You are here

public function UserResourceTestBase::testPatchSecurityOtherUser in Drupal 8

Same name and namespace in other branches
  1. 9 core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()

Tests PATCHing security-sensitive base fields to change other users.

2 methods override UserResourceTestBase::testPatchSecurityOtherUser()
UserXmlBasicAuthTest::testPatchSecurityOtherUser in core/modules/user/tests/src/Functional/Rest/UserXmlBasicAuthTest.php
Tests PATCHing security-sensitive base fields to change other users.
UserXmlCookieTest::testPatchSecurityOtherUser in core/modules/user/tests/src/Functional/Rest/UserXmlCookieTest.php
Tests PATCHing security-sensitive base fields to change other users.

File

core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php, line 261

Class

UserResourceTestBase

Namespace

Drupal\Tests\user\Functional\Rest

Code

public function testPatchSecurityOtherUser() {

  // The anonymous user is never allowed to modify other users.
  if (!static::$auth) {
    $this
      ->markTestSkipped();
  }
  $this
    ->initAuthentication();
  $this
    ->provisionEntityResource();

  /** @var \Drupal\user\UserInterface $user */
  $user = $this->account;
  $original_normalization = array_diff_key($this->serializer
    ->normalize($user, static::$format), [
    'changed' => TRUE,
  ]);

  // Since this test must be performed by the user that is being modified,
  // we cannot use $this->getUrl().
  $url = $user
    ->toUrl()
    ->setOption('query', [
    '_format' => static::$format,
  ]);
  $request_options = [
    RequestOptions::HEADERS => [
      'Content-Type' => static::$mimeType,
    ],
  ];
  $request_options = array_merge_recursive($request_options, $this
    ->getAuthenticationRequestOptions('PATCH'));
  $normalization = $original_normalization;
  $normalization['mail'] = [
    [
      'value' => 'new-email@example.com',
    ],
  ];
  $request_options[RequestOptions::BODY] = $this->serializer
    ->encode($normalization, static::$format);

  // Try changing user 1's email.
  $user1 = [
    'mail' => [
      [
        'value' => 'another_email_address@example.com',
      ],
    ],
    'uid' => [
      [
        'value' => 1,
      ],
    ],
    'name' => [
      [
        'value' => 'another_user_name',
      ],
    ],
    'pass' => [
      [
        'existing' => $this->account->passRaw,
      ],
    ],
    'uuid' => [
      [
        'value' => '2e9403a4-d8af-4096-a116-624710140be0',
      ],
    ],
  ] + $original_normalization;
  $request_options[RequestOptions::BODY] = $this->serializer
    ->encode($user1, static::$format);
  $response = $this
    ->request('PATCH', $url, $request_options);

  // Ensure the email address has not changed.
  $this
    ->assertEquals('admin@example.com', $this->entityStorage
    ->loadUnchanged(1)
    ->getEmail());
  $this
    ->assertResourceErrorResponse(403, "Access denied on updating field 'uid'. The entity ID cannot be changed.", $response);
}