function AccessTest::testFileAccess

Same name and namespace in other branches
  1. 11.x core/modules/file/tests/src/Kernel/AccessTest.php \Drupal\Tests\file\Kernel\AccessTest::testFileAccess()

Tests 'update' and 'delete' access to file entities.

File

core/modules/file/tests/src/Kernel/AccessTest.php, line 42

Class

AccessTest
Tests for the File access control.

Namespace

Drupal\Tests\file\Kernel

Code

/**
 * Tests 'update' and 'delete' access to file entities.
 *
 * Checks three kinds of accounts (a holder of 'delete any file', a holder of
 * 'delete own files', and an account created without permissions) against
 * files they own, files owned by another account, and a file with no owner.
 * It also pins the cacheability metadata attached to the access results.
 */
public function testFileAccess() : void {
  // Create a user so the tested users do not have the magic ID of user 1.
  // The returned account is deliberately discarded; it only consumes an ID.
  $this->createUser();
  $user_any = $this->createUser([
    'delete any file',
  ]);
  // Guard the precondition: every grant asserted below must come from the
  // permission or from ownership, not from the account being user 1.
  $this->assertGreaterThan(1, (int) $user_any->id());
  $user_own = $this->createUser([
    'delete own files',
  ]);
  // Two saved files: $file1 is owned by $user_any, $file2 by $user_own.
  // Presumably $file2 gets entity ID 2 as the second file saved, which the
  // 'file:2' cache tag assertion further down relies on — keep this order.
  $test_files = $this->getTestFiles('text');
  $file1 = File::create((array) $test_files[0]);
  $file1->set('uid', $user_any->id());
  $file1->save();
  $file2 = File::create((array) $test_files[1]);
  $file2->set('uid', $user_own->id());
  $file2->save();
  // User with "* any file" permissions should delete all files and update
  // their own. Note the asymmetry: the delete permission does not extend to
  // 'update', which is denied on the file owned by someone else ($file2).
  $this->assertTrue($file1->access('delete', $user_any));
  $this->assertTrue($file1->access('update', $user_any));
  $this->assertTrue($file2->access('delete', $user_any));
  $this->assertFalse($file2->access('update', $user_any));
  // User with "* own files" permissions should access only own files: both
  // operations are denied on $file1 and allowed on $file2.
  $this->assertFalse($file1->access('delete', $user_own));
  $this->assertFalse($file1->access('update', $user_own));
  $this->assertTrue($file2->access('delete', $user_own));
  $this->assertTrue($file2->access('update', $user_own));
  // Ensure cacheability metadata is correct. Passing TRUE as the third
  // argument yields an access result object (see the @var annotations) rather
  // than a boolean, so its cache contexts and tags can be inspected.
  // 'delete' via "any file": expected to vary by permissions only.
  /** @var \Drupal\Core\Access\AccessResult $access */
  $access = $file2->access('delete', $user_any, TRUE);
  $this->assertSame([
    'user.permissions',
  ], $access->getCacheContexts());
  $this->assertSame([], $access->getCacheTags());
  // 'delete' via "own files": expected to vary by permissions and by user,
  // and to be tagged with the file itself.
  /** @var \Drupal\Core\Access\AccessResult $access */
  $access = $file2->access('delete', $user_own, TRUE);
  $this->assertSame([
    'user.permissions',
    'user',
  ], $access->getCacheContexts());
  $this->assertSame([
    'file:2',
  ], $access->getCacheTags());
  // 'update' results: both are asserted to carry no cache contexts and no
  // cache tags, although the boolean outcomes asserted above differ per
  // account (denied for $user_any, allowed for $user_own on $file2).
  // NOTE(review): an outcome that depends on who owns the file but carries no
  // 'user' context would be wrong to reuse across accounts if it were ever
  // cached — confirm this empty metadata is intended and not just pinned.
  /** @var \Drupal\Core\Access\AccessResult $access */
  $access = $file2->access('update', $user_any, TRUE);
  $this->assertSame([], $access->getCacheContexts());
  $this->assertSame([], $access->getCacheTags());
  /** @var \Drupal\Core\Access\AccessResult $access */
  $access = $file2->access('update', $user_own, TRUE);
  $this->assertSame([], $access->getCacheContexts());
  $this->assertSame([], $access->getCacheTags());
  // User without permissions should not be able to delete files even if they
  // are the owner. Ownership alone still allows 'update'. $file3 is checked
  // without being saved.
  $user_none = $this->createUser();
  $file3 = File::create([
    'uid' => $user_none->id(),
    'filename' => 'druplicon.txt',
    'filemime' => 'text/plain',
  ]);
  $this->assertFalse($file3->access('delete', $user_none));
  $this->assertTrue($file3->access('update', $user_none));
  // Create a file with no user entity. With no 'uid' set, nobody counts as the
  // owner: the "own files" account is denied both operations, and only the
  // "any file" account may delete. 'update' is denied to both accounts.
  $file4 = File::create([
    'filename' => 'druplicon.txt',
    'filemime' => 'text/plain',
  ]);
  $this->assertFalse($file4->access('delete', $user_own));
  $this->assertFalse($file4->access('update', $user_own));
  $this->assertTrue($file4->access('delete', $user_any));
  $this->assertFalse($file4->access('update', $user_any));
}
