"Mark as default" action

1. +++ b/src/Tests/ProfileCRUDTest.php
   @@ -248,9 +248,121 @@ class ProfileCRUDTest extends ProfileTestBase {
   +    $this->assertUrl($profile1->toUrl('collection')->toString());
   
   +++ b/src/Tests/ProfileTabTest.php
   @@ -95,7 +95,7 @@ class ProfileTabTest extends LocalTasksTest {
   +    $this->assertUrl($profile1->toUrl('collection')->toString());
   

   I know I said to fix these, but let's wait until later since they failed, too.

2. +++ b/src/Tests/ProfileCRUDTest.php
   @@ -248,9 +248,121 @@ class ProfileCRUDTest extends ProfileTestBase {
   +  /**
   +   * Tests mark as default action.
   +   */
   +  public function testDefaultAction() {
   

   I made a ProfileDefaultTest, let's move this there.

3. +++ b/src/Tests/ProfileCRUDTest.php
   @@ -248,9 +248,121 @@ class ProfileCRUDTest extends ProfileTestBase {
   +    $profile_profile_type_1_user1 = Profile::create($expected = [
   +      'type' => $types['profile_type_1']->id(),
   +      'uid' => $this->user1->id(),
   +      'status' => PROFILE_ACTIVE,
   +    ]);
   

   This wasn't working for me. I had to manually run ->setActive(TRUE) before save. See examples in ProfileDefaultTest.

+++ b/profile.routing.yml
@@ -46,3 +46,14 @@ entity.profile.multiple_delete_confirm:
+    _permission: 'administer profiles'

Do we need a _csrf_token: 'TRUE' here to prevent CSRF ?
as in this function we are updating the profile entity.
Although this route is behind 'administer profiles' but with chain attack of XSS(with twig in core its no where by default) it can be exploitable.

Per #12: Yeah, let's do it. I was thinking "nah, it still needs a valid profile ID", but Core does it for comment approval.

comment.approve:
  path: '/comment/{comment}/approve'
  defaults:
    _title: 'Approve'
    _controller: '\Drupal\comment\Controller\CommentController::commentApprove'
    entity_type: 'comment'
  requirements:
    _entity_access: 'comment.approve'
    _csrf_token: 'TRUE'
    comment: \d+

It can't hurt.

Shoot. Remove whatever is asserting the link

+++ b/src/Tests/ProfileDefaultTest.php
@@ -123,4 +123,129 @@ class ProfileDefaultTest extends ProfileTestBase {
+    // Check whether all have links "Mark as default".
+    $this->assertLinkByHref($profile_profile_type_0_user1_1->toUrl('set-default')->toString());
+    $this->assertLinkByHref($profile_profile_type_0_user1_2->toUrl('set-default')->toString());
+    $this->assertLinkByHref($profile_profile_type_1_user1->toUrl('set-default')->toString());
+    $this->assertLinkByHref($profile_profile_type_1_user2->toUrl('set-default')->toString());
+    $this->assertLinkByHref($profile_profile_type_1_user1_inactive->toUrl('set-default')->toString());
+    $this->assertLinkByHref($profile_profile_type_1_user1_active->toUrl('set-default')->toString());

:/ We can't do this on D.o test bot. I think it's just because paths are goofy. I wish we could assert text, maybe by the index?

I'd be fine skipping it.

Looks good. I just want to get bojanz to take a peak and verify this is what we're going for, looks like it, though.

+  requirements:
+    _permission: 'administer profiles'
+    _csrf_token: 'TRUE'

So it won't work for ordinary users?

Oops. Good catch. Should be "edit own profiles"

Question: Do I need to show in the test that user having "edit own profiles" permission gets 403 error while marking profiles as default?

Wait, do you mean does not get 403? Or for other user profiles? Sorry I think I'm just reading comment wrong. We probably should show that "user1 cannot set user2's default profile without proper access"

+++ b/src/Tests/ProfileDefaultTest.php
@@ -144,7 +144,25 @@ class ProfileDefaultTest extends ProfileTestBase {
+      'administer profiles',

Does $restricted_user really needs the administer profiles permission ? I did not find any other use of restricted user other than creating its own profile.
Did I miss something ?

naveenvalecha, shoot. mind just opening a new issue to fix the test with the patch?

#32, cleared the usage of administer profiles.