3 namespace Drupal\Tests\file\Functional;
5 use Drupal\Core\Entity\Plugin\Validation\Constraint\ReferenceAccessConstraint;
6 use Drupal\Component\Render\FormattableMarkup;
7 use Drupal\file\Entity\File;
8 use Drupal\node\Entity\NodeType;
9 use Drupal\user\RoleInterface;
12 * Uploads a test to a private node and checks access.
16 class FilePrivateTest extends FileFieldTestBase {
23 public static $modules = ['node_access_test', 'field_test'];
25 protected function setUp() {
27 node_access_test_add_field(NodeType::load('article'));
28 node_access_rebuild();
29 \Drupal::state()->set('node_access_test.private', TRUE);
30 // This test expects unused managed files to be marked as a temporary file.
31 $this->config('file.settings')
32 ->set('make_unused_managed_files_temporary', TRUE)
37 * Tests file access for file uploaded to a private node.
39 public function testPrivateFile() {
40 $node_storage = $this->container->get('entity.manager')->getStorage('node');
41 /** @var \Drupal\Core\File\FileSystemInterface $file_system */
42 $file_system = \Drupal::service('file_system');
43 $type_name = 'article';
44 $field_name = strtolower($this->randomMachineName());
45 $this->createFileField($field_name, 'node', $type_name, ['uri_scheme' => 'private']);
47 $test_file = $this->getTestFile('text');
48 $nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, ['private' => TRUE]);
49 \Drupal::entityManager()->getStorage('node')->resetCache([$nid]);
50 /* @var \Drupal\node\NodeInterface $node */
51 $node = $node_storage->load($nid);
52 $node_file = File::load($node->{$field_name}->target_id);
53 // Ensure the file can be viewed.
54 $this->drupalGet('node/' . $node->id());
55 $this->assertRaw($node_file->getFilename(), 'File reference is displayed after attaching it');
56 // Ensure the file can be downloaded.
57 $this->drupalGet(file_create_url($node_file->getFileUri()));
58 $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
59 $this->drupalLogOut();
60 $this->drupalGet(file_create_url($node_file->getFileUri()));
61 $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
63 // Create a field with no view access. See
64 // field_test_entity_field_access().
65 $no_access_field_name = 'field_no_view_access';
66 $this->createFileField($no_access_field_name, 'node', $type_name, ['uri_scheme' => 'private']);
67 // Test with the field that should deny access through field access.
68 $this->drupalLogin($this->adminUser);
69 $nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, ['private' => TRUE]);
70 \Drupal::entityManager()->getStorage('node')->resetCache([$nid]);
71 $node = $node_storage->load($nid);
72 $node_file = File::load($node->{$no_access_field_name}->target_id);
74 // Ensure the file cannot be downloaded.
75 $file_url = file_create_url($node_file->getFileUri());
76 $this->drupalGet($file_url);
77 $this->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission.');
79 // Attempt to reuse the file when editing a node.
81 $edit['title[0][value]'] = $this->randomMachineName();
82 $this->drupalPostForm('node/add/' . $type_name, $edit, t('Save'));
83 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
85 // Can't use drupalPostForm() to set hidden fields.
86 $this->drupalGet('node/' . $new_node->id() . '/edit');
87 $this->getSession()->getPage()->find('css', 'input[name="' . $field_name . '[0][fids]"]')->setValue($node_file->id());
88 $this->getSession()->getPage()->pressButton(t('Save'));
89 // Make sure the form submit failed - we stayed on the edit form.
90 $this->assertUrl('node/' . $new_node->id() . '/edit');
91 // Check that we got the expected constraint form error.
92 $constraint = new ReferenceAccessConstraint();
93 $this->assertRaw(new FormattableMarkup($constraint->message, ['%type' => 'file', '%id' => $node_file->id()]));
94 // Attempt to reuse the existing file when creating a new node, and confirm
95 // that access is still denied.
97 $edit['title[0][value]'] = $this->randomMachineName();
98 // Can't use drupalPostForm() to set hidden fields.
99 $this->drupalGet('node/add/' . $type_name);
100 $this->getSession()->getPage()->find('css', 'input[name="title[0][value]"]')->setValue($edit['title[0][value]']);
101 $this->getSession()->getPage()->find('css', 'input[name="' . $field_name . '[0][fids]"]')->setValue($node_file->id());
102 $this->getSession()->getPage()->pressButton(t('Save'));
103 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
104 $this->assertTrue(empty($new_node), 'Node was not created.');
105 $this->assertUrl('node/add/' . $type_name);
106 $this->assertRaw(new FormattableMarkup($constraint->message, ['%type' => 'file', '%id' => $node_file->id()]));
108 // Now make file_test_file_download() return everything.
109 \Drupal::state()->set('file_test.allow_all', TRUE);
112 // Ensure the file can still be downloaded by the owner.
113 $this->drupalGet($file_url);
114 $this->assertResponse(200, 'Confirmed that the owner still has access to the temporary file.');
116 // Ensure the file cannot be downloaded by an anonymous user.
117 $this->drupalLogout();
118 $this->drupalGet($file_url);
119 $this->assertResponse(403, 'Confirmed that access is denied for an anonymous user to the temporary file.');
121 // Ensure the file cannot be downloaded by another user.
122 $account = $this->drupalCreateUser();
123 $this->drupalLogin($account);
124 $this->drupalGet($file_url);
125 $this->assertResponse(403, 'Confirmed that access is denied for another user to the temporary file.');
127 // As an anonymous user, create a temporary file with no references and
128 // confirm that only the session that uploaded it may view it.
129 $this->drupalLogout();
130 user_role_change_permissions(
131 RoleInterface::ANONYMOUS_ID,
133 "create $type_name content" => TRUE,
134 'access content' => TRUE,
137 $test_file = $this->getTestFile('text');
138 $this->drupalGet('node/add/' . $type_name);
139 $edit = ['files[' . $field_name . '_0]' => $file_system->realpath($test_file->getFileUri())];
140 $this->drupalPostForm(NULL, $edit, t('Upload'));
141 /** @var \Drupal\file\FileStorageInterface $file_storage */
142 $file_storage = $this->container->get('entity.manager')->getStorage('file');
143 $files = $file_storage->loadByProperties(['uid' => 0]);
144 $this->assertEqual(1, count($files), 'Loaded one anonymous file.');
146 $this->assertTrue($file->isTemporary(), 'File is temporary.');
147 $usage = $this->container->get('file.usage')->listUsage($file);
148 $this->assertFalse($usage, 'No file usage found.');
149 $file_url = file_create_url($file->getFileUri());
150 $this->drupalGet($file_url);
151 $this->assertResponse(200, 'Confirmed that the anonymous uploader has access to the temporary file.');
152 // Close the prior connection and remove the session cookie.
153 $this->getSession()->reset();
154 $this->drupalGet($file_url);
155 $this->assertResponse(403, 'Confirmed that another anonymous user cannot access the temporary file.');
157 // As an anonymous user, create a permanent file, then remove all
158 // references to the file (so that it becomes temporary again) and confirm
159 // that only the session that uploaded it may view it.
160 $test_file = $this->getTestFile('text');
161 $this->drupalGet('node/add/' . $type_name);
163 $edit['title[0][value]'] = $this->randomMachineName();
164 $edit['files[' . $field_name . '_0]'] = $file_system->realpath($test_file->getFileUri());
165 $this->drupalPostForm(NULL, $edit, t('Save'));
166 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
167 $file_id = $new_node->{$field_name}->target_id;
168 $file = File::load($file_id);
169 $this->assertTrue($file->isPermanent(), 'File is permanent.');
170 // Remove the reference to this file.
171 $new_node->{$field_name} = [];
173 $file = File::load($file_id);
174 $this->assertTrue($file->isTemporary(), 'File is temporary.');
175 $usage = $this->container->get('file.usage')->listUsage($file);
176 $this->assertFalse($usage, 'No file usage found.');
177 $file_url = file_create_url($file->getFileUri());
178 $this->drupalGet($file_url);
179 $this->assertResponse(200, 'Confirmed that the anonymous uploader has access to the file whose references were removed.');
180 // Close the prior connection and remove the session cookie.
181 $this->getSession()->reset();
182 $this->drupalGet($file_url);
183 $this->assertResponse(403, 'Confirmed that another anonymous user cannot access the file whose references were removed.');
185 // As an anonymous user, create a permanent file that is referenced by a
186 // published node and confirm that all anonymous users may view it.
187 $test_file = $this->getTestFile('text');
188 $this->drupalGet('node/add/' . $type_name);
190 $edit['title[0][value]'] = $this->randomMachineName();
191 $edit['files[' . $field_name . '_0]'] = $file_system->realpath($test_file->getFileUri());
192 $this->drupalPostForm(NULL, $edit, t('Save'));
193 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
194 $file = File::load($new_node->{$field_name}->target_id);
195 $this->assertTrue($file->isPermanent(), 'File is permanent.');
196 $usage = $this->container->get('file.usage')->listUsage($file);
197 $this->assertTrue($usage, 'File usage found.');
198 $file_url = file_create_url($file->getFileUri());
199 $this->drupalGet($file_url);
200 $this->assertResponse(200, 'Confirmed that the anonymous uploader has access to the permanent file that is referenced by a published node.');
201 // Close the prior connection and remove the session cookie.
202 $this->getSession()->reset();
203 $this->drupalGet($file_url);
204 $this->assertResponse(200, 'Confirmed that another anonymous user also has access to the permanent file that is referenced by a published node.');
206 // As an anonymous user, create a permanent file that is referenced by an
207 // unpublished node and confirm that no anonymous users may view it (even
208 // the session that uploaded the file) because they cannot view the
210 $test_file = $this->getTestFile('text');
211 $this->drupalGet('node/add/' . $type_name);
213 $edit['title[0][value]'] = $this->randomMachineName();
214 $edit['files[' . $field_name . '_0]'] = $file_system->realpath($test_file->getFileUri());
215 $this->drupalPostForm(NULL, $edit, t('Save'));
216 $new_node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
217 $new_node->setUnpublished();
219 $file = File::load($new_node->{$field_name}->target_id);
220 $this->assertTrue($file->isPermanent(), 'File is permanent.');
221 $usage = $this->container->get('file.usage')->listUsage($file);
222 $this->assertTrue($usage, 'File usage found.');
223 $file_url = file_create_url($file->getFileUri());
224 $this->drupalGet($file_url);
225 $this->assertResponse(403, 'Confirmed that the anonymous uploader cannot access the permanent file when it is referenced by an unpublished node.');
226 // Close the prior connection and remove the session cookie.
227 $this->getSession()->reset();
228 $this->drupalGet($file_url);
229 $this->assertResponse(403, 'Confirmed that another anonymous user cannot access the permanent file when it is referenced by an unpublished node.');