Commit 20a76f00 authored by alexpott's avatar alexpott

Issue #687588 by tsphethean, mirie, Cottser, porchlight, cyborg_572, rgoodine,...

Issue #687588 by tsphethean, mirie, Cottser, porchlight, cyborg_572, rgoodine, adci_contributor, joshi.rohit100: Remove access check from submit() in UserCancelForm
parent 28e9d3ea
......@@ -110,6 +110,13 @@ public function buildForm(array $form, FormStateInterface $form_state) {
// Always provide entity id in the same form key as in the entity edit form.
$form['uid'] = array('#type' => 'value', '#value' => $this->entity->id());
// Store the user permissions so that it can be altered in hook_form_alter()
// if desired.
$form['access'] = array(
'#type' => 'value',
'#value' => $user->hasPermission('administer users'),
);
$form = parent::buildForm($form, $form_state);
return $form;
......@@ -122,7 +129,7 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
// Cancel account immediately, if the current user has administrative
// privileges, no confirmation mail shall be sent, and the user does not
// attempt to cancel the own account.
if ($this->currentUser()->hasPermission('administer users') && $form_state->isValueEmpty('user_cancel_confirm') && $this->entity->id() != $this->currentUser()->id()) {
if (!$form_state->isValueEmpty('access') && $form_state->isValueEmpty('user_cancel_confirm') && $this->entity->id() != $this->currentUser()->id()) {
user_cancel($form_state->getValues(), $this->entity->id(), $form_state->getValue('user_cancel_method'));
$form_state->setRedirectUrl($this->entity->urlInfo('collection'));
......
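Review bot: In submitForm() the immediate-cancel branch now relies on `!$form_state->isValueEmpty('access')` alone, so the only authorization for cancelling another account without a confirmation mail is a form value that any hook_form_alter() implementation can set. The comment added in buildForm() should say so, for example `// Security-sensitive: a non-empty value lets the submitter cancel other accounts immediately, without a confirmation mail.` The value is computed when the form is built; if a cached copy of the form can be submitted later (not visible in these hunks), a permission revoked in between would presumably still pass. Both function bodies extend beyond the hunks shown here.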
......@@ -64,6 +64,27 @@ function testUserCancelWithoutPermission() {
$this->assertTrue(($test_node->getOwnerId() == $account->id() && $test_node->isPublished()), 'Node of the user has not been altered.');
}
/**
* Test ability to change the permission for canceling users.
*/
public function testUserCancelChangePermission() {
\Drupal::service('module_installer')->install(array('user_form_test'));
$this->config('user.settings')->set('cancel_method', 'user_cancel_reassign')->save();
// Create a regular user.
$account = $this->drupalCreateUser(array());
$admin_user = $this->drupalCreateUser(array('cancel other accounts'));
$this->drupalLogin($admin_user);
// Delete regular user.
$this->drupalPostForm('user_form_test_cancel/' . $account->id(), array(), t('Cancel account'));
// Confirm deletion.
$this->assertRaw(t('%name has been deleted.', array('%name' => $account->getUsername())), 'User deleted.');
$this->assertFalse(user_load($account->id()), 'User is not found in the database.');
}
/**
* Tests that user account for uid 1 cannot be cancelled.
*
......
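Review bot: testUserCancelChangePermission() exercises only the granted path, so nothing pins what happens to a user who lacks 'cancel other accounts' now that the permission check has moved out of submitForm(). A second case should log in a user created with `$this->drupalCreateUser(array())`, request `'user_form_test_cancel/' . $account->id()`, and assert the denial with `$this->assertResponse(403);` plus a check that the target account still loads. It would also help to assert that no confirmation mail was queued on the granted path, since skipping that mail is what the `access` value controls.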
<?php
/**
* @file
* Support module for user form testing.
*/
/**
* Implements hook_form_FORM_ID_alter() for user_cancel_form().
*/
function user_form_test_form_user_cancel_form_alter(&$form, &$form_state) {
$form['user_cancel_confirm']['#default_value'] = FALSE;
$form['access']['#value'] = \Drupal::currentUser()->hasPermission('cancel other accounts');
}
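Review bot: The alter hook overwrites `$form['access']['#value']` unconditionally and forces `user_cancel_confirm` to FALSE, so while this module is enabled 'cancel other accounts' becomes the sole gate for immediate cancellation wherever the cancel form is built, not only on the test route. The docblock should state that this is a test fixture which deliberately replaces the access gate and switches off the confirmation step. The second parameter could also be type-hinted as in the form methods of this commit, `function user_form_test_form_user_cancel_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state) {`.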
cancel other accounts:
title: 'Cancel other user accounts'
......@@ -4,3 +4,11 @@ user_form_test.current_password:
_form: '\Drupal\user_form_test\Form\TestCurrentPassword'
requirements:
_permission: 'administer users'
user_form_test.cancel:
path: '/user_form_test_cancel/{user}'
defaults:
_entity_form: 'user.cancel'
requirements:
_permission: 'cancel other accounts'
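Review bot: The new `user_form_test.cancel` route is guarded by `_permission: 'cancel other accounts'` only, so the user entity's own access handler is never consulted for the `{user}` being cancelled. If the route is meant to mirror the regular cancel form, add `_entity_access: 'user.delete'` next to the permission requirement. If the omission is intentional for the test, a YAML comment above the route should say so. This is a test module, so the exposure exists only where it is installed.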