// Remove the default fields, since we are customizing them here.
unset($display_options['fields']);
......
......@@ -9,7 +9,6 @@
use Drupal\Component\Utility\Unicode;
use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\Core\Language\Language;
use Drupal\language\Entity\ConfigurableLanguage;
use Drupal\user\Entity\Role;
use Drupal\views\Views;
......@@ -156,6 +155,16 @@ public function testTaxonomyTermView() {
// We only want to check the no. of conditions in the query.
unset($condition['#conjunction']);
$this->assertEqual(1, count($condition));
// Clear permissions for anonymous users to check access for default views.
Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
// Test the default views disclose no data by default.
$this->drupalLogout();
$this->drupalGet('taxonomy/term/' . $term->id());
$this->assertResponse(403);
$this->drupalGet('taxonomy/term/' . $term->id() . '/feed');
$this->assertResponse(403);
}
}
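Review bot: The two 403 assertions after `revokePermission('access content')` pass for any reason the anonymous request is refused, since the visible lines never show the same anonymous request succeeding while the permission is still held. Moving `$this->drupalLogout();` above the revoke and adding `$this->drupalGet('taxonomy/term/' . $term->id());` and `$this->assertResponse(200);` before it would tie the denial to the permission; this assumes anonymous holds `access content` at that point, as the revoke implies. The same applies to the `glossary` and `archive` checks added to testDefaultViews further down. testTaxonomyTermView starts before this hunk, so an earlier anonymous check may already exist there.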
......@@ -8,6 +8,7 @@
namespace Drupal\views_ui\Tests;
use Drupal\Core\Url;
use Drupal\user\Entity\Role;
/**
* Tests enabling, disabling, and reverting default views via the listing page.
......@@ -66,6 +67,8 @@ function testDefaultViews() {
// editing.
$this->drupalGet('admin/structure/views');
$this->assertLinkByHref('admin/structure/views/view/archive/enable');
// Enable it again so it can be tested for access permissions.
$this->clickViewsOperationLink(t('Enable'), '/archive/');
// It should now be possible to revert the view. Do that, and make sure the
// view title we added above no longer is displayed.
......@@ -108,7 +111,18 @@ function testDefaultViews() {
$this->assertUrl('admin/structure/views');
$this->assertLinkByHref($edit_href);
// Clear permissions for anonymous users to check access for default views.
Role::load(DRUPAL_ANONYMOUS_RID)->revokePermission('access content')->save();
// Test the default views disclose no data by default.
$this->drupalLogout();
$this->drupalGet('glossary');
$this->assertResponse(403);
$this->drupalGet('archive');
$this->assertResponse(403);
// Test deleting a view.
$this->drupalLogin($this->fullAdminUser);
$this->drupalGet('admin/structure/views');
$this->clickViewsOperationLink(t('Delete'), '/glossary/');
// Submit the confirmation form.
......