When checking access to update or edit an entity the operation to use for that is update. \Drupal\Tests\contact\Kernel\MessageEntityTest incorrectly uses edit instead.
Note that arguably using the wrong operation could in principle be seen as a bug, but since it is in test code and for a specific entity type (and not in a base test class, for example) it's really hard to argue that this is actually problematic in any concrete way, so marking as task.
-
Change the test to use update instead. The test currently passes, because the operation is not explicitly checked (so in effect we could pass anything as the operation and the test would pass), but it's setting a wrong example for people looking at the code.
-
-
-
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 3260920-2.patch | 890 bytes | tstoeckler |
Comments
Comment #2
tstoecklerComment #3
larowlanDoes this mean we're missing a test of sorts?
Comment #4
tstoecklerHmm... good question. So this is testing access control for contact messages, but contact messages don't implement any specific entity access (only for the create access). So this basically just tests the base access control logic that checks the admin permission - and the fact that the admin permission is set correctly on contact messages, which is why I think those tests were introduced at the time. So I think the tests are fine in terms of coverage. For context, this was introduced all the way back in #2427713: Contact module doesn't implement AccessControlHandler.
The thing is that the admin permission is checked regardless of the passed operation and we don't validate the operation in any other way either. So basically if you pass
jump around(or whatever...) as the access operation it will grant access if you have the admin permission and it will deny access if you don't.So I don't think there's anything missing in the test coverage and there's nothing functionally wrong. I think it does really make sense to change it, though, because
updateis the correct operation that is used all over core what (I presume) is meant to be tested in the test and, furthermore,editis the correct operation for checking field access (i.e.$contactMessage->get('subject')->access('edit')) so this especially confusing and sets a bad example.Comment #5
larowlanThanks for all that background, makes sense to me
Comment #7
tstoecklerRandom test failure (see #3267124: Temporarily skip failing tests) and then random checkout failure on the testbot. Back to RTBC now.
Comment #9
tstoecklerAnother random failure: #3267754: AjaxTest is failing
Comment #11
tstoeckler...and #3055982: Remove resizing window in BlockFormMessagesTest::testValidationMessage
Comment #12
bradjones1From #4:
Yeah, it is... I found this issue trying to search for an issue that is basically "why do we have both 'edit' and 'update' for the U in CRUD?"
I guess I'll open one?
Comment #13
alexpottCommitted and pushed 1922d82c4b to 10.0.x and a9d27d154a to 9.5.x and 04b84b6abb to 9.4.x and 2925ad48c7 to 9.3.x. Thanks!
Backported to 9..3x to keep the tests aligned.