Problem/Motivation
In #3100386: Create contrib update module test cases that use semantic versioning @dww pointed out the administer themes
is not a needed for permission for the tests to pass.
Since code was just being copied in that issue it was out of scope.
But we should review the functional tests and determine if we have unneeded permissions. After that issue `UpdateSemverTestBase` will be the class to look at but we should look at all Update module functional tests.
Proposed resolution
See if we can get rid of some of the permissions given to user accounts for the tests.
Remaining tasks
User interface changes
NOne
API changes
NOne
Data model changes
None
Release notes snippet
None
Issue fork drupal-3205909
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
tedbowComment #3
tedbowPostpone on #3205909: Ensure only needed permissions are used for Update module functional tests
Comment #5
tedbowwhoops in #3 I postponed this on itself 😂
I assume I meant #3100386: Create contrib update module test cases that use semantic versioning which is now fixed. Marking as active
Comment #8
tedbowComment #9
kunal.sachdev CreditAttribution: kunal.sachdev at Acquia commentedI checked all the functional tests to remove any unnecessary permissions. This method
\Drupal\Tests\update\Functional\UpdateSemverCoreTest::testModulePageSecurityUpdate
was failing without the 'administer themes' permission.core/modules/update/tests/src/Functional/FileTransferAuthorizeFormTest.php
had a unnecessary permission 'administer site configuration'.Comment #10
phenaproximaComment #11
phenaproximaThe merge request looks pretty good to me, but I'm not clear on the issue scope. Are we intending to fix this problem for all of Update's functional tests, or just the ones in the merge request? Looking at other functional tests in the Update module, like
UpdateUploadTest
, I'm seeing some permissions (likeadminister site configuration
) that may or may not be needed.So I guess my thoughts are: if we're doing this for UpdateSemverTestBase and its descendants, then this merge request seems good to me (although we should probably re-title the issue and adjust the summary). If we want to check this for all of Update's tests, then we might need to go through all of them and try cutting out permissions to verify that the ones that are there, are actually needed.
Comment #12
tedbowfor review
Comment #13
phenaproximaI did a thorough review of this by running all of the Update module's functional tests locally, in turn, with permissions disabled one-by-one to see what kinds of failures they cause. It would appear we've pretty much got everything covered here, except for one suggestion.
I'm leaving this at "needs review" so that @kunal.sachdev and/or @tedbow can implement or reject that suggestion at their discretion. Otherwise, I consider this very much RTBC.
Comment #14
phenaproximaLooks great. RTBC on green.
Comment #16
alexpottCommitted and pushed 20f3c89d02f to 10.0.x and 2a5f29ee579 to 9.4.x and 00e48f5b3ed to 9.3.x. Thanks!