Security update for Core, with self-updated composer

[yaffs-website] / web / core / modules / comment / tests / src / Functional / CommentAccessTest.php

diff --git a/web/core/modules/comment/tests/src/Functional/CommentAccessTest.php b/web/core/modules/comment/tests/src/Functional/CommentAccessTest.php
new file mode 100644 (file)
index 0000000..4094ec6
--- /dev/null
+++ b/web/core/modules/comment/tests/src/Functional/CommentAccessTest.php
@@ -0,0 +1,120 @@
+<?php
+
+namespace Drupal\Tests\comment\Functional;
+
+use Drupal\comment\Entity\Comment;
+use Drupal\comment\Tests\CommentTestTrait;
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\BrowserTestBase;
+
+/**
+ * Tests comment administration and preview access.
+ *
+ * @group comment
+ */
+class CommentAccessTest extends BrowserTestBase {
+
+  use CommentTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = [
+    'node',
+    'comment',
+  ];
+
+  /**
+   * Node for commenting.
+   *
+   * @var \Drupal\node\NodeInterface
+   */
+  protected $unpublishedNode;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    $node_type = NodeType::create([
+      'type' => 'article',
+      'name' => 'Article',
+    ]);
+    $node_type->save();
+    $node_author = $this->drupalCreateUser([
+      'create article content',
+      'access comments',
+    ]);
+
+    $this->drupalLogin($this->drupalCreateUser([
+      'edit own comments',
+      'skip comment approval',
+      'post comments',
+      'access comments',
+      'access content',
+    ]));
+
+    $this->addDefaultCommentField('node', 'article');
+    $this->unpublishedNode = $this->createNode([
+      'title' => 'This is unpublished',
+      'uid' => $node_author->id(),
+      'status' => 0,
+      'type' => 'article',
+    ]);
+    $this->unpublishedNode->save();
+  }
+
+  /**
+   * Tests commenting disabled for access-blocked entities.
+   */
+  public function testCannotCommentOnEntitiesYouCannotView() {
+    $assert = $this->assertSession();
+
+    $comment_url = 'comment/reply/node/' . $this->unpublishedNode->id() . '/comment';
+
+    // Commenting on an unpublished node results in access denied.
+    $this->drupalGet($comment_url);
+    $assert->statusCodeEquals(403);
+
+    // Publishing the node grants access.
+    $this->unpublishedNode->setPublished(TRUE)->save();
+    $this->drupalGet($comment_url);
+    $assert->statusCodeEquals(200);
+  }
+
+  /**
+   * Tests cannot view comment reply form on entities you cannot view.
+   */
+  public function testCannotViewCommentReplyFormOnEntitiesYouCannotView() {
+    $assert = $this->assertSession();
+
+    // Create a comment on an unpublished node.
+    $comment = Comment::create([
+      'entity_type' => 'node',
+      'name' => 'Tony',
+      'hostname' => 'magic.example.com',
+      'mail' => 'foo@example.com',
+      'subject' => 'Comment on unpublished node',
+      'entity_id' => $this->unpublishedNode->id(),
+      'comment_type' => 'comment',
+      'field_name' => 'comment',
+      'pid' => 0,
+      'uid' => $this->unpublishedNode->getOwnerId(),
+      'status' => 1,
+    ]);
+    $comment->save();
+
+    $comment_url = 'comment/reply/node/' . $this->unpublishedNode->id() . '/comment/' . $comment->id();
+
+    // Replying to a comment on an unpublished node results in access denied.
+    $this->drupalGet($comment_url);
+    $assert->statusCodeEquals(403);
+
+    // Publishing the node grants access.
+    $this->unpublishedNode->setPublished(TRUE)->save();
+    $this->drupalGet($comment_url);
+    $assert->statusCodeEquals(200);
+  }
+
+}