From a9f3b75195359d51b82862103a7145219aa01c79 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Fri, 1 Mar 2024 13:02:32 +0000
Subject: [PATCH] Issue #3410098 by andypost, shalini_jha, Akhil Babu, Liam
 Morland, kristiaanvandeneynde, smustgrave, alexpott: Deprecate passing
 non-strings to UserSession::hasPermission() and User::hasPermission()

---
 .../lib/Drupal/Core/Session/AccountInterface.php |  2 +-
 core/lib/Drupal/Core/Session/UserSession.php     |  6 +++++-
 core/modules/user/src/Entity/User.php            |  6 +++++-
 .../Tests/Core/Session/UserSessionTest.php       | 16 ++++++++++++++++
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/core/lib/Drupal/Core/Session/AccountInterface.php b/core/lib/Drupal/Core/Session/AccountInterface.php
index 6fdd60356a08..d6d10d79a9fd 100644
--- a/core/lib/Drupal/Core/Session/AccountInterface.php
+++ b/core/lib/Drupal/Core/Session/AccountInterface.php
@@ -50,7 +50,7 @@ public function getRoles($exclude_locked_roles = FALSE);
    * @return bool
    *   TRUE if the user has the permission, FALSE otherwise.
    */
-  public function hasPermission($permission);
+  public function hasPermission(/* string */$permission);
 
   /**
    * Returns TRUE if the account is authenticated.
diff --git a/core/lib/Drupal/Core/Session/UserSession.php b/core/lib/Drupal/Core/Session/UserSession.php
index 10ae41e5de26..91787c0ba1cd 100644
--- a/core/lib/Drupal/Core/Session/UserSession.php
+++ b/core/lib/Drupal/Core/Session/UserSession.php
@@ -119,7 +119,11 @@ public function hasRole(string $rid): bool {
   /**
    * {@inheritdoc}
    */
-  public function hasPermission($permission) {
+  public function hasPermission(/* string */$permission) {
+    if (!is_string($permission)) {
+      @trigger_error('Calling ' . __METHOD__ . '() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485', E_USER_DEPRECATED);
+      return FALSE;
+    }
     return \Drupal::service('permission_checker')->hasPermission($permission, $this);
   }
 
diff --git a/core/modules/user/src/Entity/User.php b/core/modules/user/src/Entity/User.php
index 2af4c9b846d0..f03b4d14e4a4 100644
--- a/core/modules/user/src/Entity/User.php
+++ b/core/modules/user/src/Entity/User.php
@@ -224,7 +224,11 @@ public function removeRole($rid) {
   /**
    * {@inheritdoc}
    */
-  public function hasPermission($permission) {
+  public function hasPermission(/* string */$permission) {
+    if (!is_string($permission)) {
+      @trigger_error('Calling ' . __METHOD__ . '() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485', E_USER_DEPRECATED);
+      return FALSE;
+    }
     return \Drupal::service('permission_checker')->hasPermission($permission, $this);
   }
 
diff --git a/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php b/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
index b55cc05393ad..ef01736b764a 100644
--- a/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/UserSessionTest.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Session\PermissionChecker;
 use Drupal\Core\Session\UserSession;
 use Drupal\Tests\UnitTestCase;
+use Drupal\user\Entity\User;
 use Drupal\user\RoleInterface;
 
 /**
@@ -180,4 +181,19 @@ public function testHasRole() {
     $this->assertTrue($this->users['user_last']->hasRole(RoleInterface::ANONYMOUS_ID));
   }
 
+  /**
+   * Tests deprecation when permission is not a string.
+   *
+   * @covers ::hasPermission
+   * @group legacy
+   */
+  public function testHasPermissionLegacy() {
+    $this->expectDeprecation('Calling Drupal\Core\Session\UserSession::hasPermission() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485');
+    $this->assertFalse((new UserSession())->hasPermission(NULL));
+    $this->expectDeprecation('Calling Drupal\user\Entity\User::hasPermission() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485');
+    $reflection = new \ReflectionClass(User::class);
+    $user = $reflection->newInstanceWithoutConstructor();
+    $this->assertFalse($user->hasPermission(NULL));
+  }
+
 }
-- 
GitLab