diff --git a/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php b/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php new file mode 100644 index 0000000..5aa2800 --- /dev/null +++ b/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php @@ -0,0 +1,48 @@ +getRequirements()); + } + + + /** + * {@inheritdoc} + */ + public function access(Route $route, Request $request) { + // Requirements just allow strings, so this might be a comma separated list. + $rid_string = $route->getRequirement('_role'); + $rids = array_map('trim', explode(',', $rid_string)); + // @todo Replace the role check with a correctly injected and session-using + // alternative. + $account = $GLOBALS['user']; + + $diff = array_diff(array_filter($rids), array_keys($account->roles)); + if (empty($diff)) { + return TRUE; + } + // If there is no allowed role, return NULL to give other checks a chance. + else { + return NULL; + } + } + +} diff --git a/core/modules/user/user.services.yml b/core/modules/user/user.services.yml index e8c5e52..77f93e2 100644 --- a/core/modules/user/user.services.yml +++ b/core/modules/user/user.services.yml @@ -7,6 +7,10 @@ services: class: Drupal\user\Access\RegisterAccessCheck tags: - { name: access_check } + access_check.user.role: + class: Drupal\user\Access\RoleAccessCheck + tags: + - { name: access_check } user.data: class: Drupal\user\UserData arguments: ['@database'] diff --git a/core/tests/Drupal/Tests/Core/Route/RouterRoleTest.php b/core/tests/Drupal/Tests/Core/Route/RouterRoleTest.php new file mode 100644 index 0000000..b593a1b --- /dev/null +++ b/core/tests/Drupal/Tests/Core/Route/RouterRoleTest.php @@ -0,0 +1,177 @@ + 'Router Role tests', + 'description' => 'Test for the role based access checker in the routing system.', + 'group' => 'Routing', + ); + } + + /** + * Generates the test route collection. + * + * @return \Symfony\Component\Routing\RouteCollection + * Returns the test route collection. + */ + protected function getTestRouteCollection() { + $route_collection = new RouteCollection(); + $route_collection->add('role_test_1', new Route('/role_test_1', + array( + '_controller' => '\Drupal\router_test\TestControllers::test1', + ), + array( + '_role' => 'role_test_1', + ) + )); + $route_collection->add('role_test_2', new Route('/role_test_2', + array( + '_controller' => '\Drupal\router_test\TestControllers::test1', + ), + array( + '_role' => 'role_test_2', + ) + )); + $route_collection->add('role_test_3', new Route('/role_test_3', + array( + '_controller' => '\Drupal\router_test\TestControllers::test1', + ), + array( + '_role' => 'role_test_1, role_test_2', + ) + )); + + return $route_collection; + } + + /** + * Provides data for the role access test. + * + * @see \Drupal\Tests\Core\Route\RouterRoleTest::testRoleAccess + */ + public function roleAccessProvider() { + // Setup two different roles used in the test. + $rid_1 = 'role_test_1'; + $rid_2 = 'role_test_2'; + + // Setup one user with the first role, one with the second, one with both + // and one final without any of these two roles. + $this->accounts = array(); + + $account_1 = new User(array('uid' => 1), 'user'); + $account_1->roles[$rid_1] = $rid_1; + $this->accounts[] = $account_1; + + $account_2 = new User(array('uid' => 2), 'user'); + $account_2->roles[$rid_2] = $rid_2; + $this->accounts[] = $account_2; + + $account_12 = new User(array('uid' => 3), 'user'); + $account_12->roles[$rid_1] = $rid_1; + $account_12->roles[$rid_2] = $rid_2; + $this->accounts[] = $account_12; + + $account_none = new User(array('uid' => 4), 'user'); + $this->accounts[] = $account_none; + + // Setup expected values; specify which paths can be accessed by which user. + return array( + array('role_test_1', array($account_1, $account_12)), + array('role_test_2', array($account_2, $account_12)), + array('role_test_3', array($account_12)), + ); + } + + /** + * Returns accounts filtered by the passed in accounts. + * + * @param array $grant_users + * A list of users which should not be part of the result list. + * + * @return array + * All users which are not granted. + */ + protected function accountsToDeny($grant_users) { + return array_filter($this->accounts, function($account) use ($grant_users) { + foreach ($grant_users as $grant_user) { + if ($account == $grant_user) { + return FALSE; + } + } + return TRUE; + }); + } + + /** + * Tests role requirements on routes. + * + * @param string $path + * The path to check access for. + * @param array $grant_accounts + * A list of accounts which should have access to the given path. + * + * @see \Drupal\Tests\Core\Route\RouterRoleTest::getTestRouteCollection + * @see \Drupal\Tests\Core\Route\RouterRoleTest::roleAccessProvider + * + * @dataProvider roleAccessProvider + */ + public function testRoleAccess($path, $grant_accounts) { + $role_access_check = new RoleAccessCheck(); + $collection = $this->getTestRouteCollection(); + + foreach ($grant_accounts as $account) { + // @todo Replace the global user with a properly injection session. + $GLOBALS['user'] = $account; + + $subrequest = Request::create($path, 'GET'); + $message = sprintf('Access granted for user with the roles %s on path: %s', implode(', ', $account->roles), $path); + $this->assertTrue($role_access_check->access($collection->get($path), $subrequest), $message); + } + + // Check all users which don't have access. + foreach ($this->accountsToDeny($grant_accounts) as $account) { + $GLOBALS['user'] = $account; + + $subrequest = Request::create($path, 'GET'); + $message = sprintf('Access denied for user %s with the roles %s on path: %s', $account->id(), implode(', ', $account->roles), $path); + $has_access = $role_access_check->access($collection->get($path), $subrequest); + $this->assertEmpty($has_access , $message); + } + } + +}