From aa9bdef2d9c1341078771d4e4f6ff4d695032a56 Mon Sep 17 00:00:00 2001 From: amontero Date: Fri, 19 Jul 2013 17:41:04 +0200 Subject: [PATCH] "Administer Users" permission should be separate from "User Settings" --- .../Drupal/contact/Tests/ContactPersonalTest.php | 2 +- .../Drupal/contact/Tests/ContactSitewideTest.php | 1 + .../lib/Drupal/field_ui/Tests/FieldUiTestBase.php | 2 +- .../Upgrade/UserPermissionUpgradePathTest.php | 64 ++++++++++++++++++++ .../upgrade/drupal-7.user_permission.database.php | 60 ++++++++++++++++++ .../user/lib/Drupal/user/Tests/UserAdminTest.php | 2 +- .../lib/Drupal/user/Tests/UserPermissionsTest.php | 2 +- core/modules/user/user.install | 29 +++++++-- core/modules/user/user.module | 9 ++- core/modules/user/user.routing.yml | 2 +- 10 files changed, 163 insertions(+), 10 deletions(-) create mode 100644 core/modules/system/lib/Drupal/system/Tests/Upgrade/UserPermissionUpgradePathTest.php create mode 100644 core/modules/system/tests/upgrade/drupal-7.user_permission.database.php diff --git a/core/modules/contact/lib/Drupal/contact/Tests/ContactPersonalTest.php b/core/modules/contact/lib/Drupal/contact/Tests/ContactPersonalTest.php index 61f1fb9..e9badf3 100644 --- a/core/modules/contact/lib/Drupal/contact/Tests/ContactPersonalTest.php +++ b/core/modules/contact/lib/Drupal/contact/Tests/ContactPersonalTest.php @@ -54,7 +54,7 @@ function setUp() { parent::setUp(); // Create an admin user. - $this->admin_user = $this->drupalCreateUser(array('administer contact forms', 'administer users')); + $this->admin_user = $this->drupalCreateUser(array('administer contact forms', 'administer users', 'administer account settings')); // Create some normal users with their contact forms enabled by default. config('contact.settings')->set('user_default_enabled', 1)->save(); diff --git a/core/modules/contact/lib/Drupal/contact/Tests/ContactSitewideTest.php b/core/modules/contact/lib/Drupal/contact/Tests/ContactSitewideTest.php index 42f4423..132476c 100644 --- a/core/modules/contact/lib/Drupal/contact/Tests/ContactSitewideTest.php +++ b/core/modules/contact/lib/Drupal/contact/Tests/ContactSitewideTest.php @@ -39,6 +39,7 @@ function testSiteWideContact() { 'access site-wide contact form', 'administer contact forms', 'administer users', + 'administer account settings', 'administer contact_message fields', )); $this->drupalLogin($admin_user); diff --git a/core/modules/field_ui/lib/Drupal/field_ui/Tests/FieldUiTestBase.php b/core/modules/field_ui/lib/Drupal/field_ui/Tests/FieldUiTestBase.php index c836023..8d397f1 100644 --- a/core/modules/field_ui/lib/Drupal/field_ui/Tests/FieldUiTestBase.php +++ b/core/modules/field_ui/lib/Drupal/field_ui/Tests/FieldUiTestBase.php @@ -26,7 +26,7 @@ function setUp() { parent::setUp(); // Create test user. - $admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer node fields', 'administer node form display', 'administer node display', 'administer taxonomy', 'administer taxonomy_term fields', 'administer taxonomy_term display', 'administer users', 'administer user display', 'bypass node access')); + $admin_user = $this->drupalCreateUser(array('access content', 'administer content types', 'administer node fields', 'administer node form display', 'administer node display', 'administer taxonomy', 'administer taxonomy_term fields', 'administer taxonomy_term display', 'administer users', 'administer account settings', 'administer user display', 'bypass node access')); $this->drupalLogin($admin_user); // Create content type, with underscores. diff --git a/core/modules/system/lib/Drupal/system/Tests/Upgrade/UserPermissionUpgradePathTest.php b/core/modules/system/lib/Drupal/system/Tests/Upgrade/UserPermissionUpgradePathTest.php new file mode 100644 index 0000000..ecb8b3a --- /dev/null +++ b/core/modules/system/lib/Drupal/system/Tests/Upgrade/UserPermissionUpgradePathTest.php @@ -0,0 +1,64 @@ + 'User permission upgrade test', + 'description' => 'Upgrade tests for user permissions.', + 'group' => 'Upgrade path', + ); + } + + public function setUp() { + $this->databaseDumpFiles = array( + drupal_get_path('module', 'system') . '/tests/upgrade/drupal-7.bare.standard_all.database.php.gz', + drupal_get_path('module', 'system') . '/tests/upgrade/drupal-7.user_permission.database.php', + ); + parent::setUp(); + } + + /** + * Tests user-related permissions after a successful upgrade. + */ + public function testUserPermissionUpgrade() { + $this->assertTrue($this->performUpgrade(), 'The upgrade was completed successfully.'); + + $this->drupalGet(''); + $this->assertResponse(200); + + // Verify that we are still logged in. + $this->drupalGet('user'); + $this->clickLink(t('Edit')); + $this->assertEqual($this->getUrl(), url('user/1/edit', array('absolute' => TRUE)), 'We are still logged in as admin at the end of the upgrade.'); + + // Login as another 'administrator' role user whose uid != 1 + $this->drupalLogout(); + $user = new UserSession(array( + 'uid' => 2, + 'name' => 'user1', + 'pass_raw' => 'user1', + )); + $this->drupalLogin($user); + + // Check that user with permission 'administer users' also gets + // 'administer account settings' access. + $this->drupalGet('admin/config/people/accounts'); + $this->assertResponse(200, '"Administer account settings" page was found.'); + } + +} diff --git a/core/modules/system/tests/upgrade/drupal-7.user_permission.database.php b/core/modules/system/tests/upgrade/drupal-7.user_permission.database.php new file mode 100644 index 0000000..dc6cd5a --- /dev/null +++ b/core/modules/system/tests/upgrade/drupal-7.user_permission.database.php @@ -0,0 +1,60 @@ +fields(array( + 'uid', + 'rid', +)) +->values(array( + 'uid' => '2', + 'rid' => '3', +)) +->execute(); + +db_insert('users')->fields(array( + 'uid', + 'name', + 'pass', + 'mail', + 'theme', + 'signature', + 'signature_format', + 'created', + 'access', + 'login', + 'status', + 'timezone', + 'language', + 'picture', + 'init', + 'data', +)) +->values(array( + 'uid' => '2', + 'name' => 'user1', + 'pass' => '$S$D9JgycE33DawX/9Iv2SfAjkQEi5alDZhxycfan6dDkUKf9lH0Nfo', + 'mail' => 'user1@example.com', + 'theme' => '', + 'signature' => '', + 'signature_format' => NULL, + 'created' => '1376147347', + 'access' => '0', + 'login' => '0', + 'status' => '1', + 'timezone' => 'Europe/Berlin', + 'language' => '', + 'picture' => '0', + 'init' => 'user1@example.com', + 'data' => NULL, +)) +->execute(); diff --git a/core/modules/user/lib/Drupal/user/Tests/UserAdminTest.php b/core/modules/user/lib/Drupal/user/Tests/UserAdminTest.php index 1dd89b2..69384b5 100644 --- a/core/modules/user/lib/Drupal/user/Tests/UserAdminTest.php +++ b/core/modules/user/lib/Drupal/user/Tests/UserAdminTest.php @@ -120,7 +120,7 @@ function testUserAdmin() { */ function testNotificationEmailAddress() { // Test that the Notification E-mail address field is on the config page. - $admin_user = $this->drupalCreateUser(array('administer users')); + $admin_user = $this->drupalCreateUser(array('administer users', 'administer account settings')); $this->drupalLogin($admin_user); $this->drupalGet('admin/config/people/accounts'); $this->assertRaw('id="edit-mail-notification-address"', 'Notification E-mail address field exists'); diff --git a/core/modules/user/lib/Drupal/user/Tests/UserPermissionsTest.php b/core/modules/user/lib/Drupal/user/Tests/UserPermissionsTest.php index e2e97a1..a336372 100644 --- a/core/modules/user/lib/Drupal/user/Tests/UserPermissionsTest.php +++ b/core/modules/user/lib/Drupal/user/Tests/UserPermissionsTest.php @@ -25,7 +25,7 @@ public static function getInfo() { function setUp() { parent::setUp(); - $this->admin_user = $this->drupalCreateUser(array('administer permissions', 'access user profiles', 'administer site configuration', 'administer modules', 'administer users')); + $this->admin_user = $this->drupalCreateUser(array('administer permissions', 'access user profiles', 'administer site configuration', 'administer modules', 'administer account settings')); // Find the new role ID. $all_rids = $this->admin_user->getRoles(); diff --git a/core/modules/user/user.install b/core/modules/user/user.install index 62eb4a9..53e56ae 100644 --- a/core/modules/user/user.install +++ b/core/modules/user/user.install @@ -1013,11 +1013,32 @@ function user_update_8016() { } /** + * Grant "administer account settings" to roles with "administer users." + */ +function user_update_8017() { + $rids = array(); + $rids = db_query("SELECT rid FROM {role_permission} WHERE permission = :perm", array(':perm' => 'administer users'))->fetchCol(); + // None found. + if (empty($rids)) { + return; + } + $insert = db_insert('role_permission')->fields(array('rid', 'permission', 'module')); + foreach ($rids as $rid) { + $insert->values(array( + 'rid' => $rid, + 'permission' => 'administer account settings', + 'module' => 'user' + )); + } + $insert->execute(); +} + +/** * Migrate user roles into configuration. * * @ingroup config_upgrade */ -function user_update_8017() { +function user_update_8018() { $uuid = new Uuid(); $roles = db_select('role', 'r') @@ -1039,7 +1060,7 @@ function user_update_8017() { /** * Use the maximum allowed module name length in module name database fields. */ -function user_update_8018() { +function user_update_8019() { if (db_field_exists('role_permission', 'module')) { $spec = array( 'type' => 'varchar', @@ -1096,7 +1117,7 @@ function _user_update_map_rid($rid) { * * @ingroup config_upgrade */ -function user_update_8019() { +function user_update_8020() { $db_permissions = db_select('role_permission', 'p') ->fields('p') ->execute() @@ -1118,7 +1139,7 @@ function user_update_8019() { /** * Create the 'register' form mode. */ -function user_update_8020() { +function user_update_8021() { $uuid = new Uuid(); config("entity.form_mode.user.register") diff --git a/core/modules/user/user.module b/core/modules/user/user.module index 0a8d4ab..85d5fd5 100644 --- a/core/modules/user/user.module +++ b/core/modules/user/user.module @@ -479,6 +479,13 @@ function user_permission() { 'title' => t('Administer permissions'), 'restrict access' => TRUE, ), + 'administer account settings' => array( + 'title' => t('Administer account settings'), + 'description' => user_access('administer account settings') + ? t('Configure site-wide settings and behavior for user accounts and registration.', array('@url' => url('admin/config/people'))) + : t('Configure site-wide settings and behavior for user accounts and registration.'), + 'restrict access' => TRUE, + ), 'administer users' => array( 'title' => t('Administer users'), 'restrict access' => TRUE, @@ -898,7 +905,7 @@ function user_menu() { 'position' => 'left', 'weight' => -20, 'page callback' => 'system_admin_menu_block_page', - 'access arguments' => array('access administration pages'), + 'access arguments' => array('administer account settings'), 'file' => 'system.admin.inc', 'file path' => drupal_get_path('module', 'system'), ); diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml index 90570ea..901d57b 100644 --- a/core/modules/user/user.routing.yml +++ b/core/modules/user/user.routing.yml @@ -31,7 +31,7 @@ user_account_settings: defaults: _form: '\Drupal\user\AccountSettingsForm' requirements: - _permission: 'administer users' + _permission: 'administer account settings' user_admin_create: pattern: '/admin/people/create' -- 1.7.9.5