Verified Commit 1002797d authored by Alex Pott's avatar Alex Pott
Browse files

Issue #2953111 by quietone, yogeshmpawar, ravi.shankar, benjifisher, alexpott,... 

Issue #2953111 by quietone, yogeshmpawar, ravi.shankar, benjifisher, alexpott, mikelutz, catch, andypost, larowlan, danflanagan8: Only migrate role permissions that exist on the destination

(cherry picked from commit 247bd31e)
parent 4a67a410

core/modules/user/migrations/d6_user_role.yml

+7 −5
Original line number Diff line number Diff line
@@ -35,13 +35,15 @@ process: 
    - plugin: node_update_7008

    - plugin: flatten

    - plugin: filter_format_permission

  # A special flag so we can migrate permissions that do not exist yet.

  # @todo Remove in https://www.drupal.org/project/drupal/issues/2953111.

  skip_missing_permission_deprecation:

    plugin: default_value

    default_value: true

destination:

  plugin: entity:user_role

migration_dependencies:

  required:

    - d6_filter_format

  optional:

    - block_content_type

    - contact_category

    - d6_comment_type

    - d6_node_type

    - d6_taxonomy_vocabulary

    - d6_taxonomy_vocabulary_translation

core/modules/user/migrations/d7_user_role.yml

+7 −5
Original line number Diff line number Diff line
@@ -33,13 +33,15 @@ process: 
        'edit own forum topics': 'edit own forum content'

    - plugin: flatten

  weight: weight

  # A special flag so we can migrate permissions that do not exist yet.

  # @todo Remove in https://www.drupal.org/project/drupal/issues/2953111.

  skip_missing_permission_deprecation:

    plugin: default_value

    default_value: true

destination:

  plugin: entity:user_role

migration_dependencies:

  optional:

    - block_content_type

    - contact_category

    - d7_comment_type

    - d7_filter_format

    - d7_node_type

    - d7_shortcut_set

    - d7_taxonomy_vocabulary

    - d7_taxonomy_vocabulary_translation

core/modules/user/src/Entity/Role.php

+1 −1
Original line number Diff line number Diff line
@@ -202,7 +202,7 @@ public function calculateDependencies() { 
    $permission_definitions = \Drupal::service('user.permissions')->getPermissions();

    $valid_permissions = array_intersect($this->permissions, array_keys($permission_definitions));

    $invalid_permissions = array_diff($this->permissions, $valid_permissions);

    if (!empty($invalid_permissions) && !$this->get('skip_missing_permission_deprecation')) {

    if (!empty($invalid_permissions)) {

      throw new \RuntimeException('Adding non-existent permissions to a role is not allowed. The incorrect permissions are "' . implode('", "', $invalid_permissions) . '".');

    }

    foreach ($valid_permissions as $permission) {

core/modules/user/src/Plugin/migrate/destination/EntityUserRole.php

0 → 100644
+95 −0
Original line number Diff line number Diff line 
<?php



namespace Drupal\user\Plugin\migrate\destination;



use Drupal\Core\Config\ConfigFactoryInterface;

use Drupal\Core\Entity\EntityStorageInterface;

use Drupal\Core\Language\LanguageManagerInterface;

use Drupal\migrate\Plugin\migrate\destination\EntityConfigBase;

use Drupal\migrate\Plugin\MigrationInterface;

use Drupal\migrate\Row;

use Symfony\Component\DependencyInjection\ContainerInterface;



/**

 * Provides a destination plugin for migrating user role entities.

 *

 * @MigrateDestination(

 *   id = "entity:user_role"

 * )

 */

class EntityUserRole extends EntityConfigBase {



  /**

   * All permissions on the destination site.

   *

   * @var string[]

   */

  protected $destinationPermissions = [];



  /**

   * Builds a user role entity destination.

   *

   * @param array $configuration

   *   A configuration array containing information about the plugin instance.

   * @param string $plugin_id

   *   The plugin_id for the plugin instance.

   * @param mixed $plugin_definition

   *   The plugin implementation definition.

   * @param \Drupal\migrate\Plugin\MigrationInterface $migration

   *   The migration.

   * @param \Drupal\Core\Entity\EntityStorageInterface $storage

   *   The storage for this entity type.

   * @param array $bundles

   *   The list of bundles this entity type has.

   * @param \Drupal\Core\Language\LanguageManagerInterface $language_manager

   *   The language manager.

   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory

   *   The configuration factory.

   * @param array $destination_permissions

   *   All available permissions.

   */

  public function __construct(array $configuration, $plugin_id, $plugin_definition, MigrationInterface $migration, EntityStorageInterface $storage, array $bundles, LanguageManagerInterface $language_manager, ConfigFactoryInterface $config_factory, array $destination_permissions) {

    parent::__construct($configuration, $plugin_id, $plugin_definition, $migration, $storage, $bundles, $language_manager, $config_factory);

    $this->destinationPermissions = $destination_permissions;

  }



  /**

   * {@inheritdoc}

   */

  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition, MigrationInterface $migration = NULL) {

    $entity_type_id = static::getEntityTypeId($plugin_id);

    return new static(

      $configuration,

      $plugin_id,

      $plugin_definition,

      $migration,

      $container->get('entity_type.manager')->getStorage($entity_type_id),

      array_keys($container->get('entity_type.bundle.info')->getBundleInfo($entity_type_id)),

      $container->get('language_manager'),

      $container->get('config.factory'),

      array_keys($container->get('user.permissions')->getPermissions()),

    );

  }



  /**

   * {@inheritdoc}

   */

  public function import(Row $row, array $old_destination_id_values = []): array|bool {

    $permissions = $row->getDestinationProperty('permissions') ?? [];



    // Get permissions that do not exist on the destination.

    $invalid_permissions = array_diff($permissions, $this->destinationPermissions);

    if ($invalid_permissions) {

      sort($invalid_permissions);

      // Log the message in the migration message table.

      $message = "Permission(s) '" . implode("', '", $invalid_permissions) . "' not found.";

      $this->migration->getIdMap()

        ->saveMessage($row->getSourceIdValues(), $message, MigrationInterface::MESSAGE_WARNING);

    }



    $valid_permissions = array_intersect($permissions, $this->destinationPermissions);

    $row->setDestinationProperty('permissions', $valid_permissions);

    return parent::import($row, $old_destination_id_values);

  }



}

core/modules/user/tests/src/Functional/Update/UserUpdateRoleMigrateTest.php

0 → 100644
+65 −0
Original line number Diff line number Diff line 
<?php



namespace Drupal\Tests\user\Functional\Update;



use Drupal\FunctionalTests\Update\UpdatePathTestBase;

use Drupal\user\Entity\Role;



/**

 * Tests user_post_update_update_roles_followup() upgrade path.

 *

 * @group Update

 * @group legacy

 */

class UserUpdateRoleMigrateTest extends UpdatePathTestBase {



  /**

   * {@inheritdoc}

   */

  protected function setDatabaseDumpFiles() {

    $this->databaseDumpFiles = [

      __DIR__ . '/../../../../../system/tests/fixtures/update/drupal-9.4.0.bare.standard.php.gz',

    ];

  }



  /**

   * Tests that roles have only existing permissions.

   */

  public function testRolePermissions() {

    /** @var \Drupal\Core\Database\Connection $connection */

    $connection = \Drupal::service('database');



    // Edit the authenticated role to have a non-existent permission.

    $authenticated = $connection->select('config')

      ->fields('config', ['data'])

      ->condition('collection', '')

      ->condition('name', 'user.role.authenticated')

      ->execute()

      ->fetchField();

    $authenticated = unserialize($authenticated);

    $authenticated['permissions'][] = 'does_not_exist';

    $connection->update('config')

      ->fields([

        'data' => serialize($authenticated),

      ])

      ->condition('collection', '')

      ->condition('name', 'user.role.authenticated')

      ->execute();



    $authenticated = Role::load('authenticated');

    $this->assertTrue($authenticated->hasPermission('does_not_exist'), 'Authenticated role has a permission that does not exist');



    $this->runUpdates();



    $this->assertSession()->pageTextContains('The role Authenticated user has had non-existent permissions removed. Check the logs for details.');



    $authenticated = Role::load('authenticated');

    $this->assertFalse($authenticated->hasPermission('does_not_exist'), 'Authenticated role does not have a permission that does not exist');



    $this->drupalLogin($this->createUser(['access site reports']));

    $this->drupalGet('admin/reports/dblog', ['query' => ['type[]' => 'update']]);

    $this->clickLink('The role Authenticated user has had the following non-…');

    $this->assertSession()->pageTextContains('The role Authenticated user has had the following non-existent permission(s) removed: does_not_exist.');

  }



}