3 namespace Drupal\Tests\content_moderation\Functional;
5 use Drupal\node\Entity\NodeType;
8 * Tests permission access control around nodes.
10 * @group content_moderation
12 class NodeAccessTest extends ModerationStateTestBase {
19 public static $modules = [
// NOTE(review): the module entries and the closing bracket are not visible in
// this listing (the gutter jumps from 19 to 28). setUp() calls
// node_access_test_add_field(), so node_access_test is presumably among the
// enabled modules; confirm against the full file.
28 * Permissions to grant admin user.
32 protected $permissions = [
// Permissions given to the admin account that drives the test.
// NOTE(review): the gutter skips 36 and stops at 41, so this listing does not
// show the complete set or the closing bracket.
33 'administer workflows',
34 'access administration pages',
35 'administer content types',
// 'view latest version' and 'view any unpublished content' are also the two
// view-side permissions that testPageAccess() hands to its first non-admin
// account, so the admin and that account share them.
37 'view latest version',
38 'view any unpublished content',
39 'access content overview',
// Transition permissions; the names match the 'editorial' workflow enabled in
// testPageAccess().
40 'use editorial transition create_new_draft',
41 'use editorial transition publish',
48 protected function setUp() {
// Prepares the fixture: an admin session, a 'moderated_content' node type, the
// node_access_test private field on that type, and rebuilt node access
// permissions.
// NOTE(review): gutter line 49 is not shown in this listing.
50 $this->drupalLogin($this->adminUser);
// NOTE(review): the meaning of the third argument (FALSE) is not visible here;
// confirm against createContentTypeFromUi().
51 $this->createContentTypeFromUi('Moderated content', 'moderated_content', FALSE);
52 $this->grantUserPermissionToCreateContentOfType($this->adminUser, 'moderated_content');
54 // Add the private field to the node type.
55 node_access_test_add_field(NodeType::load('moderated_content'));
57 // Rebuild permissions because hook_node_grants() is implemented by the
58 // node_access_test_empty module.
59 node_access_rebuild();
63 * Verifies that a non-admin user can still access the appropriate pages.
65 public function testPageAccess() {
// Walks one moderated node through draft, published and pending-draft states
// and asserts, per account, whether the view, edit and latest-revision routes
// answer 200 or 403. It finishes with a private node that is reachable only
// through hook_node_access().
// NOTE(review): the gutter numbers skip in several places, so some source lines
// (array closers, form submit arguments, the guard around fail()) are not
// visible in this listing.
66 // Initially disable access grant records in
67 // node_access_test_node_access_records().
68 \Drupal::state()->set('node_access_test.private', TRUE);
70 $this->drupalLogin($this->adminUser);
72 // Access the node form before moderation is enabled; the publication state
73 // should be visible at this point.
74 $this->drupalGet('node/add/moderated_content');
75 $this->assertSession()->fieldExists('Published');
77 // Now enable the workflow.
78 $this->enableModerationThroughUi('moderated_content', 'editorial');
80 // Assert that the status field is no longer visible.
81 $this->drupalGet('node/add/moderated_content');
82 $this->assertSession()->fieldNotExists('Published');
84 // Create a node to test with.
85 $this->drupalPostForm(NULL, [
86 'title[0][value]' => 'moderated content',
87 'moderation_state[0][state]' => 'draft',
89 $node = $this->getNodeByTitle('moderated content');
// NOTE(review): the condition guarding this fail() sits on a line the listing
// omits (gutter line 90).
91 $this->fail('Test node was not saved correctly.');
// The three routes whose access is asserted for every account below.
94 $view_path = 'node/' . $node->id();
95 $edit_path = 'node/' . $node->id() . '/edit';
96 $latest_path = 'node/' . $node->id() . '/latest';
98 // Now make a new user and verify that the new user's access is correct.
99 $user = $this->createUser([
100 'use editorial transition create_new_draft',
101 'view latest version',
102 'view any unpublished content',
104 $this->drupalLogin($user);
// Only a draft exists so far: edit is denied, the latest-revision route is
// denied (it is expected to open only after a pending revision is created
// further down), and the canonical view is allowed, presumably through
// 'view any unpublished content'.
106 $this->drupalGet($edit_path);
107 $this->assertResponse(403);
109 $this->drupalGet($latest_path);
110 $this->assertResponse(403);
111 $this->drupalGet($view_path);
112 $this->assertResponse(200);
// As admin, move the node to the 'published' state.
115 $this->drupalLogin($this->adminUser);
116 $this->drupalPostForm($edit_path, [
117 'moderation_state[0][state]' => 'published',
120 // Ensure access works correctly for anonymous users.
121 $this->drupalLogout();
// Anonymous visitors may view the published node but must not reach the edit
// form or the latest-revision route.
123 $this->drupalGet($edit_path);
124 $this->assertResponse(403);
126 $this->drupalGet($latest_path);
127 $this->assertResponse(403);
128 $this->drupalGet($view_path);
129 $this->assertResponse(200);
131 // Create a pending revision for the 'Latest revision' tab.
132 $this->drupalLogin($this->adminUser);
133 $this->drupalPostForm($edit_path, [
134 'title[0][value]' => 'moderated content revised',
135 'moderation_state[0][state]' => 'draft',
// $user is still the first non-admin account (it holds 'view latest version').
// With a pending revision in place the latest-revision route now answers 200,
// while edit stays denied.
138 $this->drupalLogin($user);
140 $this->drupalGet($edit_path);
141 $this->assertResponse(403);
143 $this->drupalGet($latest_path);
144 $this->assertResponse(200);
145 $this->drupalGet($view_path);
146 $this->assertResponse(200);
148 // Now make another user, who should not be able to see pending revisions.
149 $user = $this->createUser([
150 'use editorial transition create_new_draft',
152 $this->drupalLogin($user);
// Without 'view latest version' the pending revision must stay hidden (403),
// while the published revision remains viewable.
154 $this->drupalGet($edit_path);
155 $this->assertResponse(403);
157 $this->drupalGet($latest_path);
158 $this->assertResponse(403);
159 $this->drupalGet($view_path);
160 $this->assertResponse(200);
162 // Now create a private node that the user is not granted access to by the
163 // node grants, but is granted access via hook_node_access().
164 // @see node_access_test_node_access
165 $node = $this->createNode([
166 'type' => 'moderated_content',
// NOTE(review): gutter lines 167 and 169 are not shown, so the remaining node
// values are unknown from this listing.
168 'uid' => $this->adminUser->id(),
170 $user = $this->createUser([
171 'use editorial transition publish',
173 $this->drupalLogin($user);
175 // Grant access to the node via node_access_test_node_access().
176 \Drupal::state()->set('node_access_test.allow_uid', $user->id());
// The visible permission list holds only the publish transition, so the 200
// below depends on the hook_node_access() grant set on the previous line.
178 $this->drupalGet($node->toUrl());
179 $this->assertResponse(200);
181 // Verify the moderation form is in place by publishing the node.
182 $this->drupalPostForm(NULL, [], t('Apply'));
// loadUnchanged() is used for the reload; presumably it bypasses the static
// entity cache so the assertion reads the stored state. TODO confirm.
183 $node = \Drupal::entityTypeManager()->getStorage('node')->loadUnchanged($node->id());
184 $this->assertEquals('published', $node->moderation_state->value);