3 namespace Drupal\file\Tests;
5 use Drupal\Core\Entity\Plugin\Validation\Constraint\ReferenceAccessConstraint;
6 use Drupal\Component\Utility\SafeMarkup;
7 use Drupal\file\Entity\File;
8 use Drupal\node\Entity\NodeType;
9 use Drupal\user\RoleInterface;
12 * Uploads a test file to a private node and checks access.
16 class FilePrivateTest extends FileFieldTestBase {
23 public static $modules = ['node_access_test', 'field_test'];
25 protected function setUp() {
27 node_access_test_add_field(NodeType::load('article'));
28 node_access_rebuild();
29 \Drupal::state()->set('node_access_test.private', TRUE);
33 * Tests file access for a file uploaded to a private node.
35 public function testPrivateFile() {
36 $node_storage = $this->container->get('entity.manager')->getStorage('node');
37 $type_name = 'article';
38 $field_name = strtolower($this->randomMachineName());
39 $this->createFileField($field_name, 'node', $type_name, ['uri_scheme' => 'private']);
41 $test_file = $this->getTestFile('text');
42 $nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, ['private' => TRUE]);
43 \Drupal::entityManager()->getStorage('node')->resetCache([$nid]);
44 /* @var \Drupal\node\NodeInterface $node */
45 $node = $node_storage->load($nid);
46 $node_file = File::load($node->{$field_name}->target_id);
47 // Ensure the file can be viewed.
48 $this->drupalGet('node/' . $node->id());
49 $this->assertRaw($node_file->getFilename(), 'File reference is displayed after attaching it');
50 // Ensure the file can be downloaded.
51 $this->drupalGet(file_create_url($node_file->getFileUri()));
52 $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
53 $this->drupalLogOut();
54 $this->drupalGet(file_create_url($node_file->getFileUri()));
55 $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
57 // Create a field with no view access. See
58 // field_test_entity_field_access().
59 $no_access_field_name = 'field_no_view_access';
60 $this->createFileField($no_access_field_name, 'node', $type_name, ['uri_scheme' => 'private']);
61 // Test with the field that should deny access through field access.
62 $this->drupalLogin($this->adminUser);
63 $nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, ['private' => TRUE]);
64 \Drupal::entityManager()->getStorage('node')->resetCache([$nid]);
65 $node = $node_storage->load($nid);
66 $node_file = File::load($node->{$no_access_field_name}->target_id);
68 // Ensure the file cannot be downloaded.
69 $file_url = file_create_url($node_file->getFileUri());
70 $this->drupalGet($file_url);
71 $this->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission.');
73 // Attempt to reuse the file when editing a node.
75 $edit['title[0][value]'] = $this->randomMachineName();
76 $this->drupalPostForm('node/add/' . $type_name, $edit, t('Save and publish'));
77 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
78 $edit[$field_name . '[0][fids]'] = $node_file->id();
79 $this->drupalPostForm('node/' . $new_node->id() . '/edit', $edit, t('Save and keep published'));
80 // Make sure the form submit failed - we stayed on the edit form.
81 $this->assertUrl('node/' . $new_node->id() . '/edit');
82 // Check that we got the expected constraint form error.
83 $constraint = new ReferenceAccessConstraint();
84 $this->assertRaw(SafeMarkup::format($constraint->message, ['%type' => 'file', '%id' => $node_file->id()]));
85 // Attempt to reuse the existing file when creating a new node, and confirm
86 // that access is still denied.
88 $edit['title[0][value]'] = $this->randomMachineName();
89 $edit[$field_name . '[0][fids]'] = $node_file->id();
90 $this->drupalPostForm('node/add/' . $type_name, $edit, t('Save and publish'));
91 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
92 $this->assertTrue(empty($new_node), 'Node was not created.');
93 $this->assertUrl('node/add/' . $type_name);
94 $this->assertRaw(SafeMarkup::format($constraint->message, ['%type' => 'file', '%id' => $node_file->id()]));
96 // Now make file_test_file_download() return everything.
97 \Drupal::state()->set('file_test.allow_all', TRUE);
100 // Ensure the file can still be downloaded by the owner.
101 $this->drupalGet($file_url);
102 $this->assertResponse(200, 'Confirmed that the owner still has access to the temporary file.');
104 // Ensure the file cannot be downloaded by an anonymous user.
105 $this->drupalLogout();
106 $this->drupalGet($file_url);
107 $this->assertResponse(403, 'Confirmed that access is denied for an anonymous user to the temporary file.');
109 // Ensure the file cannot be downloaded by another user.
110 $account = $this->drupalCreateUser();
111 $this->drupalLogin($account);
112 $this->drupalGet($file_url);
113 $this->assertResponse(403, 'Confirmed that access is denied for another user to the temporary file.');
115 // As an anonymous user, create a temporary file with no references and
116 // confirm that only the session that uploaded it may view it.
117 $this->drupalLogout();
118 user_role_change_permissions(
119 RoleInterface::ANONYMOUS_ID,
121 "create $type_name content" => TRUE,
122 'access content' => TRUE,
125 $test_file = $this->getTestFile('text');
126 $this->drupalGet('node/add/' . $type_name);
127 $edit = ['files[' . $field_name . '_0]' => drupal_realpath($test_file->getFileUri())];
128 $this->drupalPostForm(NULL, $edit, t('Upload'));
129 /** @var \Drupal\file\FileStorageInterface $file_storage */
130 $file_storage = $this->container->get('entity.manager')->getStorage('file');
131 $files = $file_storage->loadByProperties(['uid' => 0]);
132 $this->assertEqual(1, count($files), 'Loaded one anonymous file.');
134 $this->assertTrue($file->isTemporary(), 'File is temporary.');
135 $usage = $this->container->get('file.usage')->listUsage($file);
136 $this->assertFalse($usage, 'No file usage found.');
137 $file_url = file_create_url($file->getFileUri());
138 $this->drupalGet($file_url);
139 $this->assertResponse(200, 'Confirmed that the anonymous uploader has access to the temporary file.');
140 // Close the prior connection and remove the session cookie.
142 $this->curlCookies = [];
144 $this->drupalGet($file_url);
145 $this->assertResponse(403, 'Confirmed that another anonymous user cannot access the temporary file.');
147 // As an anonymous user, create a permanent file, then remove all
148 // references to the file (so that it becomes temporary again) and confirm
149 // that only the session that uploaded it may view it.
150 $test_file = $this->getTestFile('text');
151 $this->drupalGet('node/add/' . $type_name);
153 $edit['title[0][value]'] = $this->randomMachineName();
154 $edit['files[' . $field_name . '_0]'] = drupal_realpath($test_file->getFileUri());
155 $this->drupalPostForm(NULL, $edit, t('Save'));
156 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
157 $file_id = $new_node->{$field_name}->target_id;
158 $file = File::load($file_id);
159 $this->assertTrue($file->isPermanent(), 'File is permanent.');
160 // Remove the reference to this file.
161 $new_node->{$field_name} = [];
163 $file = File::load($file_id);
164 $this->assertTrue($file->isTemporary(), 'File is temporary.');
165 $usage = $this->container->get('file.usage')->listUsage($file);
166 $this->assertFalse($usage, 'No file usage found.');
167 $file_url = file_create_url($file->getFileUri());
168 $this->drupalGet($file_url);
169 $this->assertResponse(200, 'Confirmed that the anonymous uploader has access to the file whose references were removed.');
170 // Close the prior connection and remove the session cookie.
172 $this->curlCookies = [];
174 $this->drupalGet($file_url);
175 $this->assertResponse(403, 'Confirmed that another anonymous user cannot access the file whose references were removed.');
177 // As an anonymous user, create a permanent file that is referenced by a
178 // published node and confirm that all anonymous users may view it.
179 $test_file = $this->getTestFile('text');
180 $this->drupalGet('node/add/' . $type_name);
182 $edit['title[0][value]'] = $this->randomMachineName();
183 $edit['files[' . $field_name . '_0]'] = drupal_realpath($test_file->getFileUri());
184 $this->drupalPostForm(NULL, $edit, t('Save'));
185 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
186 $file = File::load($new_node->{$field_name}->target_id);
187 $this->assertTrue($file->isPermanent(), 'File is permanent.');
188 $usage = $this->container->get('file.usage')->listUsage($file);
189 $this->assertTrue($usage, 'File usage found.');
190 $file_url = file_create_url($file->getFileUri());
191 $this->drupalGet($file_url);
192 $this->assertResponse(200, 'Confirmed that the anonymous uploader has access to the permanent file that is referenced by a published node.');
193 // Close the prior connection and remove the session cookie.
195 $this->curlCookies = [];
197 $this->drupalGet($file_url);
198 $this->assertResponse(200, 'Confirmed that another anonymous user also has access to the permanent file that is referenced by a published node.');
200 // As an anonymous user, create a permanent file that is referenced by an
201 // unpublished node and confirm that no anonymous users may view it (even
202 // the session that uploaded the file) because they cannot view the
204 $test_file = $this->getTestFile('text');
205 $this->drupalGet('node/add/' . $type_name);
207 $edit['title[0][value]'] = $this->randomMachineName();
208 $edit['files[' . $field_name . '_0]'] = drupal_realpath($test_file->getFileUri());
209 $this->drupalPostForm(NULL, $edit, t('Save'));
210 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
211 $new_node->setPublished(FALSE);
213 $file = File::load($new_node->{$field_name}->target_id);
214 $this->assertTrue($file->isPermanent(), 'File is permanent.');
215 $usage = $this->container->get('file.usage')->listUsage($file);
216 $this->assertTrue($usage, 'File usage found.');
217 $file_url = file_create_url($file->getFileUri());
218 $this->drupalGet($file_url);
219 $this->assertResponse(403, 'Confirmed that the anonymous uploader cannot access the permanent file when it is referenced by an unpublished node.');
220 // Close the prior connection and remove the session cookie.
222 $this->curlCookies = [];
224 $this->drupalGet($file_url);
225 $this->assertResponse(403, 'Confirmed that another anonymous user cannot access the permanent file when it is referenced by an unpublished node.');