Tests the Paragraph access and permissions.
public function testParagraphAccessCheck() {
$permissions = [
'administer site configuration',
'administer node display',
'administer paragraph display',
'create paragraphed_content_demo content',
'edit any paragraphed_content_demo content',
];
$this
->loginAsAdmin($permissions);
// Remove the "access content" for anonymous users. That results in
// anonymous users not being able to "view" the host entity.
/* @var Role $role */
$role = \Drupal::entityTypeManager()
->getStorage('user_role')
->load(RoleInterface::ANONYMOUS_ID);
$role
->revokePermission('access content');
$role
->save();
// Set field_images from demo to private file storage.
$edit = array(
'field_storage[subform][settings][uri_scheme]' => 'private',
);
$this
->drupalGet('admin/structure/paragraphs_type/images/fields/paragraph.images.field_images_demo');
$this
->submitForm($edit, 'Save settings');
// Use the stable widget.
$form_display = EntityFormDisplay::load('node.paragraphed_content_demo.default')
->setComponent('field_paragraphs_demo', [
'type' => 'paragraphs',
]);
$form_display
->save();
// Create a new demo node.
$this
->drupalGet('node/add/paragraphed_content_demo');
// Add a new Paragraphs images item.
$this
->submitForm([], 'Add images');
$images = $this
->getTestFiles('image');
// Create a file, upload it.
$file_system = \Drupal::service('file_system');
$file_system
->copy($images[0]->uri, 'temporary://privateImage.jpg');
$file_path = $this->container
->get('file_system')
->realpath('temporary://privateImage.jpg');
// Create a file, upload it.
$file_system
->copy($images[1]->uri, 'temporary://privateImage2.jpg');
$file_path_2 = $this->container
->get('file_system')
->realpath('temporary://privateImage2.jpg');
$edit = array(
'title[0][value]' => 'Security test node',
'files[field_paragraphs_demo_0_subform_field_images_demo_0][]' => $file_path,
);
$this
->submitForm($edit, 'Upload');
$edit = array(
'files[field_paragraphs_demo_0_subform_field_images_demo_1][]' => $file_path_2,
);
$this
->submitForm($edit, 'Upload');
$this
->submitForm([], 'Preview');
$image_style = ImageStyle::load('medium');
$img1_url = $image_style
->buildUrl('private://' . date('Y-m') . '/privateImage.jpg');
$image_url = \Drupal::service('file_url_generator')
->transformRelative($img1_url);
$this
->assertSession()
->responseContains($image_url);
$this
->clickLink('Back to content editing');
$this
->submitForm([], 'Save');
$node = $this
->drupalGetNodeByTitle('Security test node');
$this
->drupalGet('node/' . $node
->id());
// Check the text and image after publish.
$this
->assertSession()
->responseContains($image_url);
$this
->drupalGet($img1_url);
$this
->assertSession()
->statusCodeEquals(200);
// Logout to become anonymous.
$this
->drupalLogout();
// @todo Requesting the same $img_url again triggers a caching problem on
// drupal.org test bot, thus we request a different file here.
$img_url = $image_style
->buildUrl('private://' . date('Y-m') . '/privateImage2.jpg');
$image_url = \Drupal::service('file_url_generator')
->transformRelative($img_url);
// Check the text and image after publish. Anonymous should not see content.
$this
->assertSession()
->responseNotContains($image_url);
$this
->drupalGet($img_url);
$this
->assertSession()
->statusCodeEquals(403);
// Login as admin with no delete permissions.
$this
->loginAsAdmin($permissions);
// Create a new demo node.
$this
->drupalGet('node/add/paragraphed_content_demo');
$this
->submitForm([], 'Add text');
$this
->assertSession()
->pageTextContains('Text');
$edit = [
'title[0][value]' => 'delete_permissions',
'field_paragraphs_demo[0][subform][field_text_demo][0][value]' => 'Test',
];
$this
->submitForm($edit, 'Save');
// Edit the node.
$this
->clickLink('Edit');
// Check the remove button is present.
$this
->assertNotNull($this
->xpath('//*[@name="field_paragraphs_demo_0_remove"]'));
// Delete the Paragraph and save.
$this
->submitForm([], 'field_paragraphs_demo_0_remove');
$this
->submitForm([], 'Save');
$node = $this
->getNodeByTitle('delete_permissions');
$this
->assertSession()
->addressEquals('node/' . $node
->id());
// Create an unpublished Paragraph and assert if it is displayed for the
// user.
$permissions = [
'create paragraphed_content_demo content',
'edit any paragraphed_content_demo content',
'view unpublished paragraphs',
'administer paragraph form display',
];
$this
->loginAsAdmin($permissions);
$edit = [
'fields[status][region]' => 'content',
'fields[status][type]' => 'boolean_checkbox',
];
$this
->drupalGet('admin/structure/paragraphs_type/text/form-display');
$this
->submitForm($edit, 'Save');
$this
->drupalGet('node/add/paragraphed_content_demo');
$this
->submitForm([], 'Add text');
$this
->assertSession()
->pageTextContains('Text');
$edit = [
'title[0][value]' => 'unpublished_permissions',
'field_paragraphs_demo[0][subform][field_text_demo][0][value]' => 'recognizable_test',
'field_paragraphs_demo[0][subform][status][value]' => FALSE,
];
$this
->submitForm($edit, 'Save');
$this
->assertSession()
->pageTextContains('recognizable_test');
$this
->assertSession()
->responseContains('paragraph--unpublished');
$this
->drupalLogout();
$node = $this
->drupalGetNodeByTitle('unpublished_permissions');
// Login as an user without the view unpublished Paragraph permission.
$user = $this
->drupalCreateUser([
'administer nodes',
'edit any paragraphed_content_demo content',
]);
$this
->drupalLogin($user);
// Assert that the Paragraph is not displayed.
$this
->drupalGet('node/' . $node
->id());
$this
->assertSession()
->pageTextNotContains('recognizable_test');
$this
->assertSession()
->responseNotContains('paragraph--unpublished');
// Grant to the user the view unpublished Paragraph permission.
$this
->grantPermissions(Role::load(Role::AUTHENTICATED_ID), [
'view unpublished paragraphs',
]);
// Assert that the Paragraph is displayed.
$this
->drupalGet('node/' . $node
->id());
$this
->assertSession()
->pageTextContains('recognizable_test');
$this
->assertSession()
->responseContains('paragraph--unpublished');
// Grant to the user the administer Paragraphs settings permission.
$this
->grantPermissions(Role::load(Role::AUTHENTICATED_ID), [
'administer paragraphs settings',
]);
// Disable the show unpublished Paragraphs setting.
$this
->drupalGet('admin/config/content/paragraphs');
$this
->submitForm([
'show_unpublished' => FALSE,
], 'Save configuration');
// Assert that the Paragraph is not displayed even if the user has the
// permission to do so.
$this
->drupalGet('node/' . $node
->id());
$this
->assertSession()
->pageTextNotContains('recognizable_test');
$this
->assertSession()
->responseNotContains('paragraph--unpublished');
// Enable the show unpublished Paragraphs setting.
$this
->drupalGet('admin/config/content/paragraphs');
$this
->submitForm([
'show_unpublished' => TRUE,
], 'Save configuration');
// Assert that the Paragraph is displayed when the user has the permission
// to do so.
$this
->drupalGet('node/' . $node
->id());
$this
->assertSession()
->pageTextContains('recognizable_test');
$this
->assertSession()
->responseContains('paragraph--unpublished');
}