AccessDeniedTest.php

Same filename in other branches
  1. 9 core/modules/system/tests/src/Functional/System/AccessDeniedTest.php
  2. 8.9.x core/modules/system/tests/src/Functional/System/AccessDeniedTest.php
  3. 10 core/modules/system/tests/src/Functional/System/AccessDeniedTest.php

Namespace

Drupal\Tests\system\Functional\System

File

core/modules/system/tests/src/Functional/System/AccessDeniedTest.php

View source
<?php

declare (strict_types=1);
namespace Drupal\Tests\system\Functional\System;

use Drupal\Tests\BrowserTestBase;
use Drupal\Tests\system\Functional\Cache\AssertPageCacheContextsAndTagsTrait;
use Drupal\user\RoleInterface;

/**
 * Tests page access denied functionality, including custom 403 pages.
 *
 * @group system
 */
class AccessDeniedTest extends BrowserTestBase {
    use AssertPageCacheContextsAndTagsTrait;
    
    /**
     * {@inheritdoc}
     */
    protected static $modules = [
        'block',
        'node',
        'system_test',
    ];
    
    /**
     * {@inheritdoc}
     */
    protected $defaultTheme = 'stark';
    protected $adminUser;
    
    /**
     * {@inheritdoc}
     */
    protected function setUp() : void {
        parent::setUp();
        $this->drupalPlaceBlock('page_title_block');
        // Create an administrative user.
        $this->adminUser = $this->drupalCreateUser([
            'access administration pages',
            'administer site configuration',
            'link to any page',
            'administer blocks',
        ]);
        $this->adminUser->roles[] = 'administrator';
        $this->adminUser
            ->save();
        user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, [
            'access user profiles',
        ]);
        user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, [
            'access user profiles',
        ]);
    }
    public function testAccessDenied() : void {
        $this->drupalGet('admin');
        $this->assertSession()
            ->pageTextContains('Access denied');
        $this->assertSession()
            ->statusCodeEquals(403);
        // Ensure that users without permission are denied access and have the
        // correct path information in drupalSettings.
        $this->drupalLogin($this->createUser([]));
        $this->drupalGet('admin', [
            'query' => [
                'foo' => 'bar',
            ],
        ]);
        $settings = $this->getDrupalSettings();
        $this->assertEquals('admin', $settings['path']['currentPath']);
        $this->assertTrue($settings['path']['currentPathIsAdmin']);
        $this->assertEquals([
            'foo' => 'bar',
        ], $settings['path']['currentQuery']);
        $this->drupalLogin($this->adminUser);
        // Set a custom 404 page without a starting slash.
        $edit = [
            'site_403' => 'user/' . $this->adminUser
                ->id(),
        ];
        $this->drupalGet('admin/config/system/site-information');
        $this->submitForm($edit, 'Save configuration');
        $this->assertSession()
            ->pageTextContains("The path '{$edit['site_403']}' has to start with a slash.");
        // Use a custom 403 page.
        $edit = [
            'site_403' => '/user/' . $this->adminUser
                ->id(),
        ];
        $this->drupalGet('admin/config/system/site-information');
        $this->submitForm($edit, 'Save configuration');
        // Enable the user login block.
        $block = $this->drupalPlaceBlock('user_login_block', [
            'id' => 'login',
        ]);
        // Log out and check that the user login block is shown on custom 403 pages.
        $this->drupalLogout();
        $this->drupalGet('admin');
        $this->assertSession()
            ->pageTextContains($this->adminUser
            ->getAccountName());
        $this->assertSession()
            ->pageTextContains('Username');
        // Log back in and remove the custom 403 page.
        $this->drupalLogin($this->adminUser);
        $edit = [
            'site_403' => '',
        ];
        $this->drupalGet('admin/config/system/site-information');
        $this->submitForm($edit, 'Save configuration');
        // Logout and check that the user login block is shown on default 403 pages.
        $this->drupalLogout();
        $this->drupalGet('admin');
        $this->assertSession()
            ->pageTextContains('Access denied');
        $this->assertSession()
            ->statusCodeEquals(403);
        $this->assertSession()
            ->pageTextContains('Username');
        // Log back in, set the custom 403 page to /user/login and remove the block
        $this->drupalLogin($this->adminUser);
        $this->config('system.site')
            ->set('page.403', '/user/login')
            ->save();
        $block->disable()
            ->save();
        // Check that we can log in from the 403 page.
        $this->drupalLogout();
        $edit = [
            'name' => $this->adminUser
                ->getAccountName(),
            'pass' => $this->adminUser->pass_raw,
        ];
        $this->drupalGet('admin/config/system/site-information');
        $this->submitForm($edit, 'Log in');
        // Check that we're still on the same page.
        $this->assertSession()
            ->pageTextContains('Basic site settings');
    }
    
    /**
     * Tests that an inaccessible custom 403 page falls back to the default.
     */
    public function testAccessDeniedCustomPageWithAccessDenied() : void {
        // Sets up a 403 page not accessible by the anonymous user.
        $this->config('system.site')
            ->set('page.403', '/system-test/custom-4xx')
            ->save();
        $this->drupalGet('/system-test/always-denied');
        $this->assertSession()
            ->pageTextNotContains('Admin-only 4xx response');
        $this->assertSession()
            ->pageTextContains('You are not authorized to access this page.');
        $this->assertSession()
            ->statusCodeEquals(403);
        // Verify the access cacheability metadata for custom 403 is bubbled.
        $this->assertCacheContext('user.roles');
        $this->drupalLogin($this->adminUser);
        $this->drupalGet('/system-test/always-denied');
        $this->assertSession()
            ->pageTextContains('Admin-only 4xx response');
        $this->assertSession()
            ->statusCodeEquals(403);
        // Verify the access cacheability metadata for custom 403 is bubbled.
        $this->assertCacheContext('user.roles');
    }

}

Classes

Title Deprecated Summary
AccessDeniedTest Tests page access denied functionality, including custom 403 pages.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.