Follow-up to #2917584-49: Some tests only go green because they happen to run as UID1
Problem/Motivation
UserViewsFieldAccessTest
extends FieldFieldAccessTestBase
, where we have $userWithAccess
instance with unexpected user/1 mode.
As a result, the UserViewsFieldAccessTest::testUserFields()
checks access for user with full access, which is obviously not the goal of this test.
However, it would be good to keep assertions for user with 'administer users' permission too.
If we move this assertions to separate test, than another fun challenge arises. What to do with a commented code?
// $this->assertFieldAccess('user', 'mail', 'druplicon@drop.org');
// $this->assertFieldAccess('user', 'created', \Drupal::service('date.formatter')->format(123456));
// $this->assertFieldAccess('user', 'changed', \Drupal::service('date.formatter')->format(REQUEST_TIME));
Proposed resolution
- Decouple test on two tests:
- for user with
'view test entity field', 'access content'
permissions - for user with
'administer users'
permission
- for user with
- Do not touch the commented code (just duplicate it to both tests), because we already have issue about it (#2464635: Follow-up: Enable additional tests for base entity field access checking in Views)
- Fix unexpected user/1 access for
$userWithAccess
inFieldFieldAccessTestBase
, to prevent similar defects in the future. Override$userWithAccess
inside UserViewsFieldAccessTest tests, and fixing$userWithAccess
ofFieldFieldAccessTestBase
in #540008: Add a container parameter that can remove the special behavior of UID#1.
Remaining tasks
To choose the most suitable solution:
- fix the root of the problem - in the FieldFieldAccessTestBase class (see #2)
- fix only the effects of the problem in the UserViewsFieldAccessTest (see #4, #5).
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#24 | diff_13-24.txt | 1.58 KB | adityasingh |
#24 | 2928648-24.patch | 4.35 KB | adityasingh |
| |||
#13 | drupal-2928648-13.patch | 4.74 KB | kristiaanvandeneynde |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedvaplas created an issue. See original summary.
Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedPatch from @kristiaanvandeneynde.
Comment #3
kristiaanvandeneyndeAwesome, thanks for creating the spin-off @vaplas!
In the other issue, we decided to remove the changes to the FileManagedUnitTestBase class because we could not know who could have extended that. Shouldn't we be doing the same here and fix the base class in the UID 1 patch?
Comment #4
Anonymous (not verified) CreditAttribution: Anonymous commentedThanks, @kristiaanvandeneynde. That's a great question. When I made the IS, I thought about it in passing, but I cast aside doubts after this part of FieldFieldAccessTestBase:
Which clearly indicates that limited permissions are assumed for
userWithAccess
. Other tests should only rely on'view test entity field'
permission for this user, and their fall will be a fair indication of the flaws in assertions. But for BC, I absolutely agree to transfer this to the main issue.Comment #5
Anonymous (not verified) CreditAttribution: Anonymous commentedHm.. trying to fix regression, because with #4 we cann't prevent userWithAccess/UID1 for new tests in
UserViewsFieldAccessTest
.Comment #6
kristiaanvandeneyndeWe could update UserViewsFieldAccessTest to recreate the user and load the admin role from the parent to add the proper permissions. Maybe it's overkill and we should just leave the test base as is. I'm not sure.
How about we stick with the patch in #2 and see what the core committers think of it?
Comment #7
Anonymous (not verified) CreditAttribution: Anonymous commentedSure :)
Comment #8
kristiaanvandeneyndeOkay, RTBC for #2 then. Let's see what core committers have to say about the base class change. Impact should be minimal to no as it adds the right permission for the base class to still function, but you never know.
Comment #9
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #11
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #12
larowlanis this correct? I thought user names were only available for those with the 'view user profiles' permission? Apologies if that is already granted but not present in the diff.
Let's punt this to the followup (existing followup)
yeah I'm with @kristiaanvandeneynde, lets not do this in the base class as it may lead to unexpected issues
Comment #13
kristiaanvandeneynde@larowlan in #12:
This test might fail as I threw out the 'access content' permission because I don't think we need it in the user test. We might need to add said permission in the node tests in the parent issue that strips UID 1 of its power. I'll add a comment in the parent issue if this one goes green.
The patch also contains the commented out lines still. I'm not sure which ones to remove (as stated in 2.)
Comment #15
kristiaanvandeneyndeUnrelated failure
Comment #16
kristiaanvandeneynde2018 bump. This is the first domino in a series that might lead to getting #540008: Add a container parameter that can remove the special behavior of UID#1 committed.
Comment #23
daffie CreditAttribution: daffie commentedComment #24
adityasingh CreditAttribution: adityasingh as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedReroll the patch. Please review.
Comment #29
smustgrave CreditAttribution: smustgrave at Mobomo commentedThis issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.
Instead of creating roles and users this way think it should use UserCreationTrait