diff --git a/core/core.services.yml b/core/core.services.yml
index d5482e4fa1c912f2f031b836e7e1b504582340d8..22cb21e24deaca9a7f965e2bb69e10efbce5f4de 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -1576,13 +1576,24 @@ services:
tags:
- { name: service_collector, call: addAccessPolicy, tag: access_policy }
Drupal\Core\Session\AccessPolicyChainInterface: '@access_policy_processor'
+ access_policy.super_user:
+ class: Drupal\Core\Session\SuperUserAccessPolicy
+ tags:
+ - { name: access_policy }
+ Drupal\Core\Session\SuperUserAccessPolicy: '@access_policy.super_user'
+ access_policy.user_roles:
+ class: Drupal\Core\Session\UserRolesAccessPolicy
+ arguments: ['@entity_type.manager']
+ tags:
+ - { name: access_policy }
+ Drupal\Core\Session\UserRolesAccessPolicy: '@access_policy.user_roles'
permission_checker:
class: Drupal\Core\Session\PermissionChecker
- arguments: ['@entity_type.manager']
+ arguments: ['@access_policy_processor']
Drupal\Core\Session\PermissionCheckerInterface: '@permission_checker'
user_permissions_hash_generator:
class: Drupal\Core\Session\PermissionsHashGenerator
- arguments: ['@private_key', '@cache.bootstrap', '@cache.static', '@entity_type.manager']
+ arguments: ['@private_key', '@cache.static', '@access_policy_processor']
Drupal\Core\Session\PermissionsHashGeneratorInterface: '@user_permissions_hash_generator'
current_user:
class: Drupal\Core\Session\AccountProxy
diff --git a/core/lib/Drupal/Core/Cache/Context/AccountPermissionsCacheContext.php b/core/lib/Drupal/Core/Cache/Context/AccountPermissionsCacheContext.php
index c101968663c1f0b185b3f9c6608bb68143e637eb..af2766469c50048a95ed90f6b96d1a91c13ec27e 100644
--- a/core/lib/Drupal/Core/Cache/Context/AccountPermissionsCacheContext.php
+++ b/core/lib/Drupal/Core/Cache/Context/AccountPermissionsCacheContext.php
@@ -2,7 +2,6 @@
namespace Drupal\Core\Cache\Context;
-use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\PermissionsHashGeneratorInterface;
@@ -51,17 +50,7 @@ public function getContext() {
* {@inheritdoc}
*/
public function getCacheableMetadata() {
- $cacheable_metadata = new CacheableMetadata();
-
- // The permissions hash changes when:
- // - a user is updated to have different roles;
- $tags = ['user:' . $this->user->id()];
- // - a role is updated to have different permissions.
- foreach ($this->user->getRoles() as $rid) {
- $tags[] = "config:user.role.$rid";
- }
-
- return $cacheable_metadata->setCacheTags($tags);
+ return $this->permissionsHashGenerator->getCacheableMetadata($this->user);
}
}
diff --git a/core/lib/Drupal/Core/Session/PermissionChecker.php b/core/lib/Drupal/Core/Session/PermissionChecker.php
index 7c4c259efb03c624b34c388eab6dcf3bd427c57e..e46b546bc8de8ad0d08e99518cd17b37f3fa9e96 100644
--- a/core/lib/Drupal/Core/Session/PermissionChecker.php
+++ b/core/lib/Drupal/Core/Session/PermissionChecker.php
@@ -9,24 +9,19 @@
*/
class PermissionChecker implements PermissionCheckerInterface {
- /**
- * Constructs a PermissionChecker object.
- *
- * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
- * The entity type manager.
- */
- public function __construct(protected EntityTypeManagerInterface $entityTypeManager) {}
+ public function __construct(protected EntityTypeManagerInterface|AccessPolicyProcessorInterface $processor) {
+ if ($this->processor instanceof EntityTypeManagerInterface) {
+ @trigger_error('Calling ' . __METHOD__ . '() without the $processor argument is deprecated in drupal:10.3.0 and will be required in drupal:11.0.0. See https://www.drupal.org/node/3402107', E_USER_DEPRECATED);
+ $this->processor = \Drupal::service('access_policy_processor');
+ }
+ }
/**
* {@inheritdoc}
*/
public function hasPermission(string $permission, AccountInterface $account): bool {
- // User #1 has all privileges.
- if ((int) $account->id() === 1) {
- return TRUE;
- }
-
- return $this->entityTypeManager->getStorage('user_role')->isPermissionInRoles($permission, $account->getRoles());
+ $item = $this->processor->processAccessPolicies($account)->getItem();
+ return $item && $item->hasPermission($permission);
}
}
diff --git a/core/lib/Drupal/Core/Session/PermissionsHashGenerator.php b/core/lib/Drupal/Core/Session/PermissionsHashGenerator.php
index db837b7691fef532b49dd2873269934268311a7e..c15afc3ca1d74bbb3c21f52a9d4d7abd1b8a8e58 100644
--- a/core/lib/Drupal/Core/Session/PermissionsHashGenerator.php
+++ b/core/lib/Drupal/Core/Session/PermissionsHashGenerator.php
@@ -2,7 +2,7 @@
namespace Drupal\Core\Session;
-use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\PrivateKey;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheBackendInterface;
@@ -21,73 +21,83 @@ class PermissionsHashGenerator implements PermissionsHashGeneratorInterface {
protected $privateKey;
/**
- * The cache backend interface to use for the persistent cache.
+ * The cache backend interface to use for the static cache.
*
* @var \Drupal\Core\Cache\CacheBackendInterface
*/
- protected $cache;
+ protected $static;
/**
- * The cache backend interface to use for the static cache.
+ * The access policy processor.
*
- * @var \Drupal\Core\Cache\CacheBackendInterface
+ * @var \Drupal\Core\Session\AccessPolicyProcessorInterface
*/
- protected $static;
+ protected $processor;
/**
* Constructs a PermissionsHashGenerator object.
*
* @param \Drupal\Core\PrivateKey $private_key
* The private key service.
- * @param \Drupal\Core\Cache\CacheBackendInterface $cache
- * The cache backend interface to use for the persistent cache.
* @param \Drupal\Core\Cache\CacheBackendInterface $static
* The cache backend interface to use for the static cache.
- * @param \Drupal\Core\Entity\EntityTypeManagerInterface|null $entityTypeManager
- * The entity type manager.
+ * @param \Drupal\Core\Session\AccessPolicyProcessorInterface|\Drupal\Core\Cache\CacheBackendInterface $processor
+ * The access policy processor.
*/
- public function __construct(PrivateKey $private_key, CacheBackendInterface $cache, CacheBackendInterface $static, protected ?EntityTypeManagerInterface $entityTypeManager = NULL) {
+ public function __construct(PrivateKey $private_key, CacheBackendInterface $static, AccessPolicyProcessorInterface|CacheBackendInterface $processor) {
$this->privateKey = $private_key;
- $this->cache = $cache;
- $this->static = $static;
- if ($this->entityTypeManager === NULL) {
- @trigger_error('Calling ' . __METHOD__ . '() without the $entityTypeManager argument is deprecated in drupal:10.1.0 and will be required in drupal:11.0.0. See https://www.drupal.org/node/3348138', E_USER_DEPRECATED);
- $this->entityTypeManager = \Drupal::entityTypeManager();
+ if ($processor instanceof CacheBackendInterface) {
+ @trigger_error('Calling ' . __METHOD__ . '() without the $processor argument is deprecated in drupal:10.3.0 and will be required in drupal:11.0.0. See https://www.drupal.org/node/3402110', E_USER_DEPRECATED);
+ $this->static = $processor;
+ $this->processor = \Drupal::service('access_policy_processor');
+ return;
}
+ $this->static = $static;
+ $this->processor = $processor;
}
/**
* {@inheritdoc}
- *
- * Cached by role, invalidated whenever permissions change.
*/
public function generate(AccountInterface $account) {
- // User 1 is the super user, and can always access all permissions. Use a
- // different, unique identifier for the hash.
- if ($account->id() == 1) {
- return $this->hash('is-super-user');
- }
+ // We can use a simple per-user static cache here because we already cache
+ // the permissions more efficiently in the access policy processor. On top
+ // of that, there is only a tiny chance of a hash being generated for more
+ // than one account during a single request.
+ $cid = 'permissions_hash_' . $account->id();
- $sorted_roles = $account->getRoles();
- sort($sorted_roles);
- $role_list = implode(',', $sorted_roles);
- $cid = "user_permissions_hash:$role_list";
+ // Retrieve the hash from the static cache if available.
if ($static_cache = $this->static->get($cid)) {
return $static_cache->data;
}
+
+ // Otherwise hash the permissions and store them in the static cache.
+ $calculated_permissions = $this->processor->processAccessPolicies($account);
+ $item = $calculated_permissions->getItem();
+
+ // This should never happen, but in case nothing defined permissions for the
+ // current user, even if empty, we need to have _some_ hash too.
+ if ($item === FALSE) {
+ $hash = 'no-access-policies';
+ }
+ // If the calculated permissions item grants admin rights, we can simplify
+ // the entry by setting it to 'is-admin' rather than calculating an actual
+ // hash. This is because admin flagged calculated permissions
+ // automatically empty out the permissions array.
+ elseif ($item->isAdmin()) {
+ $hash = 'is-admin';
+ }
+ // Sort the permissions by name to ensure we don't get mismatching hashes
+ // for people with the same permissions, just because the order of the
+ // permissions happened to differ.
else {
- $tags = Cache::buildTags('config:user.role', $sorted_roles, '.');
- if ($cache = $this->cache->get($cid)) {
- $permissions_hash = $cache->data;
- }
- else {
- $permissions_hash = $this->doGenerate($sorted_roles);
- $this->cache->set($cid, $permissions_hash, Cache::PERMANENT, $tags);
- }
- $this->static->set($cid, $permissions_hash, Cache::PERMANENT, $tags);
+ $permissions = $item->getPermissions();
+ sort($permissions);
+ $hash = $this->hash(serialize($permissions));
}
- return $permissions_hash;
+ $this->static->set($cid, $hash, Cache::PERMANENT, $calculated_permissions->getCacheTags());
+ return $hash;
}
/**
@@ -98,21 +108,22 @@ public function generate(AccountInterface $account) {
*
* @return string
* The permissions hash.
+ *
+ * @deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. There is no
+ * replacement.
+ *
+ * @see https://www.drupal.org/node/3435842
*/
protected function doGenerate(array $roles) {
- $permissions_by_role = [];
- /** @var \Drupal\user\RoleInterface[] $entities */
- $entities = $this->entityTypeManager->getStorage('user_role')->loadMultiple($roles);
- foreach ($roles as $role) {
- // Note that for admin roles (\Drupal\user\RoleInterface::isAdmin()), the
- // permissions returned will be empty ($permissions = []). Therefore the
- // presence of the role ID as a key in $permissions_by_role is essential
- // to ensure that the hash correctly recognizes admin roles. (If the hash
- // was based solely on the union of $permissions, the admin roles would
- // effectively be no-ops, allowing for hash collisions.)
- $permissions_by_role[$role] = isset($entities[$role]) ? $entities[$role]->getPermissions() : [];
- }
- return $this->hash(serialize($permissions_by_role));
+ @trigger_error(__METHOD__ . '() is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. There is no replacement. See https://www.drupal.org/node/3435842', E_USER_DEPRECATED);
+ return '';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getCacheableMetadata(AccountInterface $account): CacheableMetadata {
+ return CacheableMetadata::createFromObject($this->processor->processAccessPolicies($account));
}
/**
diff --git a/core/lib/Drupal/Core/Session/PermissionsHashGeneratorInterface.php b/core/lib/Drupal/Core/Session/PermissionsHashGeneratorInterface.php
index 46d957804edea24e165d6a7fc5a479a953f86188..c89f4256173b7ca605dbfd2800855bad9ae2df03 100644
--- a/core/lib/Drupal/Core/Session/PermissionsHashGeneratorInterface.php
+++ b/core/lib/Drupal/Core/Session/PermissionsHashGeneratorInterface.php
@@ -2,6 +2,8 @@
namespace Drupal\Core\Session;
+use Drupal\Core\Cache\CacheableMetadata;
+
/**
* Defines the user permissions hash generator interface.
*/
@@ -18,4 +20,15 @@ interface PermissionsHashGeneratorInterface {
*/
public function generate(AccountInterface $account);
+ /**
+ * Gets the cacheability metadata for the generated hash.
+ *
+ * @param \Drupal\Core\Session\AccountInterface $account
+ * The user account for which to get the permissions hash.
+ *
+ * @return \Drupal\Core\Cache\CacheableMetadata
+ * A cacheable metadata object.
+ */
+ public function getCacheableMetadata(AccountInterface $account): CacheableMetadata;
+
}
diff --git a/core/lib/Drupal/Core/Session/SuperUserAccessPolicy.php b/core/lib/Drupal/Core/Session/SuperUserAccessPolicy.php
new file mode 100644
index 0000000000000000000000000000000000000000..6c37d9db020c552e6914dae00fb43e242c18ea30
--- /dev/null
+++ b/core/lib/Drupal/Core/Session/SuperUserAccessPolicy.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Core\Session;
+
+/**
+ * Grants user 1 an all access pass.
+ */
+class SuperUserAccessPolicy extends AccessPolicyBase {
+
+ /**
+ * {@inheritdoc}
+ */
+ public function calculatePermissions(AccountInterface $account, string $scope): RefinableCalculatedPermissionsInterface {
+ $calculated_permissions = parent::calculatePermissions($account, $scope);
+
+ if (((int) $account->id()) !== 1) {
+ return $calculated_permissions;
+ }
+
+ return $calculated_permissions->addItem(new CalculatedPermissionsItem([], TRUE));
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getPersistentCacheContexts(): array {
+ return ['user.is_super_user'];
+ }
+
+}
diff --git a/core/lib/Drupal/Core/Session/UserRolesAccessPolicy.php b/core/lib/Drupal/Core/Session/UserRolesAccessPolicy.php
new file mode 100644
index 0000000000000000000000000000000000000000..1b2d985211e84f8d269e925622be94cad48b6388
--- /dev/null
+++ b/core/lib/Drupal/Core/Session/UserRolesAccessPolicy.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Core\Session;
+
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+
+/**
+ * Grants permissions based on a user's roles.
+ */
+class UserRolesAccessPolicy extends AccessPolicyBase {
+
+ public function __construct(protected EntityTypeManagerInterface $entityTypeManager) {}
+
+ /**
+ * {@inheritdoc}
+ */
+ public function calculatePermissions(AccountInterface $account, string $scope): RefinableCalculatedPermissionsInterface {
+ $calculated_permissions = parent::calculatePermissions($account, $scope);
+
+ /** @var \Drupal\user\RoleInterface[] $user_roles */
+ $user_roles = $this->entityTypeManager->getStorage('user_role')->loadMultiple($account->getRoles());
+
+ foreach ($user_roles as $user_role) {
+ $calculated_permissions
+ ->addItem(new CalculatedPermissionsItem($user_role->getPermissions(), $user_role->isAdmin()))
+ ->addCacheableDependency($user_role);
+ }
+
+ return $calculated_permissions;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getPersistentCacheContexts(): array {
+ return ['user.roles'];
+ }
+
+}
diff --git a/core/profiles/demo_umami/tests/src/FunctionalJavascript/OpenTelemetryAuthenticatedPerformanceTest.php b/core/profiles/demo_umami/tests/src/FunctionalJavascript/OpenTelemetryAuthenticatedPerformanceTest.php
index cd50c3b118846975814627f30d7a036039d8274d..55252faff7582ea37efc4b8aa631506f86a35cb1 100644
--- a/core/profiles/demo_umami/tests/src/FunctionalJavascript/OpenTelemetryAuthenticatedPerformanceTest.php
+++ b/core/profiles/demo_umami/tests/src/FunctionalJavascript/OpenTelemetryAuthenticatedPerformanceTest.php
@@ -42,6 +42,7 @@ public function testFrontPageAuthenticatedWarmCache(): void {
'SELECT "roles_target_id" FROM "user__roles" WHERE "entity_id" = "10"',
'SELECT "config"."name" AS "name" FROM "config" "config" WHERE ("collection" = "") AND ("name" LIKE "language.entity.%" ESCAPE ' . "'\\\\'" . ') ORDER BY "collection" ASC, "name" ASC',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "twig_extension_hash_prefix" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "asset.css_js_query_string" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "drupal.test_wait_terminate" ) AND "collection" = "state"',
@@ -49,8 +50,8 @@ public function testFrontPageAuthenticatedWarmCache(): void {
];
$recorded_queries = $performance_data->getQueries();
$this->assertSame($expected_queries, $recorded_queries);
- $this->assertSame(9, $performance_data->getQueryCount());
- $this->assertSame(45, $performance_data->getCacheGetCount());
+ $this->assertSame(10, $performance_data->getQueryCount());
+ $this->assertSame(44, $performance_data->getCacheGetCount());
$this->assertSame(0, $performance_data->getCacheSetCount());
$this->assertSame(0, $performance_data->getCacheDeleteCount());
$this->assertSame(0, $performance_data->getCacheTagChecksumCount());
diff --git a/core/profiles/standard/tests/src/FunctionalJavascript/StandardPerformanceTest.php b/core/profiles/standard/tests/src/FunctionalJavascript/StandardPerformanceTest.php
index af52184ecc38ef5a1679eb3aee4e3700c99aa9a8..4ad67fee30b685d0ae04bfb205e28ff718eb2d20 100644
--- a/core/profiles/standard/tests/src/FunctionalJavascript/StandardPerformanceTest.php
+++ b/core/profiles/standard/tests/src/FunctionalJavascript/StandardPerformanceTest.php
@@ -59,6 +59,7 @@ public function testAnonymous() {
'SELECT "base_table"."id" AS "id", "base_table"."path" AS "path", "base_table"."alias" AS "alias", "base_table"."langcode" AS "langcode" FROM "path_alias" "base_table" WHERE ("base_table"."status" = 1) AND ("base_table"."alias" LIKE "/node" ESCAPE ' . "'\\\\'" . ') AND ("base_table"."langcode" IN ("en", "und")) ORDER BY "base_table"."langcode" ASC, "base_table"."id" DESC',
'SELECT "name", "route", "fit" FROM "router" WHERE "pattern_outline" IN ( "/node" ) AND "number_parts" >= 1',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "views.view_route_names" ) AND "collection" = "state"',
'SELECT COUNT(*) AS "expression" FROM (SELECT 1 AS "expression" FROM "node_field_data" "node_field_data" WHERE ("node_field_data"."promote" = 1) AND ("node_field_data"."status" = 1)) "subquery"',
'SELECT "node_field_data"."sticky" AS "node_field_data_sticky", "node_field_data"."created" AS "node_field_data_created", "node_field_data"."nid" AS "nid" FROM "node_field_data" "node_field_data" WHERE ("node_field_data"."promote" = 1) AND ("node_field_data"."status" = 1) ORDER BY "node_field_data_sticky" DESC, "node_field_data_created" DESC LIMIT 10 OFFSET 0',
@@ -94,12 +95,12 @@ public function testAnonymous() {
];
$recorded_queries = $performance_data->getQueries();
$this->assertSame($expected_queries, $recorded_queries);
- $this->assertSame(35, $performance_data->getQueryCount());
- $this->assertSame(137, $performance_data->getCacheGetCount());
+ $this->assertSame(36, $performance_data->getQueryCount());
+ $this->assertSame(136, $performance_data->getCacheGetCount());
$this->assertSame(47, $performance_data->getCacheSetCount());
$this->assertSame(0, $performance_data->getCacheDeleteCount());
- $this->assertCountBetween(40, 43, $performance_data->getCacheTagChecksumCount());
- $this->assertCountBetween(47, 50, $performance_data->getCacheTagIsValidCount());
+ $this->assertCountBetween(39, 42, $performance_data->getCacheTagChecksumCount());
+ $this->assertCountBetween(45, 48, $performance_data->getCacheTagIsValidCount());
$this->assertSame(0, $performance_data->getCacheTagInvalidationCount());
// Test node page.
@@ -112,6 +113,7 @@ public function testAnonymous() {
'SELECT "base_table"."id" AS "id", "base_table"."path" AS "path", "base_table"."alias" AS "alias", "base_table"."langcode" AS "langcode" FROM "path_alias" "base_table" WHERE ("base_table"."status" = 1) AND ("base_table"."alias" LIKE "/node/1" ESCAPE ' . "'\\\\'" . ') AND ("base_table"."langcode" IN ("en", "und")) ORDER BY "base_table"."langcode" ASC, "base_table"."id" DESC',
'SELECT "name", "route", "fit" FROM "router" WHERE "pattern_outline" IN ( "/node/1", "/node/%", "/node" ) AND "number_parts" >= 2',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "data" FROM "config" WHERE "collection" = "" AND "name" IN ( "core.entity_view_display.node.article.full" )',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "twig_extension_hash_prefix" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "theme:stark" ) AND "collection" = "config.entity.key_store.block"',
@@ -125,12 +127,12 @@ public function testAnonymous() {
];
$recorded_queries = $performance_data->getQueries();
$this->assertSame($expected_queries, $recorded_queries);
- $this->assertSame(13, $performance_data->getQueryCount());
- $this->assertSame(95, $performance_data->getCacheGetCount());
+ $this->assertSame(14, $performance_data->getQueryCount());
+ $this->assertSame(94, $performance_data->getCacheGetCount());
$this->assertSame(16, $performance_data->getCacheSetCount());
$this->assertSame(0, $performance_data->getCacheDeleteCount());
- $this->assertCountBetween(24, 25, $performance_data->getCacheTagChecksumCount());
- $this->assertCountBetween(41, 42, $performance_data->getCacheTagIsValidCount());
+ $this->assertCountBetween(23, 24, $performance_data->getCacheTagChecksumCount());
+ $this->assertCountBetween(40, 41, $performance_data->getCacheTagIsValidCount());
$this->assertSame(0, $performance_data->getCacheTagInvalidationCount());
// Test user profile page.
@@ -149,6 +151,7 @@ public function testAnonymous() {
'SELECT "t".* FROM "user__roles" "t" WHERE ("entity_id" IN (2)) AND ("deleted" = 0) AND ("langcode" IN ("en", "und", "zxx")) ORDER BY "delta" ASC',
'SELECT "t".* FROM "user__user_picture" "t" WHERE ("entity_id" IN (2)) AND ("deleted" = 0) AND ("langcode" IN ("en", "und", "zxx")) ORDER BY "delta" ASC',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "data" FROM "config" WHERE "collection" = "" AND "name" IN ( "core.entity_view_display.user.user.full" )',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "twig_extension_hash_prefix" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "theme:stark" ) AND "collection" = "config.entity.key_store.block"',
@@ -161,12 +164,12 @@ public function testAnonymous() {
];
$recorded_queries = $performance_data->getQueries();
$this->assertSame($expected_queries, $recorded_queries);
- $this->assertSame(17, $performance_data->getQueryCount());
- $this->assertSame(81, $performance_data->getCacheGetCount());
+ $this->assertSame(18, $performance_data->getQueryCount());
+ $this->assertSame(80, $performance_data->getCacheGetCount());
$this->assertSame(16, $performance_data->getCacheSetCount());
$this->assertSame(0, $performance_data->getCacheDeleteCount());
- $this->assertCountBetween(24, 25, $performance_data->getCacheTagChecksumCount());
- $this->assertCountBetween(36, 37, $performance_data->getCacheTagIsValidCount());
+ $this->assertCountBetween(23, 24, $performance_data->getCacheTagChecksumCount());
+ $this->assertCountBetween(34, 35, $performance_data->getCacheTagIsValidCount());
$this->assertSame(0, $performance_data->getCacheTagInvalidationCount());
}
@@ -214,6 +217,7 @@ public function testLogin(): void {
'SELECT "t".* FROM "user__roles" "t" WHERE ("entity_id" IN (2)) AND ("deleted" = 0) AND ("langcode" IN ("en", "und", "zxx")) ORDER BY "delta" ASC',
'SELECT "t".* FROM "user__user_picture" "t" WHERE ("entity_id" IN (2)) AND ("deleted" = 0) AND ("langcode" IN ("en", "und", "zxx")) ORDER BY "delta" ASC',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "twig_extension_hash_prefix" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "asset.css_js_query_string" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "drupal.test_wait_terminate" ) AND "collection" = "state"',
@@ -221,12 +225,12 @@ public function testLogin(): void {
];
$recorded_queries = $performance_data->getQueries();
$this->assertSame($expected_queries, $recorded_queries);
- $this->assertSame(25, $performance_data->getQueryCount());
- $this->assertSame(64, $performance_data->getCacheGetCount());
+ $this->assertSame(26, $performance_data->getQueryCount());
+ $this->assertSame(63, $performance_data->getCacheGetCount());
$this->assertSame(1, $performance_data->getCacheSetCount());
$this->assertSame(1, $performance_data->getCacheDeleteCount());
$this->assertSame(1, $performance_data->getCacheTagChecksumCount());
- $this->assertSame(28, $performance_data->getCacheTagIsValidCount());
+ $this->assertSame(29, $performance_data->getCacheTagIsValidCount());
$this->assertSame(0, $performance_data->getCacheTagInvalidationCount());
}
@@ -257,6 +261,7 @@ public function testLoginBlock(): void {
$expected_queries = [
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "views.view_route_names" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "twig_extension_hash_prefix" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "theme:stark" ) AND "collection" = "config.entity.key_store.block"',
@@ -281,6 +286,7 @@ public function testLoginBlock(): void {
'SELECT * FROM "users_field_data" "u" WHERE "u"."uid" = "2" AND "u"."default_langcode" = 1',
'SELECT "roles_target_id" FROM "user__roles" WHERE "entity_id" = "2"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.maintenance_mode" ) AND "collection" = "state"',
+ 'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "system.private_key" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "twig_extension_hash_prefix" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "asset.css_js_query_string" ) AND "collection" = "state"',
'SELECT "name", "value" FROM "key_value" WHERE "name" IN ( "drupal.test_wait_terminate" ) AND "collection" = "state"',
@@ -288,8 +294,8 @@ public function testLoginBlock(): void {
];
$recorded_queries = $performance_data->getQueries();
$this->assertSame($expected_queries, $recorded_queries);
- $this->assertSame(29, $performance_data->getQueryCount());
- $this->assertSame(108, $performance_data->getCacheGetCount());
+ $this->assertSame(31, $performance_data->getQueryCount());
+ $this->assertSame(106, $performance_data->getCacheGetCount());
$this->assertSame(1, $performance_data->getCacheSetCount());
$this->assertSame(1, $performance_data->getCacheDeleteCount());
$this->assertSame(1, $performance_data->getCacheTagChecksumCount());
diff --git a/core/tests/Drupal/KernelTests/Core/Render/RenderCacheTest.php b/core/tests/Drupal/KernelTests/Core/Render/RenderCacheTest.php
index 919c18be6b8551b1cefa0b549f7de20bd3a464c1..67a755379241e199805669e29bf628650ce8ba60 100644
--- a/core/tests/Drupal/KernelTests/Core/Render/RenderCacheTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Render/RenderCacheTest.php
@@ -70,16 +70,16 @@ protected function doTestUser1WithContexts($contexts) {
],
];
$element = $test_element;
- $element['#markup'] = 'content for user 1';
+ $element['#markup'] = 'content for admin users';
$output = \Drupal::service('renderer')->renderRoot($element);
- $this->assertEquals('content for user 1', $output);
+ $this->assertEquals('content for admin users', $output);
// Verify the cache is working by rendering the same element but with
// different markup passed in; the result should be the same.
$element = $test_element;
$element['#markup'] = 'should not be used';
$output = \Drupal::service('renderer')->renderRoot($element);
- $this->assertEquals('content for user 1', $output);
+ $this->assertEquals('content for admin users', $output);
\Drupal::service('account_switcher')->switchBack();
// Verify that the first authenticated user does not see the same content
@@ -100,13 +100,14 @@ protected function doTestUser1WithContexts($contexts) {
$this->assertEquals('content for authenticated users', $output);
\Drupal::service('account_switcher')->switchBack();
- // Verify that the admin user (who has an admin role without explicit
- // permissions) does not share the same cache.
+ // The admin user should have the same cache as user 1, as the admin role
+ // has the same permissions hash.
\Drupal::service('account_switcher')->switchTo($admin_user);
$element = $test_element;
- $element['#markup'] = 'content for admin user';
+ $element['#markup'] = 'content that is role specific';
$output = \Drupal::service('renderer')->renderRoot($element);
- $this->assertEquals('content for admin user', $output);
+ $expected = in_array('user.roles', $contexts, TRUE) ? 'content that is role specific' : 'content for admin users';
+ $this->assertEquals($expected, $output);
\Drupal::service('account_switcher')->switchBack();
}
diff --git a/core/tests/Drupal/KernelTests/Core/Session/UserRolesPermissionsTest.php b/core/tests/Drupal/KernelTests/Core/Session/UserRolesPermissionsTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..284e47bbad4d1897be1d56745b9d062d9569046d
--- /dev/null
+++ b/core/tests/Drupal/KernelTests/Core/Session/UserRolesPermissionsTest.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace Drupal\KernelTests\Core\Session;
+
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+
+/**
+ * Test case for getting permissions from user roles.
+ *
+ * @group Session
+ */
+class UserRolesPermissionsTest extends KernelTestBase {
+
+ use UserCreationTrait;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected static $modules = ['system', 'user'];
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void {
+ parent::setUp();
+ $this->installEntitySchema('user');
+ }
+
+ /**
+ * Tests that assigning a role grants that role's permissions.
+ */
+ public function testPermissionChange(): void {
+ // Create two accounts to avoid dealing with user 1.
+ $this->createUser();
+ $account = $this->createUser();
+
+ $this->assertFalse($account->hasPermission('administer modules'));
+ $account->addRole($this->createRole(['administer modules']))->save();
+ $this->assertTrue($account->hasPermission('administer modules'));
+ }
+
+}
diff --git a/core/tests/Drupal/Tests/Core/Session/PermissionCheckerTest.php b/core/tests/Drupal/Tests/Core/Session/PermissionCheckerTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..2e5189f4f1f78cb817421d2a5286d13d3ab892b6
--- /dev/null
+++ b/core/tests/Drupal/Tests/Core/Session/PermissionCheckerTest.php
@@ -0,0 +1,110 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\Core\Session;
+
+use Drupal\Core\Session\AccessPolicyProcessorInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Session\CalculatedPermissions;
+use Drupal\Core\Session\CalculatedPermissionsItem;
+use Drupal\Core\Session\PermissionChecker;
+use Drupal\Core\Session\RefinableCalculatedPermissions;
+use Drupal\Tests\UnitTestCase;
+
+/**
+ * @coversDefaultClass \Drupal\Core\Session\PermissionChecker
+ * @group Session
+ */
+class PermissionCheckerTest extends UnitTestCase {
+
+ /**
+ * The permission checker to run tests on.
+ *
+ * @var \Drupal\Core\Session\PermissionChecker
+ */
+ protected $checker;
+
+ /**
+ * The mocked access policy processor.
+ *
+ * @var \Drupal\Core\Session\AccessPolicyProcessorInterface|\Prophecy\Prophecy\ObjectProphecy
+ */
+ protected $processor;
+
+ /**
+ * The mocked account to use for testing.
+ *
+ * @var \Drupal\Core\Session\AccountInterface
+ */
+ protected $account;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void {
+ parent::setUp();
+ $this->processor = $this->prophesize(AccessPolicyProcessorInterface::class);
+ $this->checker = new PermissionChecker($this->processor->reveal());
+ $this->account = $this->prophesize(AccountInterface::class)->reveal();
+ }
+
+ /**
+ * Tests the hasPermission method under normal circumstances.
+ */
+ public function testHasPermission(): void {
+ $calculated_permissions = new CalculatedPermissions(
+ (new RefinableCalculatedPermissions())->addItem(
+ new CalculatedPermissionsItem(['foo'])
+ )
+ );
+ $this->processor->processAccessPolicies($this->account)->willReturn($calculated_permissions);
+ $this->assertTrue($this->checker->hasPermission('foo', $this->account));
+ $this->assertFalse($this->checker->hasPermission('bar', $this->account));
+ }
+
+ /**
+ * Tests the hasPermission method when no policy added something.
+ */
+ public function testHasPermissionEmpty(): void {
+ $calculated_permissions = new CalculatedPermissions(new RefinableCalculatedPermissions());
+ $this->processor->processAccessPolicies($this->account)->willReturn($calculated_permissions);
+ $this->assertFalse($this->checker->hasPermission('foo', $this->account));
+ $this->assertFalse($this->checker->hasPermission('bar', $this->account));
+ }
+
+ /**
+ * Tests the hasPermission method when mixed scopes and identifiers exist.
+ */
+ public function testHasPermissionMixed(): void {
+ $calculated_permissions = new CalculatedPermissions(
+ (new RefinableCalculatedPermissions())->addItem(
+ new CalculatedPermissionsItem(['foo'])
+ )->addItem(
+ new CalculatedPermissionsItem(['bar'], identifier: 'other-identifier')
+ )->addItem(
+ new CalculatedPermissionsItem(['baz'], FALSE, 'other-scope', 'other-identifier')
+ )
+ );
+ $this->processor->processAccessPolicies($this->account)->willReturn($calculated_permissions);
+ $this->assertTrue($this->checker->hasPermission('foo', $this->account));
+ $this->assertFalse($this->checker->hasPermission('bar', $this->account));
+ $this->assertFalse($this->checker->hasPermission('baz', $this->account));
+ }
+
+ /**
+ * Tests the hasPermission method with only contrib scopes and identifiers.
+ */
+ public function testHasPermissionOnlyContrib(): void {
+ $calculated_permissions = new CalculatedPermissions(
+ (new RefinableCalculatedPermissions())->addItem(
+ new CalculatedPermissionsItem(['baz'], FALSE, 'other-scope', 'other-identifier')
+ )
+ );
+ $this->processor->processAccessPolicies($this->account)->willReturn($calculated_permissions);
+ $this->assertFalse($this->checker->hasPermission('foo', $this->account));
+ $this->assertFalse($this->checker->hasPermission('bar', $this->account));
+ $this->assertFalse($this->checker->hasPermission('baz', $this->account));
+ }
+
+}
diff --git a/core/tests/Drupal/Tests/Core/Session/PermissionsHashGeneratorTest.php b/core/tests/Drupal/Tests/Core/Session/PermissionsHashGeneratorTest.php
index 79c191f59252b1b9194e9aa9f306c97fa3498f7c..067472b3b05f13652b4ebcbf2176e32a00d8b27f 100644
--- a/core/tests/Drupal/Tests/Core/Session/PermissionsHashGeneratorTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/PermissionsHashGeneratorTest.php
@@ -5,11 +5,18 @@
namespace Drupal\Tests\Core\Session;
use Drupal\Component\Utility\Crypt;
-use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Cache\Cache;
+use Drupal\Core\Cache\CacheBackendInterface;
+use Drupal\Core\PrivateKey;
+use Drupal\Core\Session\AccessPolicyProcessorInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Session\CalculatedPermissions;
+use Drupal\Core\Session\CalculatedPermissionsItem;
use Drupal\Core\Session\PermissionsHashGenerator;
+use Drupal\Core\Session\RefinableCalculatedPermissions;
use Drupal\Core\Site\Settings;
use Drupal\Tests\UnitTestCase;
-use Drupal\user\RoleStorageInterface;
+use Prophecy\Argument;
/**
* @coversDefaultClass \Drupal\Core\Session\PermissionsHashGenerator
@@ -18,53 +25,32 @@
class PermissionsHashGeneratorTest extends UnitTestCase {
/**
- * The mocked super user account.
+ * The mocked user 1 account.
*
- * @var \Drupal\user\UserInterface|\PHPUnit\Framework\MockObject\MockObject
+ * @var \Drupal\Core\Session\AccountInterface
*/
protected $account1;
/**
- * A mocked account.
+ * The mocked user 2 account.
*
- * @var \Drupal\user\UserInterface|\PHPUnit\Framework\MockObject\MockObject
+ * @var \Drupal\Core\Session\AccountInterface
*/
protected $account2;
- /**
- * An "updated" mocked account.
- *
- * @var \Drupal\user\UserInterface|\PHPUnit\Framework\MockObject\MockObject
- */
- protected $account2Updated;
-
- /**
- * A different account.
- *
- * @var \Drupal\user\UserInterface|\PHPUnit\Framework\MockObject\MockObject
- */
- protected $account3;
-
- /**
- * The mocked private key service.
- *
- * @var \Drupal\Core\PrivateKey|\PHPUnit\Framework\MockObject\MockObject
- */
- protected $privateKey;
-
/**
* The mocked cache backend.
*
- * @var \Drupal\Core\Cache\CacheBackendInterface|\PHPUnit\Framework\MockObject\MockObject
+ * @var \Drupal\Core\Cache\CacheBackendInterface|\Prophecy\Prophecy\ObjectProphecy
*/
- protected $cache;
+ protected $staticCache;
/**
- * The mocked cache backend.
+ * The mocked access policy processor.
*
- * @var \Drupal\Core\Cache\CacheBackendInterface|\PHPUnit\Framework\MockObject\MockObject
+ * @var \Drupal\Core\Session\AccessPolicyProcessorInterface|\Prophecy\Prophecy\ObjectProphecy
*/
- protected $staticCache;
+ protected $processor;
/**
* The permission hash class being tested.
@@ -81,182 +67,112 @@ protected function setUp(): void {
new Settings(['hash_salt' => 'test']);
- // The mocked super user account, with the same roles as Account 2.
- $this->account1 = $this->getMockBuilder('Drupal\user\Entity\User')
- ->disableOriginalConstructor()
- ->onlyMethods(['getRoles', 'id'])
- ->getMock();
- $this->account1->expects($this->any())
- ->method('id')
- ->willReturn(1);
- $this->account1->expects($this->never())
- ->method('getRoles');
-
- // Account 2: 'administrator' and 'authenticated' roles.
- $roles_1 = ['administrator', 'authenticated'];
- $this->account2 = $this->getMockBuilder('Drupal\user\Entity\User')
- ->disableOriginalConstructor()
- ->onlyMethods(['getRoles', 'id'])
- ->getMock();
- $this->account2->expects($this->any())
- ->method('getRoles')
- ->willReturn($roles_1);
- $this->account2->expects($this->any())
- ->method('id')
- ->willReturn(2);
+ $this->account1 = $this->prophesize(AccountInterface::class);
+ $this->account1->id()->willReturn(1);
+ $this->account1 = $this->account1->reveal();
- // Account 3: 'authenticated' and 'administrator' roles (different order).
- $roles_3 = ['authenticated', 'administrator'];
- $this->account3 = $this->getMockBuilder('Drupal\user\Entity\User')
- ->disableOriginalConstructor()
- ->onlyMethods(['getRoles', 'id'])
- ->getMock();
- $this->account3->expects($this->any())
- ->method('getRoles')
- ->willReturn($roles_3);
- $this->account3->expects($this->any())
- ->method('id')
- ->willReturn(3);
+ $this->account2 = $this->prophesize(AccountInterface::class);
+ $this->account2->id()->willReturn(2);
+ $this->account2 = $this->account2->reveal();
- // Updated account 2: now also 'editor' role.
- $roles_2_updated = ['editor', 'administrator', 'authenticated'];
- $this->account2Updated = $this->getMockBuilder('Drupal\user\Entity\User')
- ->disableOriginalConstructor()
- ->onlyMethods(['getRoles', 'id'])
- ->getMock();
- $this->account2Updated->expects($this->any())
- ->method('getRoles')
- ->willReturn($roles_2_updated);
- $this->account2Updated->expects($this->any())
- ->method('id')
- ->willReturn(2);
+ $private_key = $this->prophesize(PrivateKey::class);
+ $private_key->get()->willReturn(Crypt::randomBytesBase64(55));
- // Mocked private key + cache services.
- $random = Crypt::randomBytesBase64(55);
- $this->privateKey = $this->getMockBuilder('Drupal\Core\PrivateKey')
- ->disableOriginalConstructor()
- ->onlyMethods(['get'])
- ->getMock();
- $this->privateKey->expects($this->any())
- ->method('get')
- ->willReturn($random);
- $this->cache = $this->getMockBuilder('Drupal\Core\Cache\CacheBackendInterface')
- ->disableOriginalConstructor()
- ->getMock();
- $this->staticCache = $this->getMockBuilder('Drupal\Core\Cache\CacheBackendInterface')
- ->disableOriginalConstructor()
- ->getMock();
- $entityTypeManager = $this->getMockBuilder(EntityTypeManagerInterface::class)
- ->disableOriginalConstructor()
- ->getMock();
+ $this->staticCache = $this->prophesize(CacheBackendInterface::class);
+ $this->staticCache->get(Argument::any())->willReturn(FALSE);
+ $this->staticCache->set(Argument::cetera())->shouldBeCalled();
- $roleStorage = $this->getMockBuilder(RoleStorageInterface::class)
- ->disableOriginalConstructor()
- ->getMock();
+ $this->processor = $this->prophesize(AccessPolicyProcessorInterface::class);
- $entityTypeManager->expects($this->any())
- ->method('getStorage')
- ->with('user_role')
- ->willReturn($roleStorage);
-
- $this->permissionsHash = new PermissionsHashGenerator($this->privateKey, $this->cache, $this->staticCache, $entityTypeManager);
+ $this->permissionsHash = new PermissionsHashGenerator(
+ $private_key->reveal(),
+ $this->staticCache->reveal(),
+ $this->processor->reveal()
+ );
}
/**
+ * Tests the generate method for regular accounts.
+ *
* @covers ::generate
*/
- public function testGenerate() {
- // Ensure that the super user (user 1) always gets the same hash.
- $super_user_hash = $this->permissionsHash->generate($this->account1);
-
- // Ensure that two user accounts with the same roles generate the same hash.
+ public function testGenerateRegular() {
+ $permissions = new CalculatedPermissions(
+ (new RefinableCalculatedPermissions())->addItem(new CalculatedPermissionsItem([
+ 'permission foo',
+ 'permission bar',
+ ]))
+ );
+ $this->processor->processAccessPolicies($this->account1)->willReturn($permissions);
+ $this->processor->processAccessPolicies($this->account2)->willReturn($permissions);
+
+ // Check that two accounts with the same permissions generate the same hash.
+ $hash_1 = $this->permissionsHash->generate($this->account1);
$hash_2 = $this->permissionsHash->generate($this->account2);
- $hash_3 = $this->permissionsHash->generate($this->account3);
- $this->assertSame($hash_2, $hash_3, 'Different users with the same roles generate the same permissions hash.');
-
- $this->assertNotSame($hash_2, $super_user_hash, 'User 1 has a different hash despite having the same roles');
-
- // Compare with hash for user account 1 with an additional role.
- $updated_hash_2 = $this->permissionsHash->generate($this->account2Updated);
- $this->assertNotSame($hash_2, $updated_hash_2, 'Same user with updated roles generates different permissions hash.');
+ $this->assertSame($hash_1, $hash_2, 'Different users with the same permissions generate the same permissions hash.');
}
/**
+ * Tests the generate method for admin users.
+ *
* @covers ::generate
*/
- public function testGeneratePersistentCache() {
- // Set expectations for the mocked cache backend.
- $expected_cid = 'user_permissions_hash:administrator,authenticated';
-
- $mock_cache = new \stdClass();
- $mock_cache->data = 'test_hash_here';
+ public function testGenerateAdmin() {
+ $permissions = new CalculatedPermissions((new RefinableCalculatedPermissions())->addItem(new CalculatedPermissionsItem([], TRUE)));
+ $this->processor->processAccessPolicies($this->account1)->willReturn($permissions);
+ $this->processor->processAccessPolicies($this->account2)->willReturn($permissions);
- $this->staticCache->expects($this->once())
- ->method('get')
- ->with($expected_cid)
- ->willReturn(FALSE);
- $this->staticCache->expects($this->once())
- ->method('set')
- ->with($expected_cid, $this->isType('string'));
-
- $this->cache->expects($this->once())
- ->method('get')
- ->with($expected_cid)
- ->willReturn($mock_cache);
- $this->cache->expects($this->never())
- ->method('set');
+ // Check that two accounts with the same permissions generate the same hash.
+ $hash_1 = $this->permissionsHash->generate($this->account1);
+ $hash_2 = $this->permissionsHash->generate($this->account2);
+ $this->assertSame($hash_1, $hash_2, 'Different admins generate the same permissions hash.');
- $this->permissionsHash->generate($this->account2);
+ // Check that the generated hash is simply 'is-admin'.
+ $this->assertSame('is-admin', $hash_1, 'Admins generate the string "is-admin" as their permissions hash.');
}
/**
+ * Tests the generate method with no access policies.
+ *
* @covers ::generate
*/
- public function testGenerateStaticCache() {
- // Set expectations for the mocked cache backend.
- $expected_cid = 'user_permissions_hash:administrator,authenticated';
+ public function testGenerateNoAccessPolicies() {
+ $permissions = new CalculatedPermissions(new RefinableCalculatedPermissions());
+ $this->processor->processAccessPolicies($this->account1)->willReturn($permissions);
+ $this->processor->processAccessPolicies($this->account2)->willReturn($permissions);
- $mock_cache = new \stdClass();
- $mock_cache->data = 'test_hash_here';
-
- $this->staticCache->expects($this->once())
- ->method('get')
- ->with($expected_cid)
- ->willReturn($mock_cache);
- $this->staticCache->expects($this->never())
- ->method('set');
-
- $this->cache->expects($this->never())
- ->method('get');
- $this->cache->expects($this->never())
- ->method('set');
+ // Check that two accounts with the same permissions generate the same hash.
+ $hash_1 = $this->permissionsHash->generate($this->account1);
+ $hash_2 = $this->permissionsHash->generate($this->account2);
+ $this->assertSame($hash_1, $hash_2, 'Different accounts generate the same permissions hash when there are no policies.');
- $this->permissionsHash->generate($this->account2);
+ // Check that the generated hash is simply 'no-access-policies'.
+ $this->assertSame('no-access-policies', $hash_1, 'Accounts generate the string "is-admin" as their permissions hash when no policies are defined.');
}
/**
- * Tests the generate method with no cache returned.
+ * Tests the generate method's caching.
+ *
+ * @covers ::generate
*/
- public function testGenerateNoCache() {
- // Set expectations for the mocked cache backend.
- $expected_cid = 'user_permissions_hash:administrator,authenticated';
-
- $this->staticCache->expects($this->once())
- ->method('get')
- ->with($expected_cid)
- ->willReturn(FALSE);
- $this->staticCache->expects($this->once())
- ->method('set')
- ->with($expected_cid, $this->isType('string'));
+ public function testGenerateCache() {
+ $permissions = new CalculatedPermissions(new RefinableCalculatedPermissions());
+ $this->processor->processAccessPolicies($this->account1)->willReturn($permissions);
+ $this->processor->processAccessPolicies($this->account2)->willReturn($permissions);
+
+ // Test that set is called with the right cache ID.
+ $this->staticCache->set('permissions_hash_1', 'no-access-policies', Cache::PERMANENT, [])->shouldBeCalledOnce();
+ $this->staticCache->set('permissions_hash_2', 'no-access-policies', Cache::PERMANENT, [])->shouldBeCalledOnce();
+ $this->permissionsHash->generate($this->account1);
+ $this->permissionsHash->generate($this->account2);
- $this->cache->expects($this->once())
- ->method('get')
- ->with($expected_cid)
- ->willReturn(FALSE);
- $this->cache->expects($this->once())
- ->method('set')
- ->with($expected_cid, $this->isType('string'));
+ // Verify that ::set() isn't called more when ::get() returns something.
+ $cache_return = new \stdClass();
+ $cache_return->data = 'no-access-policies';
+ $this->staticCache->get('permissions_hash_1')->willReturn($cache_return);
+ $this->staticCache->get('permissions_hash_2')->willReturn($cache_return);
+ $this->permissionsHash->generate($this->account1);
$this->permissionsHash->generate($this->account2);
}
diff --git a/core/tests/Drupal/Tests/Core/Session/SuperUserAccessPolicyTest.php b/core/tests/Drupal/Tests/Core/Session/SuperUserAccessPolicyTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..13b7feec432da3cdbb948ada7d3e6166bb52a09d
--- /dev/null
+++ b/core/tests/Drupal/Tests/Core/Session/SuperUserAccessPolicyTest.php
@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\Core\Session;
+
+use Drupal\Core\Cache\Cache;
+use Drupal\Core\Cache\Context\CacheContextsManager;
+use Drupal\Core\Session\AccessPolicyInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Session\CalculatedPermissionsItem;
+use Drupal\Core\Session\RefinableCalculatedPermissions;
+use Drupal\Core\Session\SuperUserAccessPolicy;
+use Drupal\Tests\UnitTestCase;
+use Prophecy\Argument;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+/**
+ * @coversDefaultClass \Drupal\Core\Session\SuperUserAccessPolicy
+ * @group Session
+ */
+class SuperUserAccessPolicyTest extends UnitTestCase {
+
+ /**
+ * The access policy to test.
+ *
+ * @var \Drupal\Core\Session\SuperUserAccessPolicy
+ */
+ protected $accessPolicy;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void {
+ parent::setUp();
+ $this->accessPolicy = new SuperUserAccessPolicy();
+
+ $cache_context_manager = $this->prophesize(CacheContextsManager::class);
+ $cache_context_manager->assertValidTokens(Argument::any())->willReturn(TRUE);
+
+ $container = $this->prophesize(ContainerInterface::class);
+ $container->get('cache_contexts_manager')->willReturn($cache_context_manager->reveal());
+ \Drupal::setContainer($container->reveal());
+ }
+
+ /**
+ * @covers ::applies
+ */
+ public function testApplies(): void {
+ $this->assertTrue($this->accessPolicy->applies(AccessPolicyInterface::SCOPE_DRUPAL));
+ $this->assertFalse($this->accessPolicy->applies('another scope'));
+ $this->assertFalse($this->accessPolicy->applies($this->randomString()));
+ }
+
+ /**
+ * Tests the calculatePermissions method.
+ *
+ * @param int $uid
+ * The UID for the account the policy checks.
+ * @param bool $expect_admin_rights
+ * Whether to expect admin rights to be granted.
+ *
+ * @covers ::calculatePermissions
+ * @dataProvider calculatePermissionsProvider
+ */
+ public function testCalculatePermissions(int $uid, bool $expect_admin_rights): void {
+ $account = $this->prophesize(AccountInterface::class);
+ $account->id()->willReturn($uid);
+ $calculated_permissions = $this->accessPolicy->calculatePermissions($account->reveal(), AccessPolicyInterface::SCOPE_DRUPAL);
+
+ if ($expect_admin_rights) {
+ $this->assertCount(1, $calculated_permissions->getItems(), 'Only one calculated permissions item was added.');
+ $item = $calculated_permissions->getItem();
+ $this->assertSame([], $item->getPermissions());
+ $this->assertTrue($item->isAdmin());
+ }
+
+ $this->assertSame([], $calculated_permissions->getCacheTags());
+ $this->assertSame(['user.is_super_user'], $calculated_permissions->getCacheContexts());
+ $this->assertSame(Cache::PERMANENT, $calculated_permissions->getCacheMaxAge());
+ }
+
+ /**
+ * Data provider for testCalculatePermissions.
+ *
+ * @return array
+ * A list of test scenarios.
+ */
+ public function calculatePermissionsProvider(): array {
+ $cases['is-super-user'] = [1, TRUE];
+ $cases['is-normal-user'] = [2, FALSE];
+ return $cases;
+ }
+
+ /**
+ * Tests the alterPermissions method.
+ *
+ * @param int $uid
+ * The UID for the account the policy checks.
+ *
+ * @covers ::alterPermissions
+ * @dataProvider alterPermissionsProvider
+ */
+ public function testAlterPermissions(int $uid): void {
+ $account = $this->prophesize(AccountInterface::class);
+ $account->id()->willReturn($uid);
+
+ $calculated_permissions = new RefinableCalculatedPermissions();
+ $calculated_permissions->addItem(new CalculatedPermissionsItem(['foo']));
+ $calculated_permissions->addCacheTags(['bar']);
+ $calculated_permissions->addCacheContexts(['baz']);
+
+ $this->accessPolicy->alterPermissions($account->reveal(), AccessPolicyInterface::SCOPE_DRUPAL, $calculated_permissions);
+ $this->assertSame(['foo'], $calculated_permissions->getItem()->getPermissions());
+ $this->assertSame(['bar'], $calculated_permissions->getCacheTags());
+ $this->assertSame(['baz'], $calculated_permissions->getCacheContexts());
+ }
+
+ /**
+ * Data provider for testAlterPermissions.
+ *
+ * @return array
+ * A list of test scenarios.
+ */
+ public function alterPermissionsProvider(): array {
+ $cases['is-super-user'] = [1];
+ $cases['is-normal-user'] = [2];
+ return $cases;
+ }
+
+ /**
+ * Tests the getPersistentCacheContexts method.
+ *
+ * @covers ::getPersistentCacheContexts
+ */
+ public function testGetPersistentCacheContexts(): void {
+ $this->assertSame(['user.is_super_user'], $this->accessPolicy->getPersistentCacheContexts(AccessPolicyInterface::SCOPE_DRUPAL));
+ }
+
+}
diff --git a/core/tests/Drupal/Tests/Core/Session/UserRolesAccessPolicyTest.php b/core/tests/Drupal/Tests/Core/Session/UserRolesAccessPolicyTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..dc7613a9b2b9cd4e30f679822997c9cfea11d0b8
--- /dev/null
+++ b/core/tests/Drupal/Tests/Core/Session/UserRolesAccessPolicyTest.php
@@ -0,0 +1,189 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\Core\Session;
+
+use Drupal\Core\Cache\Cache;
+use Drupal\Core\Cache\Context\CacheContextsManager;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Session\AccessPolicyInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Session\CalculatedPermissionsItem;
+use Drupal\Core\Session\RefinableCalculatedPermissions;
+use Drupal\Core\Session\UserRolesAccessPolicy;
+use Drupal\Tests\UnitTestCase;
+use Drupal\user\RoleInterface;
+use Drupal\user\RoleStorageInterface;
+use Prophecy\Argument;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+/**
+ * @coversDefaultClass \Drupal\Core\Session\UserRolesAccessPolicy
+ * @group Session
+ */
+class UserRolesAccessPolicyTest extends UnitTestCase {
+
+ /**
+ * The access policy to test.
+ *
+ * @var \Drupal\Core\Session\UserRolesAccessPolicy
+ */
+ protected $accessPolicy;
+
+ /**
+ * The mocked entity type manager service.
+ *
+ * @var \Drupal\Core\Entity\EntityTypeManagerInterface|\Prophecy\Prophecy\ObjectProphecy
+ */
+ protected $entityTypeManager;
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void {
+ parent::setUp();
+
+ $this->entityTypeManager = $this->prophesize(EntityTypeManagerInterface::class);
+ $this->accessPolicy = new UserRolesAccessPolicy($this->entityTypeManager->reveal());
+
+ $cache_context_manager = $this->prophesize(CacheContextsManager::class);
+ $cache_context_manager->assertValidTokens(Argument::any())->willReturn(TRUE);
+
+ $container = $this->prophesize(ContainerInterface::class);
+ $container->get('cache_contexts_manager')->willReturn($cache_context_manager->reveal());
+ \Drupal::setContainer($container->reveal());
+ }
+
+ /**
+ * @covers ::applies
+ */
+ public function testApplies(): void {
+ $this->assertTrue($this->accessPolicy->applies(AccessPolicyInterface::SCOPE_DRUPAL));
+ $this->assertFalse($this->accessPolicy->applies('another scope'));
+ $this->assertFalse($this->accessPolicy->applies($this->randomString()));
+ }
+
+ /**
+ * Tests the calculatePermissions method.
+ *
+ * @param array $roles
+ * The roles to grant the account.
+ * @param bool $expect_admin_rights
+ * Whether to expect admin rights to be granted.
+ *
+ * @covers ::calculatePermissions
+ * @dataProvider calculatePermissionsProvider
+ */
+ public function testCalculatePermissions(array $roles, bool $expect_admin_rights): void {
+ $account = $this->prophesize(AccountInterface::class);
+ $account->getRoles()->willReturn(array_keys($roles));
+
+ $total_permissions = $cache_tags = $mocked_roles = [];
+ foreach ($roles as $role_id => $role) {
+ $total_permissions = array_merge($total_permissions, $role['permissions']);
+ $cache_tags[] = "config:user.role.$role_id";
+
+ $mocked_role = $this->prophesize(RoleInterface::class);
+ $mocked_role->getPermissions()->willReturn($role['permissions']);
+ $mocked_role->isAdmin()->willReturn($role['is_admin']);
+ $mocked_role->getCacheTags()->willReturn(["config:user.role.$role_id"]);
+ $mocked_role->getCacheContexts()->willReturn([]);
+ $mocked_role->getCacheMaxAge()->willReturn(Cache::PERMANENT);
+ $mocked_roles[$role_id] = $mocked_role->reveal();
+ }
+
+ $role_storage = $this->prophesize(RoleStorageInterface::class);
+ $role_storage->loadMultiple(array_keys($roles))->willReturn($mocked_roles);
+ $this->entityTypeManager->getStorage('user_role')->willReturn($role_storage->reveal());
+
+ $calculated_permissions = $this->accessPolicy->calculatePermissions($account->reveal(), AccessPolicyInterface::SCOPE_DRUPAL);
+
+ if (!empty($roles)) {
+ $this->assertCount(1, $calculated_permissions->getItems(), 'Only one calculated permissions item was added.');
+ $item = $calculated_permissions->getItem();
+
+ if ($expect_admin_rights) {
+ $this->assertSame([], $item->getPermissions());
+ $this->assertTrue($item->isAdmin());
+ }
+ else {
+ $this->assertSame($total_permissions, $item->getPermissions());
+ $this->assertFalse($item->isAdmin());
+ }
+ }
+
+ $this->assertSame($cache_tags, $calculated_permissions->getCacheTags());
+ $this->assertSame(['user.roles'], $calculated_permissions->getCacheContexts());
+ $this->assertSame(Cache::PERMANENT, $calculated_permissions->getCacheMaxAge());
+ }
+
+ /**
+ * Data provider for testCalculatePermissions.
+ *
+ * @return array
+ * A list of test scenarios.
+ */
+ public function calculatePermissionsProvider(): array {
+ $cases['no-roles'] = [
+ 'roles' => [],
+ 'has-admin' => FALSE,
+ ];
+ $cases['some-roles'] = [
+ 'roles' => [
+ 'role_foo' => [
+ 'permissions' => ['foo'],
+ 'is_admin' => FALSE,
+ ],
+ 'role_bar' => [
+ 'permissions' => ['bar'],
+ 'is_admin' => FALSE,
+ ],
+ ],
+ 'has-admin' => FALSE,
+ ];
+ $cases['admin-role'] = [
+ 'roles' => [
+ 'role_foo' => [
+ 'permissions' => ['foo'],
+ 'is_admin' => FALSE,
+ ],
+ 'role_bar' => [
+ 'permissions' => ['bar'],
+ 'is_admin' => TRUE,
+ ],
+ ],
+ 'has-admin' => TRUE,
+ ];
+ return $cases;
+ }
+
+ /**
+ * Tests the alterPermissions method.
+ *
+ * @covers ::alterPermissions
+ */
+ public function testAlterPermissions(): void {
+ $account = $this->prophesize(AccountInterface::class);
+
+ $calculated_permissions = new RefinableCalculatedPermissions();
+ $calculated_permissions->addItem(new CalculatedPermissionsItem(['foo']));
+ $calculated_permissions->addCacheTags(['bar']);
+ $calculated_permissions->addCacheContexts(['baz']);
+
+ $this->accessPolicy->alterPermissions($account->reveal(), AccessPolicyInterface::SCOPE_DRUPAL, $calculated_permissions);
+ $this->assertSame(['foo'], $calculated_permissions->getItem()->getPermissions());
+ $this->assertSame(['bar'], $calculated_permissions->getCacheTags());
+ $this->assertSame(['baz'], $calculated_permissions->getCacheContexts());
+ }
+
+ /**
+ * Tests the getPersistentCacheContexts method.
+ *
+ * @covers ::getPersistentCacheContexts
+ */
+ public function testGetPersistentCacheContexts(): void {
+ $this->assertSame(['user.roles'], $this->accessPolicy->getPersistentCacheContexts(AccessPolicyInterface::SCOPE_DRUPAL));
+ }
+
+}
diff --git a/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php b/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
index ef01736b764a68aa1a9db0d164cba03036195026..77599733d4a3ea0d0c698a8fe81090978d315a25 100644
--- a/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
@@ -4,10 +4,7 @@
namespace Drupal\Tests\Core\Session;
-use Drupal\Component\Datetime\Time;
-use Drupal\Core\Cache\MemoryCache\MemoryCache;
use Drupal\Core\DependencyInjection\ContainerBuilder;
-use Drupal\Core\Session\PermissionChecker;
use Drupal\Core\Session\UserSession;
use Drupal\Tests\UnitTestCase;
use Drupal\user\Entity\User;
@@ -19,27 +16,6 @@
*/
class UserSessionTest extends UnitTestCase {
- /**
- * The user sessions used in the test.
- *
- * @var \Drupal\Core\Session\AccountInterface[]
- */
- protected $users = [];
-
- /**
- * Provides test data for getHasPermission().
- *
- * @return array
- */
- public static function providerTestHasPermission() {
- $data = [];
- $data[] = ['example permission', ['user_one', 'user_two'], ['user_last']];
- $data[] = ['another example permission', ['user_two'], ['user_one', 'user_last']];
- $data[] = ['final example permission', [], ['user_one', 'user_two', 'user_last']];
-
- return $data;
- }
-
/**
* Setups a user session for the test.
*
@@ -57,104 +33,23 @@ protected function createUserSession(array $rids = [], $authenticated = FALSE) {
}
/**
- * {@inheritdoc}
+ * Tests the has permission method.
+ *
+ * @see \Drupal\Core\Session\UserSession::hasPermission()
*/
- protected function setUp(): void {
- parent::setUp();
+ public function testHasPermission(): void {
+ $user = $this->createUserSession();
- $roles = [];
- $roles['role_one'] = $this->getMockBuilder('Drupal\user\Entity\Role')
- ->disableOriginalConstructor()
- ->onlyMethods(['hasPermission'])
- ->getMock();
- $roles['role_one']->expects($this->any())
- ->method('hasPermission')
- ->willReturnMap([
- ['example permission', TRUE],
- ['another example permission', FALSE],
- ['last example permission', FALSE],
- ]);
+ $permission_checker = $this->prophesize('Drupal\Core\Session\PermissionCheckerInterface');
+ $permission_checker->hasPermission('example permission', $user)->willReturn(TRUE);
+ $permission_checker->hasPermission('another example permission', $user)->willReturn(FALSE);
- $roles['role_two'] = $this->getMockBuilder('Drupal\user\Entity\Role')
- ->disableOriginalConstructor()
- ->onlyMethods(['hasPermission'])
- ->getMock();
- $roles['role_two']->expects($this->any())
- ->method('hasPermission')
- ->willReturnMap([
- ['example permission', TRUE],
- ['another example permission', TRUE],
- ['last example permission', FALSE],
- ]);
-
- $roles['anonymous'] = $this->getMockBuilder('Drupal\user\Entity\Role')
- ->disableOriginalConstructor()
- ->onlyMethods(['hasPermission'])
- ->getMock();
- $roles['anonymous']->expects($this->any())
- ->method('hasPermission')
- ->willReturnMap([
- ['example permission', FALSE],
- ['another example permission', FALSE],
- ['last example permission', FALSE],
- ]);
-
- $role_storage = $this->getMockBuilder('Drupal\user\RoleStorage')
- ->setConstructorArgs(['role', new MemoryCache(new Time())])
- ->disableOriginalConstructor()
- ->onlyMethods(['loadMultiple'])
- ->getMock();
- $role_storage->expects($this->any())
- ->method('loadMultiple')
- ->willReturnMap([
- [[], []],
- [NULL, $roles],
- [['anonymous'], [$roles['anonymous']]],
- [['anonymous', 'role_one'], [$roles['role_one']]],
- [['anonymous', 'role_two'], [$roles['role_two']]],
- [
- ['anonymous', 'role_one', 'role_two'],
- [$roles['role_one'], $roles['role_two']],
- ],
- ]);
-
- $entity_type_manager = $this->createMock('Drupal\Core\Entity\EntityTypeManagerInterface');
- $entity_type_manager->expects($this->any())
- ->method('getStorage')
- ->with($this->equalTo('user_role'))
- ->willReturn($role_storage);
$container = new ContainerBuilder();
- $container->set('entity_type.manager', $entity_type_manager);
- $container->set('permission_checker', new PermissionChecker($entity_type_manager));
+ $container->set('permission_checker', $permission_checker->reveal());
\Drupal::setContainer($container);
- $this->users['user_one'] = $this->createUserSession(['role_one']);
- $this->users['user_two'] = $this->createUserSession(['role_one', 'role_two']);
- $this->users['user_three'] = $this->createUserSession(['role_two'], TRUE);
- $this->users['user_last'] = $this->createUserSession();
- }
-
- /**
- * Tests the has permission method.
- *
- * @param string $permission
- * The permission to check.
- * @param \Drupal\Core\Session\AccountInterface[] $sessions_with_access
- * The users with access.
- * @param \Drupal\Core\Session\AccountInterface[] $sessions_without_access
- * The users without access.
- *
- * @dataProvider providerTestHasPermission
- *
- * @see \Drupal\Core\Session\UserSession::hasPermission()
- */
- public function testHasPermission($permission, array $sessions_with_access, array $sessions_without_access) {
- foreach ($sessions_with_access as $name) {
- $this->assertTrue($this->users[$name]->hasPermission($permission));
- }
- foreach ($sessions_without_access as $name) {
- $this->assertFalse($this->users[$name]->hasPermission($permission));
- }
+ $this->assertTrue($user->hasPermission('example permission'));
+ $this->assertFalse($user->hasPermission('another example permission'));
}
/**
@@ -164,8 +59,9 @@ public function testHasPermission($permission, array $sessions_with_access, arra
* @todo Move roles constants to a class/interface
*/
public function testUserGetRoles() {
- $this->assertEquals([RoleInterface::AUTHENTICATED_ID, 'role_two'], $this->users['user_three']->getRoles());
- $this->assertEquals(['role_two'], $this->users['user_three']->getRoles(TRUE));
+ $user = $this->createUserSession(['role_two'], TRUE);
+ $this->assertEquals([RoleInterface::AUTHENTICATED_ID, 'role_two'], $user->getRoles());
+ $this->assertEquals(['role_two'], $user->getRoles(TRUE));
}
/**
@@ -174,11 +70,16 @@ public function testUserGetRoles() {
* @covers ::hasRole
*/
public function testHasRole() {
- $this->assertTrue($this->users['user_one']->hasRole('role_one'));
- $this->assertFalse($this->users['user_two']->hasRole('no role'));
- $this->assertTrue($this->users['user_three']->hasRole(RoleInterface::AUTHENTICATED_ID));
- $this->assertFalse($this->users['user_three']->hasRole(RoleInterface::ANONYMOUS_ID));
- $this->assertTrue($this->users['user_last']->hasRole(RoleInterface::ANONYMOUS_ID));
+ $user1 = $this->createUserSession(['role_one']);
+ $user2 = $this->createUserSession(['role_one', 'role_two']);
+ $user3 = $this->createUserSession(['role_two'], TRUE);
+ $user4 = $this->createUserSession();
+
+ $this->assertTrue($user1->hasRole('role_one'));
+ $this->assertFalse($user2->hasRole('no role'));
+ $this->assertTrue($user3->hasRole(RoleInterface::AUTHENTICATED_ID));
+ $this->assertFalse($user3->hasRole(RoleInterface::ANONYMOUS_ID));
+ $this->assertTrue($user4->hasRole(RoleInterface::ANONYMOUS_ID));
}
/**