Issue #2932154 by jhedstrom: ModerationInformation::getLatestRevisionId...

Issue #2932154 by jhedstrom: ModerationInformation::getLatestRevisionId returns access-specific results

Issue #2932154 by jhedstrom: ModerationInformation::getLatestRevisionId...
f3b60eda · Lee Rowlands · e145f2a5 · f3b60eda · f3b60eda · f3b60eda
Verified Commit f3b60eda authored 7 years ago by Lee Rowlands
--- a/core/modules/content_moderation/src/ModerationInformation.php
+++ b/core/modules/content_moderation/src/ModerationInformation.php
@@ -87,6 +87,9 @@ public function getLatestRevisionId($entity_type_id, $entity_id) {
      $result = $storage->getQuery()
        ->latestRevision()
        ->condition($this->entityTypeManager->getDefinition($entity_type_id)->getKey('id'), $entity_id)
+        // No access check is performed here since this is an API function and
+        // should return the same ID regardless of the current user.
+        ->accessCheck(FALSE)
        ->execute();
      if ($result) {
        return key($result);
@@ -102,6 +105,9 @@ public function getDefaultRevisionId($entity_type_id, $entity_id) {
      $result = $storage->getQuery()
        ->currentRevision()
        ->condition($this->entityTypeManager->getDefinition($entity_type_id)->getKey('id'), $entity_id)
+        // No access check is performed here since this is an API function and
+        // should return the same ID regardless of the current user.
+        ->accessCheck(FALSE)
        ->execute();
      if ($result) {
        return key($result);

--- a/core/modules/content_moderation/tests/src/Functional/NodeAccessTest.php
+++ b/core/modules/content_moderation/tests/src/Functional/NodeAccessTest.php
@@ -2,6 +2,8 @@

 namespace Drupal\Tests\content_moderation\Functional;

+use Drupal\node\Entity\NodeType;
+
 /**
 * Tests permission access control around nodes.
 *
@@ -19,7 +21,7 @@ class NodeAccessTest extends ModerationStateTestBase {
    'block',
    'block_content',
    'node',
-    'node_access_test_empty',
+    'node_access_test',
  ];

  /**
@@ -49,6 +51,9 @@ protected function setUp() {
    $this->createContentTypeFromUi('Moderated content', 'moderated_content', FALSE);
    $this->grantUserPermissionToCreateContentOfType($this->adminUser, 'moderated_content');

+    // Add the private field to the node type.
+    node_access_test_add_field(NodeType::load('moderated_content'));
+
    // Rebuild permissions because hook_node_grants() is implemented by the
    // node_access_test_empty module.
    node_access_rebuild();
@@ -58,6 +63,10 @@ protected function setUp() {
   * Verifies that a non-admin user can still access the appropriate pages.
   */
  public function testPageAccess() {
+    // Initially disable access grant records in
+    // node_access_test_node_access_records().
+    \Drupal::state()->set('node_access_test.private', TRUE);
+
    $this->drupalLogin($this->adminUser);

    // Access the node form before moderation is enabled, the publication state
@@ -149,6 +158,30 @@ public function testPageAccess() {
    $this->assertResponse(403);
    $this->drupalGet($view_path);
    $this->assertResponse(200);
+
+    // Now create a private node that the user is not granted access to by the
+    // node grants, but is granted access via hook_node_access().
+    // @see node_access_test_node_access
+    $node = $this->createNode([
+      'type' => 'moderated_content',
+      'private' => TRUE,
+      'uid' => $this->adminUser->id(),
+    ]);
+    $user = $this->createUser([
+      'use editorial transition publish',
+    ]);
+    $this->drupalLogin($user);
+
+    // Grant access to the node via node_access_test_node_access().
+    \Drupal::state()->set('node_access_test.allow_uid', $user->id());
+
+    $this->drupalGet($node->toUrl());
+    $this->assertResponse(200);
+
+    // Verify the moderation form is in place by publishing the node.
+    $this->drupalPostForm(NULL, [], t('Apply'));
+    $node = \Drupal::entityTypeManager()->getStorage('node')->loadUnchanged($node->id());
+    $this->assertEquals('published', $node->moderation_state->value);
  }

 }
--- a/core/modules/content_moderation/tests/src/Kernel/NodeAccessTest.php
+++ b/core/modules/content_moderation/tests/src/Kernel/NodeAccessTest.php
+<?php
+
+namespace Drupal\Tests\content_moderation\Kernel;
+
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\node\Traits\NodeCreationTrait;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+use Drupal\workflows\Entity\Workflow;
+
+/**
+ * Tests with node access enabled.
+ *
+ * @group content_moderation
+ */
+class NodeAccessTest extends KernelTestBase {
+
+  use NodeCreationTrait;
+  use UserCreationTrait;
+
+  /**
+   * The moderation information service.
+   *
+   * @var \Drupal\content_moderation\ModerationInformationInterface
+   */
+  protected $moderationInformation;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = [
+    'content_moderation',
+    'filter',
+    'node',
+    'node_access_test',
+    'system',
+    'user',
+    'workflows',
+  ];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    $this->installEntitySchema('content_moderation_state');
+    $this->installEntitySchema('node');
+    $this->installEntitySchema('user');
+    $this->installEntitySchema('workflow');
+    $this->installConfig(['content_moderation', 'filter']);
+    $this->installSchema('system', ['sequences']);
+    $this->installSchema('node', ['node_access']);
+
+    // Add a moderated node type.
+    $node_type = NodeType::create([
+      'type' => 'page',
+      'label' => 'Page',
+    ]);
+    $node_type->save();
+    $workflow = Workflow::load('editorial');
+    $workflow->getTypePlugin()->addEntityTypeAndBundle('node', 'page');
+    $workflow->save();
+
+    $this->moderationInformation = \Drupal::service('content_moderation.moderation_information');
+  }
+
+  /**
+   * Tests for moderation information methods with node access.
+   */
+  public function testModerationInformation() {
+    // Create an admin user.
+    $user = $this->createUser([], NULL, TRUE);
+    \Drupal::currentUser()->setAccount($user);
+
+    // Create a node.
+    $node = $this->createNode(['type' => 'page']);
+    $this->assertEquals($node->getRevisionId(), $this->moderationInformation->getDefaultRevisionId('node', $node->id()));
+    $this->assertEquals($node->getRevisionId(), $this->moderationInformation->getLatestRevisionId('node', $node->id()));
+
+    // Create a non-admin user.
+    $user = $this->createUser();
+    \Drupal::currentUser()->setAccount($user);
+    $this->assertEquals($node->getRevisionId(), $this->moderationInformation->getDefaultRevisionId('node', $node->id()));
+    $this->assertEquals($node->getRevisionId(), $this->moderationInformation->getLatestRevisionId('node', $node->id()));
+  }
+
+}
--- a/core/modules/node/tests/modules/node_access_test/node_access_test.module
+++ b/core/modules/node/tests/modules/node_access_test/node_access_test.module
@@ -152,6 +152,12 @@ function node_access_test_node_access(NodeInterface $node, $op, AccountInterface
    // Make all Catalan content secret.
    return AccessResult::forbidden()->setCacheMaxAge(0);
  }
+
+  // Grant access if a specific user is specified.
+  if (\Drupal::state()->get('node_access_test.allow_uid') === $account->id()) {
+    return AccessResult::allowed();
+  }
+
  // No opinion.
  return AccessResult::neutral()->setCacheMaxAge(0);
 }