EntityResource: Add an admin permission to RdfMapping entity and provide comprehensive test coverage

OK here we go.

We have the same access issue here. So this adds an access handler to \Drupal\rdf\Entity\RdfMapping.

Let's see what fails.

1. +++ b/core/modules/rdf/src/RdfMappingAccessControlHandler.php
   @@ -0,0 +1,29 @@
   + * Defines the access control handler for the rdf mapping entity type.
   

   s/rdf/RDF/

2. +++ b/core/modules/rdf/src/RdfMappingAccessControlHandler.php
   @@ -0,0 +1,29 @@
   +    // Allow all users to view vocabulary config entities.
   

   This is not for vocabulary config entities.

3. +++ b/core/modules/rest/tests/src/Functional/EntityResource/RdfMapping/RdfMappingJsonAnonTest.php
   @@ -0,0 +1,24 @@
   +class NodeTypeJsonAnonTest extends RdfMappingResourceTestBase {
   

   s/NodeType/RdfMapping/

   This is why the test failed :)

4. +++ b/core/modules/rest/tests/src/Functional/EntityResource/RdfMapping/RdfMappingResourceTestBase.php
   @@ -0,0 +1,137 @@
   +/**
   + * ResourceTestBase for RdfMapping entity.
   + */
   ...
   +   * The RdfMapping entity.
   

   These comments are pointless, and inconsistent with the others. But I don't care enough to insist on them being removed.

Thanks for the review Wim.

1. Done.
2. Removed.
3. Fixed. Thanks.
4. I do. Removed them. Let's keep things consistent :)

+++ b/core/modules/rest/tests/src/Functional/EntityResource/RdfMapping/RdfMappingResourceTestBase.php
@@ -0,0 +1,132 @@
+    $llama = rdf_get_mapping('node', 'camelids');

One more thing. Let's replace this with:

RdfMapping::create([
  'targetEntityType' => 'node',
  'bundle' => 'camelids',
]);

Then it's far more clear what's happening. Also consistent with the rest. No more magic!

Done. Thanks.

+++ b/core/modules/rdf/src/RdfMappingAccessControlHandler.php
@@ -0,0 +1,28 @@
+    if ($operation === 'view') {
+      return AccessResult::allowedIfHasPermission($account, 'access content');
+    }

I think we need an issue to discuss the applicability of this permission to config entities. It doesn't feel right. See #2843772-15: EntityResource: Provide comprehensive test coverage for DateFormat entity

This is blocked on #2870018: Should the 'access content' permission be used to control access to viewing configuration entities via REST reaching consensus.

Consensus was achieved! Quoting #2870018-35: Should the 'access content' permission be used to control access to viewing configuration entities via REST:

1. config entities that do not yet have an access control handler nor an admin_permission (RdfMapping, Tour): add an admin_permission.
2. update all access control handlers for entity types that currently grant access without requiring any permission (View, Menu, File, DateFormat): change them to require the entity type's admin_permission or the entity-type specific "view" permission (yet to be added), so for example: AccessResult::allowedIfHasPermissions($account, ['view menu', 'administer menu'], 'OR').

It seemed reasonable to use the same administer site configuration as the admin_permission for the RdfMapping config entity type, since \Drupal\Core\Datetime\Entity\DateFormat does this too, and it's very similar site builder-wise, and editing frequency-wise.

Rehashing title and issue summary to cover scope

This is a bug fix because the config entity should not be exposed to users without the admin permission via REST or JsonAPI.

Committed and pushed f135eb2 to 8.4.x and b986493 to 8.3.x. Thanks!

Backported to 8.3.x to close the anon access and for the additional test coverage.

Yay, thanks! Updated #2824572: Write EntityResourceTestBase subclasses for every other entity type., 16 now remain :)