function FilePrivateTest::testPrivateFile
Same name in other branches
- 8.9.x core/modules/file/tests/src/Functional/FilePrivateTest.php \Drupal\Tests\file\Functional\FilePrivateTest::testPrivateFile()
- 10 core/modules/file/tests/src/Functional/FilePrivateTest.php \Drupal\Tests\file\Functional\FilePrivateTest::testPrivateFile()
- 11.x core/modules/file/tests/src/Functional/FilePrivateTest.php \Drupal\Tests\file\Functional\FilePrivateTest::testPrivateFile()
Tests file access for file uploaded to a private node.
File
-
core/
modules/ file/ tests/ src/ Functional/ FilePrivateTest.php, line 45
Class
- FilePrivateTest
- Uploads a test to a private node and checks access.
Namespace
Drupal\Tests\file\FunctionalCode
public function testPrivateFile() {
$node_storage = $this->container
->get('entity_type.manager')
->getStorage('node');
/** @var \Drupal\Core\File\FileSystemInterface $file_system */
$file_system = \Drupal::service('file_system');
$type_name = 'article';
$field_name = strtolower($this->randomMachineName());
$this->createFileField($field_name, 'node', $type_name, [
'uri_scheme' => 'private',
]);
$test_file = $this->getTestFile('text');
$nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, [
'private' => TRUE,
]);
\Drupal::entityTypeManager()->getStorage('node')
->resetCache([
$nid,
]);
/** @var \Drupal\node\NodeInterface $node */
$node = $node_storage->load($nid);
$node_file = File::load($node->{$field_name}->target_id);
// Ensure the file can be viewed.
$this->drupalGet('node/' . $node->id());
$this->assertSession()
->responseContains($node_file->getFilename());
// Ensure the file can be downloaded.
$this->drupalGet($node_file->createFileUrl(FALSE));
$this->assertSession()
->statusCodeEquals(200);
$this->drupalLogOut();
// Ensure the file cannot be downloaded after logging out.
$this->drupalGet($node_file->createFileUrl(FALSE));
$this->assertSession()
->statusCodeEquals(403);
// Create a field with no view access. See
// field_test_entity_field_access().
$no_access_field_name = 'field_no_view_access';
$this->createFileField($no_access_field_name, 'node', $type_name, [
'uri_scheme' => 'private',
]);
// Test with the field that should deny access through field access.
$this->drupalLogin($this->adminUser);
$nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, [
'private' => TRUE,
]);
\Drupal::entityTypeManager()->getStorage('node')
->resetCache([
$nid,
]);
$node = $node_storage->load($nid);
$node_file = File::load($node->{$no_access_field_name}->target_id);
// Ensure the file cannot be downloaded.
$file_url = $node_file->createFileUrl(FALSE);
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
// Attempt to reuse the file when editing a node.
$edit = [];
$edit['title[0][value]'] = $this->randomMachineName();
$this->drupalGet('node/add/' . $type_name);
$this->submitForm($edit, 'Save');
$new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
// Can't use submitForm() to set hidden fields.
$this->drupalGet('node/' . $new_node->id() . '/edit');
$this->getSession()
->getPage()
->find('css', 'input[name="' . $field_name . '[0][fids]"]')
->setValue($node_file->id());
$this->getSession()
->getPage()
->pressButton('Save');
$this->assertSession()
->addressEquals('node/' . $new_node->id());
// Make sure the submitted hidden file field is empty.
$new_node = \Drupal::entityTypeManager()->getStorage('node')
->loadUnchanged($new_node->id());
$this->assertTrue($new_node->get($field_name)
->isEmpty());
// Attempt to reuse the existing file when creating a new node, and confirm
// that access is still denied.
$edit = [];
$edit['title[0][value]'] = $this->randomMachineName();
// Can't use submitForm() to set hidden fields.
$this->drupalGet('node/add/' . $type_name);
$this->getSession()
->getPage()
->find('css', 'input[name="title[0][value]"]')
->setValue($edit['title[0][value]']);
$this->getSession()
->getPage()
->find('css', 'input[name="' . $field_name . '[0][fids]"]')
->setValue($node_file->id());
$this->getSession()
->getPage()
->pressButton('Save');
$new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
$this->assertSession()
->addressEquals('node/' . $new_node->id());
// Make sure the submitted hidden file field is empty.
$new_node = \Drupal::entityTypeManager()->getStorage('node')
->loadUnchanged($new_node->id());
$this->assertTrue($new_node->get($field_name)
->isEmpty());
// Now make file_test_file_download() return everything.
\Drupal::state()->set('file_test.allow_all', TRUE);
// Delete the node.
$node->delete();
// Ensure the temporary file can still be downloaded by the owner.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(200);
// Ensure the temporary file cannot be downloaded by an anonymous user.
$this->drupalLogout();
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
// Ensure the temporary file cannot be downloaded by another user.
$account = $this->drupalCreateUser();
$this->drupalLogin($account);
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
// As an anonymous user, create a temporary file with no references and
// confirm that only the session that uploaded it may view it.
$this->drupalLogout();
user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [
"create {$type_name} content" => TRUE,
'access content' => TRUE,
]);
$test_file = $this->getTestFile('text');
$this->drupalGet('node/add/' . $type_name);
$edit = [
'files[' . $field_name . '_0]' => $file_system->realpath($test_file->getFileUri()),
];
$this->submitForm($edit, 'Upload');
/** @var \Drupal\file\FileStorageInterface $file_storage */
$file_storage = $this->container
->get('entity_type.manager')
->getStorage('file');
$files = $file_storage->loadByProperties([
'uid' => 0,
]);
$this->assertCount(1, $files, 'Loaded one anonymous file.');
$file = end($files);
$this->assertTrue($file->isTemporary(), 'File is temporary.');
$usage = $this->container
->get('file.usage')
->listUsage($file);
$this->assertEmpty($usage, 'No file usage found.');
$file_url = $file->createFileUrl(FALSE);
// Ensure the anonymous uploader has access to the temporary file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(200);
// Close the prior connection and remove the session cookie.
$this->getSession()
->reset();
// Ensure that a different anonymous user cannot access the temporary file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
// As an anonymous user, create a permanent file, then remove all
// references to the file (so that it becomes temporary again) and confirm
// that only the session that uploaded it may view it.
$test_file = $this->getTestFile('text');
$this->drupalGet('node/add/' . $type_name);
$edit = [];
$edit['title[0][value]'] = $this->randomMachineName();
$edit['files[' . $field_name . '_0]'] = $file_system->realpath($test_file->getFileUri());
$this->submitForm($edit, 'Save');
$new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
$file_id = $new_node->{$field_name}->target_id;
$file = File::load($file_id);
$this->assertTrue($file->isPermanent(), 'File is permanent.');
// Remove the reference to this file.
$new_node->{$field_name} = [];
$new_node->save();
$file = File::load($file_id);
$this->assertTrue($file->isTemporary(), 'File is temporary.');
$usage = $this->container
->get('file.usage')
->listUsage($file);
$this->assertEmpty($usage, 'No file usage found.');
$file_url = $file->createFileUrl(FALSE);
// Ensure the anonymous uploader has access to the temporary file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(200);
// Close the prior connection and remove the session cookie.
$this->getSession()
->reset();
// Ensure that a different anonymous user cannot access the temporary file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
// As an anonymous user, create a permanent file that is referenced by a
// published node and confirm that all anonymous users may view it.
$test_file = $this->getTestFile('text');
$this->drupalGet('node/add/' . $type_name);
$edit = [];
$edit['title[0][value]'] = $this->randomMachineName();
$edit['files[' . $field_name . '_0]'] = $file_system->realpath($test_file->getFileUri());
$this->submitForm($edit, 'Save');
$new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
$file = File::load($new_node->{$field_name}->target_id);
$this->assertTrue($file->isPermanent(), 'File is permanent.');
$usage = $this->container
->get('file.usage')
->listUsage($file);
$this->assertCount(1, $usage, 'File usage found.');
$file_url = $file->createFileUrl(FALSE);
// Ensure the anonymous uploader has access to the file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(200);
// Close the prior connection and remove the session cookie.
$this->getSession()
->reset();
// Ensure that a different anonymous user can access the file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(200);
// As an anonymous user, create a permanent file that is referenced by an
// unpublished node and confirm that no anonymous users may view it (even
// the session that uploaded the file) because they cannot view the
// unpublished node.
$test_file = $this->getTestFile('text');
$this->drupalGet('node/add/' . $type_name);
$edit = [];
$edit['title[0][value]'] = $this->randomMachineName();
$edit['files[' . $field_name . '_0]'] = $file_system->realpath($test_file->getFileUri());
$this->submitForm($edit, 'Save');
$new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
$new_node->setUnpublished();
$new_node->save();
$file = File::load($new_node->{$field_name}->target_id);
$this->assertTrue($file->isPermanent(), 'File is permanent.');
$usage = $this->container
->get('file.usage')
->listUsage($file);
$this->assertCount(1, $usage, 'File usage found.');
$file_url = $file->createFileUrl(FALSE);
// Ensure the anonymous uploader cannot access to the file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
// Close the prior connection and remove the session cookie.
$this->getSession()
->reset();
// Ensure that a different anonymous user cannot access the temporary file.
$this->drupalGet($file_url);
$this->assertSession()
->statusCodeEquals(403);
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.