Commit 5a89e6af authored by webchick's avatar webchick

Issue #2574597 by Upchuk, jhedstrom, Berdir, klausi: Comment body doesn't show...

Issue #2574597 by Upchuk, jhedstrom, Berdir, klausi: Comment body doesn't show up in preview for Anonymous users
parent 2bd406fd
......@@ -130,18 +130,14 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
}
if ($operation == 'view') {
$entity = $items ? $items->getEntity() : NULL;
// Admins can view any fields except hostname, other users need both the
// "access comments" permission and for the comment to be published. The
// mail field is hidden from non-admins.
$admin_access = AccessResult::allowedIf($account->hasPermission('administer comments') && $field_definition->getName() != 'hostname')
->cachePerPermissions();
$anonymous_access = AccessResult::allowedIf($account->hasPermission('access comments') && (!$entity || $entity->isPublished()) && !in_array($field_definition->getName(), array('mail', 'hostname'), TRUE))
->cachePerPermissions();
if ($entity) {
$anonymous_access->cacheUntilEntityChanges($entity);
// Nobody has access to the hostname.
if ($field_definition->getName() == 'hostname') {
return AccessResult::forbidden();
}
// The mail field is hidden from non-admins.
if ($field_definition->getName() == 'mail') {
return AccessResult::allowedIfHasPermission($account, 'administer comments');
}
return $admin_access->orIf($anonymous_access);
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
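Review bot: The rewritten 'view' branch drops the check that the comment is published and that the account holds 'access comments', and nothing left in the method says where that requirement now lives, so the body field of an unpublished comment becomes viewable at field level with no stated reason. If the intent is that entity-level access already enforces publication and 'access comments' before field access is consulted, put that in place of the deleted block comment, above the hostname guard: `// Published state and the "access comments" permission are enforced by entity access, not here; field access only restricts the administrative fields.` The two new guards also use `==` against `getName()`; `===` would match the strict `in_array()` the removed code relied on. checkFieldAccess begins before the hunk.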
......@@ -40,6 +40,32 @@ function testAnonymous() {
$this->setCommentAnonymous(COMMENT_ANONYMOUS_MAYNOT_CONTACT);
$this->drupalLogout();
// Preview comments (with `skip comment approval` permission).
$edit = [];
$title = 'comment title with skip comment approval';
$body = 'comment body with skip comment approval';
$edit['subject[0][value]'] = $title;
$edit['comment_body[0][value]'] = $body;
$this->drupalPostForm($this->node->urlInfo(), $edit, t('Preview'));
// Cannot use assertRaw here since both title and body are in the form.
$preview = (string) $this->cssSelect('.preview')[0]->asXML();
$this->assertTrue(strpos($preview, $title) !== FALSE, 'Anonymous user can preview comment title.');
$this->assertTrue(strpos($preview, $body) !== FALSE, 'Anonymous user can preview comment body.');
// Preview comments (without `skip comment approval` permission).
user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['skip comment approval']);
$edit = [];
$title = 'comment title without skip comment approval';
$body = 'comment body without skip comment approval';
$edit['subject[0][value]'] = $title;
$edit['comment_body[0][value]'] = $body;
$this->drupalPostForm($this->node->urlInfo(), $edit, t('Preview'));
// Cannot use assertRaw here since both title and body are in the form.
$preview = (string) $this->cssSelect('.preview')[0]->asXML();
$this->assertTrue(strpos($preview, $title) !== FALSE, 'Anonymous user can preview comment title.');
$this->assertTrue(strpos($preview, $body) !== FALSE, 'Anonymous user can preview comment body.');
user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, ['skip comment approval']);
// Post anonymous comment without contact info.
$anonymous_comment1 = $this->postComment($this->node, $this->randomMachineName(), $this->randomMachineName());
$this->assertTrue($this->commentExists($anonymous_comment1), 'Anonymous comment without contact info found.');
......@@ -168,4 +194,5 @@ function testAnonymous() {
$this->drupalGet('comment/reply/node/' . $this->node->id() . '/comment/' . $anonymous_comment2->id());
$this->assertResponse(403);
}
}
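Review bot: The two preview blocks in the first hunk assert with identical messages ('Anonymous user can preview comment title.' / 'Anonymous user can preview comment body.'), so a failure of the case without `skip comment approval`, which is the scenario named in the commit title, is indistinguishable from the first block in test output; the second pair should name the case, e.g. `'Anonymous user without skip comment approval can preview comment body.'`. `$this->cssSelect('.preview')[0]` is also indexed before anything confirms a `.preview` element was rendered, so if cssSelect returns an empty array the failure surfaces as a PHP notice rather than an assertion; `$previews = $this->cssSelect('.preview');` followed by `$this->assertTrue(count($previews) > 0, 'Comment preview rendered.');` before the cast would make that explicit. testAnonymous begins before the first hunk and the second hunk only adds whitespace.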
......@@ -213,9 +213,8 @@ public function testAccessToAdministrativeFields() {
foreach ($permutations as $set) {
$may_view = $set['comment']->{$field}->access('view', $set['user']);
$may_update = $set['comment']->{$field}->access('edit', $set['user']);
$this->assertEqual($may_view, $set['user']->hasPermission('administer comments') || ($set['comment']->isPublished() && $set['user']->hasPermission('access comments')), SafeMarkup::format('User @user @state view field @field on comment @comment', [
$this->assertTrue($may_view, SafeMarkup::format('User @user can view field @field on comment @comment', [
'@user' => $set['user']->getUsername(),
'@state' => $may_update ? 'can' : 'cannot',
'@comment' => $set['comment']->getSubject(),
'@field' => $field,
]));
......@@ -244,12 +243,20 @@ public function testAccessToAdministrativeFields() {
foreach ($permutations as $set) {
$may_view = $set['comment']->{$field}->access('view', $set['user']);
$may_update = $set['comment']->{$field}->access('edit', $set['user']);
$this->assertEqual($may_view, $field != 'hostname' && ($set['user']->hasPermission('administer comments') ||
($set['comment']->isPublished() && $set['user']->hasPermission('access comments'))), SafeMarkup::format('User @user @state view field @field on comment @comment', [
// Nobody has access to to view the hostname field.
if ($field === 'hostname') {
$view_access = FALSE;
$state = 'cannot';
}
else {
$view_access = TRUE;
$state = 'can';
}
$this->assertEqual($may_view, $view_access, SafeMarkup::format('User @user @state view field @field on comment @comment', [
'@user' => $set['user']->getUsername(),
'@state' => $may_view ? 'can' : 'cannot',
'@comment' => $set['comment']->getSubject(),
'@field' => $field,
'@state' => $state,
]));
$this->assertFalse($may_update, SafeMarkup::format('User @user @state update field @field on comment @comment', [
'@user' => $set['user']->getUsername(),
......@@ -266,10 +273,8 @@ public function testAccessToAdministrativeFields() {
foreach ($permutations as $set) {
$may_view = $set['comment']->{$field}->access('view', $set['user']);
$may_update = $set['comment']->{$field}->access('edit', $set['user']);
$this->assertEqual($may_view, $field != 'hostname' && ($set['user']->hasPermission('administer comments') ||
($set['comment']->isPublished() && $set['user']->hasPermission('access comments'))), SafeMarkup::format('User @user @state view field @field on comment @comment', [
$this->assertEqual($may_view, TRUE, SafeMarkup::format('User @user can view field @field on comment @comment', [
'@user' => $set['user']->getUsername(),
'@state' => $may_view ? 'can' : 'cannot',
'@comment' => $set['comment']->getSubject(),
'@field' => $field,
]));
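Review bot: With the expected value reduced to TRUE (`assertTrue($may_view, …)` in the first hunk, `assertEqual($may_view, TRUE, …)` in the third), the permutation loop no longer distinguishes users without 'access comments' or unpublished comments for view access, and no comment says why that is now acceptable, so the assertion reads as if anonymous users may view fields of unpublished comments. If the intent is that entity access enforces those conditions, say so above the first assertion: `// Field-level view access passes for every permutation; published state and the "access comments" permission are enforced by entity access, which this test does not exercise.` The third hunk should use `$this->assertTrue($may_view, …)` like the first instead of `assertEqual($may_view, TRUE, …)`. The comment added in the second hunk has a doubled word and should read `// Nobody has access to view the hostname field.` testAccessToAdministrativeFields begins before the first hunk.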
......@@ -61,6 +61,9 @@ protected function setUp() {
public function testCommentFieldName() {
/** @var \Drupal\Core\Render\RendererInterface $renderer */
$renderer = \Drupal::service('renderer');
// Grant permission to properly check view access on render.
user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, ['access comments']);
$this->container->get('account_switcher')->switchTo(new AnonymousUserSession());
$view = Views::getView('test_comment_field_name');
$this->executeView($view);
......@@ -79,14 +82,7 @@ public function testCommentFieldName() {
'comment_field_data_field_name' => 'field_name',
];
$this->assertIdenticalResultset($view, $expected_result, $column_map);
// Test that no data can be rendered.
$this->assertIdentical(FALSE, isset($view->field['field_name']));
// Grant permission to properly check view access on render.
user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, ['access comments']);
$this->container->get('account_switcher')->switchTo(new AnonymousUserSession());
$view = Views::getView('test_comment_field_name');
$this->executeView($view);
// Test that data rendered.
$output = $renderer->executeInRenderContext(new RenderContext(), function () use ($view) {
return $view->field['field_name']->advancedRender($view->result[0]);
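Review bot: The second hunk deletes the only negative check in this test, `assertIdentical(FALSE, isset($view->field['field_name']))` for a session without 'access comments', and replaces it with nothing, so the test now covers only the path where the permission has been granted. If denial for users lacking the permission is now meant to come from entity access rather than field access, the comment moved into the first hunk should say so, e.g. `// Field access no longer depends on "access comments"; denial for users without it is enforced by entity access and is not covered by this test.`; otherwise a render-level assertion for the anonymous session before user_role_grant_permissions() would keep that coverage. The closure opened on the last line of the hunk continues outside it.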