Security update for Core, with self-updated composer

[yaffs-website] / web / core / modules / content_moderation / tests / src / Functional / NodeAccessTest.php

diff --git a/web/core/modules/content_moderation/tests/src/Functional/NodeAccessTest.php b/web/core/modules/content_moderation/tests/src/Functional/NodeAccessTest.php
index f3c27146d48e10172a54b474e98be0b25eb3232e..76e9d97608c48c44f52c945bc8aff40448f6ab03 100644 (file)
--- a/web/core/modules/content_moderation/tests/src/Functional/NodeAccessTest.php
+++ b/web/core/modules/content_moderation/tests/src/Functional/NodeAccessTest.php
@@ -2,6 +2,8 @@
 
 namespace Drupal\Tests\content_moderation\Functional;
 
+use Drupal\node\Entity\NodeType;
+
 /**
  * Tests permission access control around nodes.
  *
@@ -19,7 +21,7 @@ class NodeAccessTest extends ModerationStateTestBase {
     'block',
     'block_content',
     'node',
-    'node_access_test_empty',
+    'node_access_test',
   ];
 
   /**
@@ -28,7 +30,7 @@ class NodeAccessTest extends ModerationStateTestBase {
    * @var array
    */
   protected $permissions = [
-    'administer content moderation',
+    'administer workflows',
     'access administration pages',
     'administer content types',
     'administer nodes',
@@ -46,9 +48,12 @@ class NodeAccessTest extends ModerationStateTestBase {
   protected function setUp() {
     parent::setUp();
     $this->drupalLogin($this->adminUser);
-    $this->createContentTypeFromUi('Moderated content', 'moderated_content', TRUE);
+    $this->createContentTypeFromUi('Moderated content', 'moderated_content', FALSE);
     $this->grantUserPermissionToCreateContentOfType($this->adminUser, 'moderated_content');
 
+    // Add the private field to the node type.
+    node_access_test_add_field(NodeType::load('moderated_content'));
+
     // Rebuild permissions because hook_node_grants() is implemented by the
     // node_access_test_empty module.
     node_access_rebuild();
@@ -58,12 +63,29 @@ class NodeAccessTest extends ModerationStateTestBase {
    * Verifies that a non-admin user can still access the appropriate pages.
    */
   public function testPageAccess() {
+    // Initially disable access grant records in
+    // node_access_test_node_access_records().
+    \Drupal::state()->set('node_access_test.private', TRUE);
+
     $this->drupalLogin($this->adminUser);
 
+    // Access the node form before moderation is enabled, the publication state
+    // should now be visible.
+    $this->drupalGet('node/add/moderated_content');
+    $this->assertSession()->fieldExists('Published');
+
+    // Now enable the workflow.
+    $this->enableModerationThroughUi('moderated_content', 'editorial');
+
+    // Access that the status field is no longer visible.
+    $this->drupalGet('node/add/moderated_content');
+    $this->assertSession()->fieldNotExists('Published');
+
     // Create a node to test with.
-    $this->drupalPostForm('node/add/moderated_content', [
+    $this->drupalPostForm(NULL, [
       'title[0][value]' => 'moderated content',
-    ], t('Save and Create New Draft'));
+      'moderation_state[0][state]' => 'draft',
+    ], t('Save'));
     $node = $this->getNodeByTitle('moderated content');
     if (!$node) {
       $this->fail('Test node was not saved correctly.');
@@ -91,7 +113,9 @@ class NodeAccessTest extends ModerationStateTestBase {
 
     // Publish the node.
     $this->drupalLogin($this->adminUser);
-    $this->drupalPostForm($edit_path, [], t('Save and Publish'));
+    $this->drupalPostForm($edit_path, [
+      'moderation_state[0][state]' => 'published',
+    ], t('Save'));
 
     // Ensure access works correctly for anonymous users.
     $this->drupalLogout();
@@ -104,11 +128,12 @@ class NodeAccessTest extends ModerationStateTestBase {
     $this->drupalGet($view_path);
     $this->assertResponse(200);
 
-    // Create a forward revision for the 'Latest revision' tab.
+    // Create a pending revision for the 'Latest revision' tab.
     $this->drupalLogin($this->adminUser);
     $this->drupalPostForm($edit_path, [
       'title[0][value]' => 'moderated content revised',
-    ], t('Save and Create New Draft'));
+      'moderation_state[0][state]' => 'draft',
+    ], t('Save'));
 
     $this->drupalLogin($user);
 
@@ -120,7 +145,7 @@ class NodeAccessTest extends ModerationStateTestBase {
     $this->drupalGet($view_path);
     $this->assertResponse(200);
 
-    // Now make another user, who should not be able to see forward revisions.
+    // Now make another user, who should not be able to see pending revisions.
     $user = $this->createUser([
       'use editorial transition create_new_draft',
     ]);
@@ -133,6 +158,30 @@ class NodeAccessTest extends ModerationStateTestBase {
     $this->assertResponse(403);
     $this->drupalGet($view_path);
     $this->assertResponse(200);
+
+    // Now create a private node that the user is not granted access to by the
+    // node grants, but is granted access via hook_node_access().
+    // @see node_access_test_node_access
+    $node = $this->createNode([
+      'type' => 'moderated_content',
+      'private' => TRUE,
+      'uid' => $this->adminUser->id(),
+    ]);
+    $user = $this->createUser([
+      'use editorial transition publish',
+    ]);
+    $this->drupalLogin($user);
+
+    // Grant access to the node via node_access_test_node_access().
+    \Drupal::state()->set('node_access_test.allow_uid', $user->id());
+
+    $this->drupalGet($node->toUrl());
+    $this->assertResponse(200);
+
+    // Verify the moderation form is in place by publishing the node.
+    $this->drupalPostForm(NULL, [], t('Apply'));
+    $node = \Drupal::entityTypeManager()->getStorage('node')->loadUnchanged($node->id());
+    $this->assertEquals('published', $node->moderation_state->value);
   }
 
 }