diff --git a/entity.test b/entity.test
index 746713e..6ad1637 100644
--- a/entity.test
+++ b/entity.test
@@ -1619,3 +1619,59 @@ class EntityMetadataIntegrationTestCase extends EntityWebTestCase {
     }
   }
 }
+
+class EntityMetadataUserCreateAccessTest extends EntityWebTestCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Metadata User Create Access',
+      'description' => 'Makes sure metadata wrapper are working right.',
+      'group' => 'Entity API',
+    );
+  }
+
+  function setUp() {
+    parent::setUp('entity');
+  }
+
+  public function testUserWrapperCreateAccess() {
+    // Create some users:
+    //  One with super-powers
+    //  A blocked admin
+    //  One with no perms.
+    $admin_account = $this->drupalCreateUser(array(
+      'administer users',
+    ));
+    $blocked_admin_account = $this->drupalCreateUser(array(
+      'administer users',
+    ));
+    $blocked_admin_account->status = 0;
+    $auth_only_account = $this->drupalCreateUser(array());
+
+    // The callback alone.
+    $this->assertTrue(entity_metadata_user_access('create', NULL, $admin_account, 'user'), 'Create access allowed for ADMIN, for user callback.');
+    $this->assertFalse(entity_metadata_user_access('create', NULL, $blocked_admin_account, 'user'), 'Create access DENIED for BLOCKED_ADMIN, for user callback.');
+    $this->assertFalse(entity_metadata_user_access('create', NULL, $auth_only_account, 'user'), 'Create access DENIED for AUTH_ONLY, for user callback.');
+
+    // A mock user wrapper.
+    $user = new stdClass();
+    $user->uid = 0;
+    $wrapper = entity_metadata_wrapper('user', $user);
+    $this->assertTrue($wrapper->entityAccess('create', $admin_account),
+      'Create access allowed for ADMIN, for mock user wrapper.');
+    $this->assertFalse($wrapper->entityAccess('create', $blocked_admin_account),
+      'Create access DENIED for BLOCKED_ADMIN, for mock user wrapper.');
+    $this->assertFalse($wrapper->entityAccess('create', $auth_only_account),
+      'Create access DENIED for AUTH_ONLY, for mock user wrapper.');
+
+    // The empty wrapper.
+    $wrapper = entity_metadata_wrapper('user');
+    $this->assertTrue($wrapper->entityAccess('create', $admin_account),
+      'Create access allowed for ADMIN, for empty wrapper.');
+    $this->assertFalse($wrapper->entityAccess('create', $blocked_admin_account),
+      'Create access DENIED for BLOCKED_ADMIN, for empty wrapper.');
+    $this->assertFalse($wrapper->entityAccess('create', $auth_only_account),
+      'Create access DENIED for AUTH_ONLY, for empty wrapper.');
+  }
+
+}
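Review bot: The new test case asserts only the 'create' operation, while the same commit rewrites entity_metadata_user_access() in modules/callbacks.inc in a way that also changes the 'view', 'update' and 'delete' outcomes. An access-control rewrite needs negative tests per operation. At minimum create a `$viewer_account` with 'access user profiles' and add `$this->assertFalse(entity_metadata_user_access('view', $blocked_admin_account, $viewer_account), 'View access DENIED for blocked target.');`, plus an assertion pinning whether a user may still 'update' their own account. Also, `$blocked_admin_account->status = 0;` changes only the in-memory object, so the blocked case is never exercised against a saved account.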
diff --git a/modules/callbacks.inc b/modules/callbacks.inc
index 304f53f..2fb69fc 100644
--- a/modules/callbacks.inc
+++ b/modules/callbacks.inc
@@ -637,14 +637,24 @@ function entity_metadata_no_hook_node_access($op, $node = NULL, $account = NULL)
 /**
  * Access callback for the user entity.
  */
-function entity_metadata_user_access($op, $entity = NULL, $account = NULL, $entity_type) {
-  $account = isset($account) ? $account : $GLOBALS['user'];
-  // Grant access to the users own user account and to the anonymous one.
-  if (isset($entity) && $op != 'delete' && (($entity->uid == $account->uid && $entity->uid) || (!$entity->uid && $op == 'view'))) {
-    return TRUE;
-  }
-  if (user_access('administer users', $account) || user_access('access user profiles', $account) && $op == 'view' && $entity->status) {
-    return TRUE;
+function entity_metadata_user_access($op, $user_entity = NULL, $account = NULL) {
+  // Make sure $account is useful.
+  $account = is_object($account) ? $account : $GLOBALS['user'];
+  // Make sure $account isn't blocked
+  if ($account->status) {
+    // If the account isn't blocked and is an admin, then TRUE.
+    if (user_access('administer users', $account)) {
+      return TRUE;
+    }
+    // Make sure $user_entity is an object with a uid.
+    if (is_object($user_entity) && isset($user_entity->uid)) {
+      if ('view' == $op) {
+        // Allow viewing for same user or those with view perms.
+        if (($user_entity->uid == $account->uid) || user_access('access user profiles', $account)) {
+          return TRUE;
+        }
+      }
+    }
   }
   return FALSE;
 }
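Review bot: The 'view' branch grants access to anyone holding 'access user profiles' without checking the target's status, so the `&& $entity->status` condition of the removed code is lost and blocked accounts become viewable to non-admins. Restore it in the inner condition: `if (($user_entity->uid == $account->uid) || (user_access('access user profiles', $account) && !empty($user_entity->status))) {`. Two further behaviour changes look unintended and should be confirmed. First, the removed code allowed non-delete operations such as 'update' on a user's own account, while the new code returns FALSE for everything but 'view' unless the account has 'administer users'. Second, an `$account` object without a `status` property (possibly the case for the anonymous user object) now fails the outer `if ($account->status)` with a notice and is denied even 'view'.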
