Fix file access handling.

This includes tests.

Fix file access handling.
c86deed6 · Kevin Kaland · 34a6cfe6 · c86deed6 · c86deed6 · c86deed6
Commit c86deed6 authored 7 years ago by Kevin Kaland
--- a/fillpdf.module
+++ b/fillpdf.module
@@ -225,6 +225,21 @@ function fillpdf_file_download($uri) {
  return NULL;
 }

+/**
+ * Implements hook_file_download_access_alter().
+ */
+function fillpdf_file_download_access_alter(&$grants, $file_item, $entity_type, $entity) {
+  // If the user has the Publish All PDFs permission but does not have access,
+  // to the entity used to generate the file, another module might have denied
+  // them access in hook_file_download(). However, if they have Publish All
+  // PDFs, then we would have allowed them to generate the file anwyay. We
+  // therefore do a second check here and grant access definitively.
+  if (user_access('publish all pdfs') && !!fillpdf_file_download($file_item['uri'])) {
+    $grants['fillpdf'] = TRUE;
+    return;
+  }
+}
+
 /**
 * Gets a link to the printable PDF, merged with the passed-in data.
 *
@@ -1140,6 +1155,9 @@ function fillpdf_execute_merge($method, $fields, $fillpdf, $mode = 'url', $flatt
      }
      file_unmanaged_delete($xfdffile);
      break;
+
+    case 'test':
+      $data = file_get_contents(drupal_get_path('module', 'fillpdf') . '/tests/fillpdf_test_v4.pdf');
  }
  if ($data) {
    return $data;
@@ -1300,6 +1318,26 @@ function fillpdf_execute_parse($method, $fillpdf, $mode = 'url') {
        }
      }
      break;
+
+    case 'test':
+      $fields = array(
+        0 => array(
+          'name' => 'ImageField',
+          'value' => '',
+          'type' => 'Pushbutton',
+        ),
+        1 => array(
+          'name' => 'Button',
+          'value' => '',
+          'type' => 'Pushbutton',
+        ),
+        2 => array(
+          'name' => 'TextField',
+          'value' => '',
+          'type' => 'Text',
+        ),
+      );
+      break;
  }
  if ($mode == 'stream') {
    file_unmanaged_delete($filename);

--- a/tests/fillpdf.test
+++ b/tests/fillpdf.test
@@ -10,8 +10,9 @@
 *
 * @todo Add a test based on an Acrobat-created PDF.
 */
-class FillPdfWebTestCase extends DrupalWebTestCase {
+class FillPdfWebTestCase extends FileFieldTestCase {
  protected $privileged_user;
+  protected $nonPrivilegedUser;

  /**
   *
@@ -31,7 +32,7 @@ class FillPdfWebTestCase extends DrupalWebTestCase {
  public function setUp() {
    // Enable any modules required for the test. This should be an array of
    // module names.
-    parent::setUp(array('fillpdf'));
+    parent::setUp(array('fillpdf_test'));

    // Create and log in our privileged user.
    $this->privileged_user = $this->drupalCreateUser(array(
@@ -39,6 +40,11 @@ class FillPdfWebTestCase extends DrupalWebTestCase {
      'administer pdfs',
      'publish all pdfs',
    ));
+
+    $this->nonPrivilegedUser = $this->drupalCreateUser(array(
+      'access content',
+    ));
+
    $this->drupalLogin($this->privileged_user);
  }

@@ -109,4 +115,59 @@ class FillPdfWebTestCase extends DrupalWebTestCase {
    $this->assertEqual($expected_link2, $actual_link2, 'fillpdf_context_to_link() generates a link with multiple Webforms correctly.');
  }

+  /**
+   * Make sure that file access works properly.
+   */
+  public function testFileAccess() {
+    $this->createFileField('field_pdf', 'page');
+
+    // Make a basic page.
+    $new_node = new stdClass();
+    $new_node->type = 'page';
+    $new_node->title = t('Test node');
+    $new_node->field_body = array(
+      LANGUAGE_NONE => array(
+        0 => array(
+          'value' => 'This is test text.',
+        ),
+      ),
+    );
+    $new_node->uid = 1;
+    node_save($new_node);
+
+    variable_set('fillpdf_service', 'test');
+    variable_set('fillpdf_scheme', 'private');
+
+    // Upload a template.
+    $this->drupalPost('admin/structure/fillpdf', array(
+      'files[upload_pdf]' => drupal_realpath(drupal_get_path('module', 'fillpdf') . '/tests/fillpdf_test_v4.pdf'),
+    ), t('Upload'));
+
+    $this->drupalGet('node/1');
+    $this->assertResponse(403, 'Access properly denied for non-admin.');
+
+    db_update('fillpdf_forms')
+      ->fields(array('destination_path' => 'output'))
+      ->condition('fid', 1)
+      ->execute();
+
+    $fillpdf_object = fillpdf_merge_pdf(1, array(1), NULL, NULL, FALSE, FALSE, TRUE, FALSE);
+    $saved_file = fillpdf_action_save_to_file($fillpdf_object, 'fillpdf_test_v4.pdf', FALSE, FALSE);
+    $saved_file->display = 1;
+
+    $new_node->field_pdf = array(
+      LANGUAGE_NONE => array(
+        0 => (array) $saved_file,
+      ),
+    );
+    node_save($new_node);
+
+    $this->drupalGet('system/files/fillpdf/output/fillpdf_test_v4.pdf');
+    $this->assertResponse(200, 'User can generate and access PDF from any data when they have the Publish All PDFs permission.');
+
+    $this->drupalLogin($this->nonPrivilegedUser);
+    $this->drupalGet('system/files/fillpdf/output/fillpdf_test_v4.pdf');
+    $this->assertResponse(403, 'User without Administer PDFs and without Publish All PDFs cannot access PDF they cannot view the node for.');
+  }
+
 }
--- a/tests/fillpdf_test_v4.pdf
+++ b/tests/fillpdf_test_v4.pdf
--- a/tests/modules/fillpdf_test.info
+++ b/tests/modules/fillpdf_test.info
+name = FillPDF Testing
+description = Supports FillPDF tests. Do not enable manually.
+core = 7.x
+package = Other
+dependencies[] = fillpdf
+
+; This is a test module.
+hidden = TRUE
--- a/tests/modules/fillpdf_test.module
+++ b/tests/modules/fillpdf_test.module
+<?php
+/**
+ * Implements hook_node_access().
+ */
+function fillpdf_test_node_access($node, $op, $account) {
+  if (is_string($node)) {
+    $node = new stdClass();
+    $node->type = $node;
+  }
+
+  if ($node->type !== 'page') {
+    return NODE_ACCESS_IGNORE;
+  }
+
+  if (!empty($account->uid) && (int) $account->uid === 1) {
+    return NODE_ACCESS_ALLOW;
+  }
+
+  return NODE_ACCESS_DENY;
+}