diff --git a/core/modules/workspace/src/EntityAccess.php b/core/modules/workspace/src/EntityAccess.php
index d0d05bf..eb4a435 100644
--- a/core/modules/workspace/src/EntityAccess.php
+++ b/core/modules/workspace/src/EntityAccess.php
@@ -144,51 +144,13 @@ public function workspacePermissions() { foreach ($this->entityTypeManager->getStorage('workspace')->loadMultiple() as $workspace) { /** @var \Drupal\workspace\WorkspaceInterface $workspace */ - $perms += $this->createWorkspaceViewPermission($workspace) - + $this->createWorkspaceEditPermission($workspace) - + $this->createWorkspaceBypassPermission($workspace); + $perms += $this->createWorkspaceBypassPermission($workspace); } return $perms; } /** - * Derives the view permission for a specific workspace. - * - * @param \Drupal\workspace\WorkspaceInterface $workspace - * The workspace from which to derive the permission. - * - * @return array - * A single-item array with the permission to define. - */ - protected function createWorkspaceViewPermission(WorkspaceInterface $workspace) { - $perms['view workspace ' . $workspace->id()] = [ - 'title' => $this->t('View the %workspace workspace', ['%workspace' => $workspace->label()]), - 'description' => $this->t('View the %workspace workspace and content within it', ['%workspace' => $workspace->label()]), - ]; - - return $perms; - } - - /** - * Derives the edit permission for a specific workspace. - * - * @param \Drupal\workspace\WorkspaceInterface $workspace - * The workspace from which to derive the permission. - * - * @return array - * A single-item array with the permission to define. - */ - protected function createWorkspaceEditPermission(WorkspaceInterface $workspace) { - $perms['edit workspace ' . $workspace->id()] = [ - 'title' => $this->t('Edit the %workspace workspace', ['%workspace' => $workspace->label()]), - 'description' => $this->t('Edit the %workspace workspace itself', ['%workspace' => $workspace->label()]), - ]; - - return $perms; - } - - /** * Derives the delete permission for a specific workspace. * * @param \Drupal\workspace\WorkspaceInterface $workspace 
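Review bot: Roles that were granted `view workspace <id>` or `edit workspace <id>` will keep those strings in their stored configuration once workspacePermissions() stops deriving them, and nothing visible in this change removes them or maps them to `view any workspace` / `edit any workspace`. Those users lose access silently (which fails closed), but the stale grants stay behind, so an update function or at least a change-record note would make the permission model change auditable. Separately, the docblock left as context at the end of the hunk still reads "Derives the delete permission for a specific workspace", yet the loop only calls createWorkspaceBypassPermission(). If a per-workspace delete derivation method remains below (its signature is outside the hunk), it looks like dead code that should be removed along with the view and edit ones. The start of workspacePermissions() is also outside the hunk.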
diff --git a/core/modules/workspace/src/Negotiator/SessionWorkspaceNegotiator.php b/core/modules/workspace/src/Negotiator/SessionWorkspaceNegotiator.php index 618a022..48eb528 100644 --- a/core/modules/workspace/src/Negotiator/SessionWorkspaceNegotiator.php +++ b/core/modules/workspace/src/Negotiator/SessionWorkspaceNegotiator.php @@ -10,6 +10,10 @@ /** * Defines the session workspace negotiator. + * + * This implementation uses the private tempstore of a user to store the ID of + * the active workspace in order to make it persistent between login/logout + * actions. */ class SessionWorkspaceNegotiator implements WorkspaceNegotiatorInterface { diff --git a/core/modules/workspace/src/WorkspaceAccessControlHandler.php b/core/modules/workspace/src/WorkspaceAccessControlHandler.php index 867e8e3..a779d90 100644 --- a/core/modules/workspace/src/WorkspaceAccessControlHandler.php +++ b/core/modules/workspace/src/WorkspaceAccessControlHandler.php @@ -41,12 +41,6 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter ->addCacheableDependency($entity); } - // Check if the user has permission to access an individual workspace. - if ($access_result->isNeutral()) { - $access_result = AccessResult::allowedIfHasPermission($account, $permission_operation . ' workspace ' . $entity->id()) - ->addCacheableDependency($entity); - } - return $access_result; } diff --git a/core/modules/workspace/tests/src/Functional/EntityResource/WorkspaceResourceTestBase.php b/core/modules/workspace/tests/src/Functional/EntityResource/WorkspaceResourceTestBase.php index 754a9c0..84933ad 100644 --- a/core/modules/workspace/tests/src/Functional/EntityResource/WorkspaceResourceTestBase.php +++ b/core/modules/workspace/tests/src/Functional/EntityResource/WorkspaceResourceTestBase.php 
@@ -45,16 +45,16 @@ protected function setUpAuthorization($method) { switch ($method) { case 'GET': - $this->grantPermissionsToTestedRole(['view workspace layla']); + $this->grantPermissionsToTestedRole(['view any workspace']); break; case 'POST': $this->grantPermissionsToTestedRole(['create workspace']); break; case 'PATCH': - $this->grantPermissionsToTestedRole(['edit workspace layla']); + $this->grantPermissionsToTestedRole(['edit any workspace']); break; case 'DELETE': - $this->grantPermissionsToTestedRole(['delete workspace layla']); + $this->grantPermissionsToTestedRole(['delete any workspace']); break; } } @@ -182,16 +182,16 @@ protected function getExpectedUnauthorizedAccessMessage($method) { switch ($method) { case 'GET': - return "The 'view workspace layla' permission is required."; + return "The 'view any workspace' permission is required."; break; case 'POST': return "The 'create workspace' permission is required."; break; case 'PATCH': - return "The 'edit workspace layla' permission is required."; + return "The 'edit any workspace' permission is required."; break; case 'DELETE': - return "The 'delete workspace layla' permission is required."; + return "The 'delete any workspace' permission is required."; break; } return parent::getExpectedUnauthorizedAccessMessage($method); @@ -200,13 +200,6 @@ protected function getExpectedUnauthorizedAccessMessage($method) { /** * {@inheritdoc} */ - protected function getExpectedUnauthorizedAccessCacheability() { - return parent::getExpectedUnauthorizedAccessCacheability()->addCacheTags($this->entity->getCacheTags()); - } - - /** - * {@inheritdoc} - */ public function testDelete() { // @todo Workspaces can not yet be deleted. } diff --git a/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php b/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php index f302e23..04bd463 100644 --- a/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php 
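Review bot: The `DELETE` branches changed in the first two hunks (`'delete any workspace'` in setUpAuthorization() and in getExpectedUnauthorizedAccessMessage()) are not exercised by this class, because testDelete() is an empty stub per its `@todo Workspaces can not yet be deleted.` comment. A misspelled or undefined permission name there would therefore go unnoticed; confirm that `delete any workspace` is actually defined, or drop the branch until deletion is supported. In the second hunk, the `break;` after each `return` is unreachable and could be removed while these lines are being touched. With the workspace-specific `layla` grants gone, it is also worth checking that some remaining test still asserts a 403 for a user who holds only `view own workspace` on someone else's workspace, since the GET case here now covers only the global grant.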
+++ b/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php @@ -52,7 +52,7 @@ public function testBypassSpecificWorkspace() { // Create a new user that should be able to edit anything in the Bears // workspace. - $lombardi = $this->drupalCreateUser(array_merge($permissions, ['view workspace ' . $bears->id(), 'bypass entity access workspace ' . $bears->id()])); + $lombardi = $this->drupalCreateUser(array_merge($permissions, ['view any workspace', 'bypass entity access workspace ' . $bears->id()])); $this->drupalLogin($lombardi); $this->switchToWorkspace($bears); @@ -72,7 +72,7 @@ public function testBypassSpecificWorkspace() { // Create a new user that should NOT be able to edit anything in the Bears // workspace. - $belichick = $this->drupalCreateUser(array_merge($permissions, ['view workspace ' . $bears->id()])); + $belichick = $this->drupalCreateUser(array_merge($permissions, ['view any workspace'])); $this->drupalLogin($belichick); $this->switchToWorkspace($bears); @@ -111,7 +111,7 @@ public function testBypassOwnWorkspace() { // Create a new user that should be able to edit anything in the Bears // workspace. - $lombardi = $this->drupalCreateUser(array_merge($permissions, ['view workspace ' . $bears->id()])); + $lombardi = $this->drupalCreateUser(array_merge($permissions, ['view any workspace'])); $this->drupalLogin($lombardi); $this->switchToWorkspace($bears); diff --git a/core/modules/workspace/tests/src/Functional/WorkspaceIndividualPermissionsTest.php b/core/modules/workspace/tests/src/Functional/WorkspaceIndividualPermissionsTest.php deleted file mode 100644 index 71a5ca6..0000000 --- a/core/modules/workspace/tests/src/Functional/WorkspaceIndividualPermissionsTest.php +++ /dev/null 
@@ -1,92 +0,0 @@ -drupalCreateUser($permissions); - - // Login as a limited-access user and create a workspace. - $this->drupalLogin($editor1); - - $this->createWorkspaceThroughUi('Bears', 'bears'); - $bears = Workspace::load('bears'); - - // Now login as a different user with permission to edit that workspace, - // specifically. - $editor2 = $this->drupalCreateUser(array_merge($permissions, ['edit workspace ' . $bears->id()])); - - $this->drupalLogin($editor2); - - $this->drupalGet("/admin/config/workflow/workspace/{$bears->id()}/edit"); - $this->assertSession()->statusCodeEquals(200); - } - - /** - * Verifies that a user can view a specific workspace. - */ - public function testViewIndividualWorkspace() { - $permissions = [ - 'access administration pages', - 'administer site configuration', - 'create workspace', - 'edit own workspace', - ]; - - $editor1 = $this->drupalCreateUser($permissions); - - // Login as a limited-access user and create a workspace. - $this->drupalLogin($editor1); - $this->createWorkspaceThroughUi('Bears', 'bears'); - $bears = Workspace::load('bears'); - - // Now login as a different user and create a workspace. - $editor2 = $this->drupalCreateUser(array_merge($permissions, ['view workspace ' . $bears->id()])); - - $this->drupalLogin($editor2); - $this->createWorkspaceThroughUi('Packers', 'packers'); - $packers = Workspace::load('packers'); - - // Load the activate form for the Bears workspace. It should work, because - // the user has the permission specific to that workspace. - $this->drupalGet("admin/config/workflow/workspace/{$bears->id()}/activate"); - $this->assertSession()->statusCodeEquals(200); - - // But editor 1 cannot view the Packers workspace. - $this->drupalLogin($editor1); - $this->drupalGet("admin/config/workflow/workspace/{$packers->id()}/activate"); - $this->assertSession()->statusCodeEquals(403); - } - -} 
diff --git a/core/modules/workspace/tests/src/Kernel/WorkspaceAccessTest.php b/core/modules/workspace/tests/src/Kernel/WorkspaceAccessTest.php index 5284a79..76242ef 100644 --- a/core/modules/workspace/tests/src/Kernel/WorkspaceAccessTest.php +++ b/core/modules/workspace/tests/src/Kernel/WorkspaceAccessTest.php @@ -48,10 +48,8 @@ protected function setUp() { public function operationCases() { return [ ['create', 'create workspace'], - ['view', 'view workspace oak'], ['view', 'view any workspace'], ['view', 'view own workspace'], - ['update', 'edit workspace oak'], ['update', 'edit any workspace'], ['update', 'edit own workspace'], ];