diff --git a/core/modules/node/node.module b/core/modules/node/node.module index 5ee9062..878a574 100644 --- a/core/modules/node/node.module +++ b/core/modules/node/node.module @@ -1916,12 +1916,12 @@ function theme_node_search_admin($variables) { */ function _node_revision_access($node, $op = 'view') { $access = &drupal_static(__FUNCTION__, array()); - if (!isset($access[$node->vid])) { + if (!isset($access[$node->vid]) || !isset($access[$node->vid][$op])) { // To save additional calls to the database, return early if the user // doesn't have the required permissions. $map = array('view' => 'view revisions', 'update' => 'revert revisions', 'delete' => 'delete revisions'); if (isset($map[$op]) && (!user_access($map[$op]) && !user_access('administer nodes'))) { - $access[$node->vid] = FALSE; + $access[$node->vid][$op] = FALSE; return FALSE; } @@ -1934,18 +1934,18 @@ function _node_revision_access($node, $op = 'view') { // Also, if you try to revert to or delete the current revision, that's // not good. if ($is_current_revision && (db_query('SELECT COUNT(vid) FROM {node_revision} WHERE nid = :nid', array(':nid' => $node->nid))->fetchField() == 1 || $op == 'update' || $op == 'delete')) { - $access[$node->vid] = FALSE; + $access[$node->vid][$op] = FALSE; } elseif (user_access('administer nodes')) { - $access[$node->vid] = TRUE; + $access[$node->vid][$op] = TRUE; } else { // First check the access to the current revision and finally, if the // node passed in is not the current revision then access to that, too. - $access[$node->vid] = node_access($op, $node_current_revision) && ($is_current_revision || node_access($op, $node)); + $access[$node->vid][$op] = node_access($op, $node_current_revision) && ($is_current_revision || node_access($op, $node)); } } - return $access[$node->vid]; + return $access[$node->vid][$op]; } /** diff --git a/core/modules/node/node.test b/core/modules/node/node.test index 02001c7..93a4d97 100644 --- a/core/modules/node/node.test +++ b/core/modules/node/node.test @@ -262,6 +262,87 @@ class NodeRevisionsTestCase extends DrupalWebTestCase { } } +/** + * Tests user permissions for node revisions. + */ +class NodeRevisionPermissionsTestCase extends DrupalWebTestCase { + protected $node_revisions; + protected $users; + + // Map revision permission names to node revision access ops. + protected $map = array( + 'view' => 'view revisions', + 'update' => 'revert revisions', + 'delete' => 'delete revisions', + ); + + public static function getInfo() { + return array( + 'name' => 'Node revision permissions', + 'description' => 'Tests user permssions for node revision operations.', + 'group' => 'Node', + ); + } + + function setUp() { + parent::setUp('node_revision_test'); + + // Create a node with several revisions. + $revisions = array(); + $node = $this->drupalCreateNode(); + $revisions[] = $node; + + // Create three additional revisions. + $settings = get_object_vars($node); + $settings['revision'] = 1; + + for ($i = 0; $i < 3; $i++) { + // Create a revision for the same nid and settings with a random log. + $settings['log'] = $this->randomName(32); + $this->drupalCreateNode($settings); + + // Load the new revision and update variables for the next revision. + $node = node_load($node->nid); + $revisions[] = $node; + $settings = get_object_vars($node); + } + + $this->node_revisions = $revisions; + + // Create three users, one with each revision permission. + $this->users = array(); + foreach ($this->map as $op => $permission) { + // Create the user. + $this->users[$op] = $this->drupalCreateUser( + array( + 'access content', + 'edit any page content', + 'delete any page content', + $permission, + ) + ); + } + } + + /** + * Tests multiple calls to _node_revision_access() within the same request. + */ + function testNodeRevisionAccessCaching() { + foreach ($this->users as $user_op => $user) { + $this->drupalLogin($user); + $this->drupalGet('node_revision_access_test/' . $this->node_revisions[1]->nid . '/' . $this->node_revisions[1]->vid); + foreach (array_keys($this->map) as $test_op) { + if ($test_op == $user_op) { + $this->assertText(format_string("@op granted", array('@op' => $test_op))); + } + else { + $this->assertNoText(format_string("@op granted", array('@op' => $test_op))); + } + } + } + } +} + class PageEditTestCase extends DrupalWebTestCase { protected $web_user; protected $admin_user; diff --git a/core/modules/node/tests/node_revision_test.info b/core/modules/node/tests/node_revision_test.info new file mode 100644 index 0000000..9981587 --- /dev/null +++ b/core/modules/node/tests/node_revision_test.info @@ -0,0 +1,6 @@ +name = "Node module revision tests" +description = "Support module for node revision testing." +package = Testing +version = VERSION +core = 8.x +hidden = TRUE diff --git a/core/modules/node/tests/node_revision_test.module b/core/modules/node/tests/node_revision_test.module new file mode 100644 index 0000000..874b662 --- /dev/null +++ b/core/modules/node/tests/node_revision_test.module @@ -0,0 +1,46 @@ + MENU_CALLBACK, + 'page callback' => 'node_revision_test_access_test', + 'page arguments' => array(1), + 'load arguments' => array(2), + 'access callback' => TRUE, + ); + return $items; +} + +/** + * Returns HTML listing the results of _node_revision_access(). + * + * @param $node + * The node object. + * + * @return + * An HTML string. + */ +function node_revision_test_access_test($node) { + $output = ''; + + // Test and output the result of _node_revision_access() twice for each op. + for ($i = 0; $i < 2; $i++) { + foreach (array('view', 'update', 'delete') as $op) { + if (_node_revision_access($node, $op)) { + $output .= format_string("@op granted", array('@op' => $op)); + $output .= '
'; + } + } + } + + return $output; +}