function AccessTest::testFileAccess

Same name in other branches
  1. 11.x core/modules/file/tests/src/Kernel/AccessTest.php \Drupal\Tests\file\Kernel\AccessTest::testFileAccess()

Tests 'update' and 'delete' access to file entities.

File

core/modules/file/tests/src/Kernel/AccessTest.php, line 42

Class

AccessTest
Tests for the File access control.

Namespace

Drupal\Tests\file\Kernel

Code

public function testFileAccess() : void {
    // Create a user so the tested users do not have the magic ID of user 1.
    $this->createUser();
    $user_any = $this->createUser([
        'delete any file',
    ]);
    $this->assertGreaterThan(1, (int) $user_any->id());
    $user_own = $this->createUser([
        'delete own files',
    ]);
    $test_files = $this->getTestFiles('text');
    $file1 = File::create((array) $test_files[0]);
    $file1->set('uid', $user_any->id());
    $file1->save();
    $file2 = File::create((array) $test_files[1]);
    $file2->set('uid', $user_own->id());
    $file2->save();
    // User with "* any file" permissions should delete all files and update
    // their own.
    $this->assertTrue($file1->access('delete', $user_any));
    $this->assertTrue($file1->access('update', $user_any));
    $this->assertTrue($file2->access('delete', $user_any));
    $this->assertFalse($file2->access('update', $user_any));
    // User with "* own files" permissions should access only own files.
    $this->assertFalse($file1->access('delete', $user_own));
    $this->assertFalse($file1->access('update', $user_own));
    $this->assertTrue($file2->access('delete', $user_own));
    $this->assertTrue($file2->access('update', $user_own));
    // Ensure cacheability metadata is correct.
    
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('delete', $user_any, TRUE);
    $this->assertSame([
        'user.permissions',
    ], $access->getCacheContexts());
    $this->assertSame([], $access->getCacheTags());
    
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('delete', $user_own, TRUE);
    $this->assertSame([
        'user.permissions',
        'user',
    ], $access->getCacheContexts());
    $this->assertSame([
        'file:2',
    ], $access->getCacheTags());
    
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('update', $user_any, TRUE);
    $this->assertSame([], $access->getCacheContexts());
    $this->assertSame([], $access->getCacheTags());
    
    /** @var \Drupal\Core\Access\AccessResult $access */
    $access = $file2->access('update', $user_own, TRUE);
    $this->assertSame([], $access->getCacheContexts());
    $this->assertSame([], $access->getCacheTags());
    // User without permissions should not be able to delete files even if they
    // are the owner.
    $user_none = $this->createUser();
    $file3 = File::create([
        'uid' => $user_none->id(),
        'filename' => 'druplicon.txt',
        'filemime' => 'text/plain',
    ]);
    $this->assertFalse($file3->access('delete', $user_none));
    $this->assertTrue($file3->access('update', $user_none));
    // Create a file with no user entity.
    $file4 = File::create([
        'filename' => 'druplicon.txt',
        'filemime' => 'text/plain',
    ]);
    $this->assertFalse($file4->access('delete', $user_own));
    $this->assertFalse($file4->access('update', $user_own));
    $this->assertTrue($file4->access('delete', $user_any));
    $this->assertFalse($file4->access('update', $user_any));
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.