Add tests for entity access

I'm postponing this on #2328659: Convert all existing entity_embed tests from WebTestBase to BrowserTestBase.

Blocker is in.

Here's a basic test of embedding an unpublished node, confirming it is not rendered for the unpublished user.

It looks like unpublished nodes were already handled in EntityEmbedFilterTest::testFilter():

    // Tests that embedded entity is not rendered if not accessible.
    $this->node->setPublished(FALSE)->save();
    $settings = [];
    $settings['type'] = 'page';
    $settings['title'] = 'Test un-accessible entity embed with entity-id and view-mode';
    $settings['body'] = [['value' => $content, 'format' => 'custom_format']];
    $node = $this->drupalCreateNode($settings);
    $this->drupalGet('node/' . $node->id());
    $this->assertNoRaw('<drupal-entity data-entity-type="node" data-entity');
    $this->assertNoText($this->node->body->value, 'Embedded node does not exist in the page.');
    $this->assertNoText(strip_tags($content), 'Placeholder does not appear in the output when embed is successful.');
    // Tests that embedded entity is displayed to the user who has the view
    // unpublished content permission.
    $this->createRole(['view own unpublished content'], 'access_unpublished');
    $this->webUser->addRole('access_unpublished');
    $this->webUser->save();
    $this->drupalGet('node/' . $node->id());
    $this->assertNoRaw('<drupal-entity data-entity-type="node" data-entity');
    $this->assertText($this->node->body->value, 'Embedded node exists in the page.');
    $this->assertNoText(strip_tags($content), 'Placeholder does not appear in the output when embed is successful.');
    $this->assertRaw('<article class="embedded-entity">', 'Embed container found.');
    $this->webUser->removeRole('access_unpublished');
    $this->webUser->save();
    $this->node->setPublished(TRUE)->save();

I think maybe testFilter could be broken up, otherwise, I think patch #6 is redundant to code starting on line 46.

Also patch doesn't handle "private file". I'm not sure what a private file is. When you serve files from the private file system. What would testing instructions be for that? What's a use case where you'd be embedding files from outside the web root?

#7++ — great point!

#8:

What's a use case where you'd be embedding files from outside the web root?

Perhaps not realistic, but the whole point of this issue is that we ensure edge cases are not disclosing information inappropriately. an article where there's sneak previews for paying members?

Working on adding test coverage added for private files. Borrowing some code from \Drupal\Tests\editor\Functional\EditorPrivateFileReferenceFilterTest::testEditorPrivateFileReferenceFilter(). Patch tomorrow; it's late here.

I banged my head against the wall for hours wrt private files. Turns out I've been foiled by code I've written myself over 5 years ago in #1932652: Add image uploading to WYSIWYGs through editor.module. Turns out that you don't need to enable the \Drupal\editor\Plugin\Filter\EditorFileReference filter to have it start tracking usage; editor_entity_insert() will automatically scan all entities' text fields and track their usage, with since #2744197: Proper private file support for images uploaded via EditorImageDialog the editor_file_download() hook implementation granting access to private files if they're tracked by the Text Editor module and the referencing entity is accessible.

So … creating Entity Embed private file test coverage is actually pretty pointless. It'd just be duplicating test coverage of \Drupal\Tests\cdn\Kernel\EditorFileReferenceFilterTest.

Thanks A LOT to @phenaproxima to help find the root cause of this! He agreed with this assessment.