node_access_test.module

<?php

/**
 * @file
 * Test module for testing the node access system.
 *
 * This module's functionality depends on the following state variables:
 * - node_access_test.no_access_uid: Used in NodeQueryAlterTest to enable the
 *   node_access_all grant realm.
 * - node_access_test.private: When TRUE, the module controls access for nodes
 *   with a 'private' property set, and inherits the default core access for
 *   nodes without this flag. When FALSE, the module controls access for all
 *   nodes.
 * - node_access_test_secret_catalan: When set to TRUE and using the Catalan
 *   'ca' language code, makes all Catalan content secret.
 *
 * @see node_access_test_node_grants()
 * @see \Drupal\node\Tests\NodeQueryAlterTest
 * @see \Drupal\node\Tests\NodeAccessBaseTableTest
 */
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\field\Entity\FieldStorageConfig;
use Drupal\field\Entity\FieldConfig;
use Drupal\node\NodeTypeInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_grants().
 *
 * Provides three grant realms:
 * - node_access_test_author: Grants users view, update, and delete privileges
 *   on nodes they have authored. Users receive a group ID matching their user
 *   ID on this realm.
 * - node_access_test: Grants users view privileges when they have the
 *   'node test view' permission. Users with this permission receive two group
 *   IDs for the realm, 8888 and 8889. Access for both realms is identical;
 *   the second group is added so that the interaction of multiple groups on
 *   a given grant realm can be tested in NodeAccessPagerTest.
 * - node_access_all: Provides grants for the user whose user ID matches the
 *   'node_access_test.no_access_uid' state variable. Access control on this
 *   realm is not provided in this module; instead,
 *   NodeQueryAlterTest::testNodeQueryAlterOverride() manually writes a node
 *   access record defining the access control for this realm.
 *
 * @see \Drupal\node\Tests\NodeQueryAlterTest::testNodeQueryAlterOverride()
 * @see \Drupal\node\Tests\NodeAccessPagerTest
 * @see node_access_test.permissions.yml
 * @see node_access_test_node_access_records()
 */
function node_access_test_node_grants($account, $operation) {
  $grants = [];
  $grants['node_access_test_author'] = [
    $account
      ->id(),
  ];
  if ($operation == 'view' && $account
    ->hasPermission('node test view')) {
    $grants['node_access_test'] = [
      8888,
      8889,
    ];
  }
  $no_access_uid = \Drupal::state()
    ->get('node_access_test.no_access_uid', 0);
  if ($operation == 'view' && $account
    ->id() == $no_access_uid) {
    $grants['node_access_all'] = [
      0,
    ];
  }
  return $grants;
}

/**
 * Implements hook_node_access_records().
 *
 * By default, records are written for all nodes. When the
 * 'node_access_test.private' state variable is set to TRUE, records
 * are only written for nodes with a "private" property set, which causes the
 * Node module to write the default global view grant for nodes that are not
 * marked private.
 *
 * @see \Drupal\node\Tests\NodeAccessBaseTableTest::setUp()
 * @see node_access_test_node_grants()
 * @see node_access_test.permissions.yml
 */
function node_access_test_node_access_records(NodeInterface $node) {
  $grants = [];

  // For NodeAccessBaseTableTestCase, only set records for private nodes.
  if (!\Drupal::state()
    ->get('node_access_test.private') || isset($node->private) && $node->private->value) {

    // Groups 8888 and 8889 for the node_access_test realm both receive a view
    // grant for all controlled nodes. See node_access_test_node_grants().
    $grants[] = [
      'realm' => 'node_access_test',
      'gid' => 8888,
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    ];
    $grants[] = [
      'realm' => 'node_access_test',
      'gid' => 8889,
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    ];

    // For the author realm, the group ID is equivalent to a user ID, which
    // means there are many groups of just 1 user.
    $grants[] = [
      'realm' => 'node_access_test_author',
      'gid' => $node
        ->getOwnerId(),
      'grant_view' => 1,
      'grant_update' => 1,
      'grant_delete' => 1,
      'priority' => 0,
    ];
  }
  return $grants;
}

/**
 * Adds the private field to a node type.
 *
 * @param \Drupal\node\NodeTypeInterface $type
 *   A node type entity.
 */
function node_access_test_add_field(NodeTypeInterface $type) {
  $field_storage = FieldStorageConfig::create([
    'field_name' => 'private',
    'entity_type' => 'node',
    'type' => 'integer',
  ]);
  $field_storage
    ->save();
  $field = FieldConfig::create([
    'field_name' => 'private',
    'entity_type' => 'node',
    'bundle' => $type
      ->id(),
    'label' => 'Private',
  ]);
  $field
    ->save();

  // Assign widget settings for the 'default' form mode.
  \Drupal::service('entity_display.repository')
    ->getFormDisplay('node', $type
    ->id())
    ->setComponent('private', [
    'type' => 'number',
  ])
    ->save();
}

/**
 * Implements hook_ENTITY_TYPE_access().
 */
function node_access_test_node_access(NodeInterface $node, $operation, AccountInterface $account) {
  $secret_catalan = \Drupal::state()
    ->get('node_access_test_secret_catalan') ?: 0;
  if ($secret_catalan && $node
    ->language()
    ->getId() == 'ca') {

    // Make all Catalan content secret.
    return AccessResult::forbidden()
      ->setCacheMaxAge(0);
  }

  // Grant access if a specific user is specified.
  if (\Drupal::state()
    ->get('node_access_test.allow_uid') === $account
    ->id()) {
    return AccessResult::allowed();
  }

  // No opinion.
  return AccessResult::neutral()
    ->setCacheMaxAge(0);
}