Merge branch 'feature/ISTWCMS-5085-lkmorlan-menu-link-admin-access' into '3.0.x'

ISTWCMS-5085: Prevent non-admin access to menu add, edit, and delete See merge request !243

Merge branch 'feature/ISTWCMS-5085-lkmorlan-menu-link-admin-access' into '3.0.x'
ISTWCMS-5085: Prevent non-admin access to menu add, edit, and delete See merge request !243
86459338 · Lily Yan · e6ae4bf0 · cfa47055 · 86459338 · 86459338
Commit 86459338 authored Oct 15, 2021 by Lily Yan
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 11 deletions

composer.json composer.json +1 -1

tests/src/Functional/UwWcmsBasicTest.php tests/src/Functional/UwWcmsBasicTest.php +24 -10

No files found.
--- a/composer.json
+++ b/composer.json
@@ -78,7 +78,7 @@
        "drupal/media_entity_browser": "2.0-alpha3",
        "drupal/media_library_edit": "2.0",
        "drupal/media_library_form_element": "2.0.3",
-        "drupal/menu_admin_per_menu": "1.3",
+        "drupal/menu_admin_per_menu": "dev-8.x-1.3+4-dev-uw_wcms1",
        "drupal/metatag": "1.16",
        "drupal/module_filter": "3.2",
        "drupal/node_revision_delete": "dev-1.0-rc3-uw_wcms1",

--- a/tests/src/Functional/UwWcmsBasicTest.php
+++ b/tests/src/Functional/UwWcmsBasicTest.php
@@ -1563,17 +1563,18 @@ class UwWcmsBasicTest extends BrowserTestBase {
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->elementExists('css', 'input#edit-weight[value="-51"]');

-    $this->drupalLogin($this->drupalUsers['uw_role_site_manager']);
+    // Menu admin. These are tested again below as site manager who does not
+    // have access.
+    // Edit link for home page.
+    $this->drupalGet('admin/structure/menu/manage/main');
+    $path = 'admin/structure/menu/link/uw_base_profile.front_page/edit';
+    $this->assertSession()->elementExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
+    // Menu add item link.
+    $this->drupalGet('admin/structure/menu');
+    $path = 'admin/structure/menu/manage/main/add';
+    $this->assertSession()->elementExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');

-    // No access to edit home page menu entry.
-    $this->drupalGet('admin/structure/menu/link/uw_base_profile.front_page/edit');
-    $this->assertSession()->statusCodeEquals(403);
-    // Test that the home page cannot be the parent of any item. Using first
-    // menu item that was created.
-    $this->drupalGet('admin/structure/menu/item/1/edit');
-    $this->assertSession()->statusCodeEquals(200);
-    $this->assertSession()->elementExists('css', 'select#edit-menu-parent');
-    $this->assertSession()->elementNotExists('css', 'select#edit-menu-parent > option[value="main:uw_base_profile.front_page"]');
+    $this->drupalLogin($this->drupalUsers['uw_role_site_manager']);

    // Test that main menu has disabled Catalogs menu link.
    $this->drupalGet('admin/structure/menu/manage/main');
@@ -1585,6 +1586,19 @@ class UwWcmsBasicTest extends BrowserTestBase {
    // to validate if checkbox is unchecked.
    $menu_uuid = $this->getSession()->getPage()->findLink('Catalogs')->getParent()->getParent()->getAttribute('data-drupal-selector');
    $this->assertSession()->checkboxNotChecked($menu_uuid . '-enabled');
+
+    // No access to menu admin.
+    // No access to edit home page menu entry.
+    $path = 'admin/structure/menu/link/uw_base_profile.front_page/edit';
+    $this->assertSession()->elementNotExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
+    $this->drupalGet($path);
+    $this->assertSession()->statusCodeEquals(403);
+    // Menu add item link.
+    $this->drupalGet('admin/structure/menu');
+    $path = 'admin/structure/menu/manage/main/add';
+    $this->assertSession()->elementNotExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
+    $this->drupalGet($path);
+    $this->assertSession()->statusCodeEquals(403);
  }

  /**