You are here

public function UserTest::testGetMailFieldOnlyVisibleToOwner in JSON:API 8.2

Same name and namespace in other branches
  1. 8 tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()

Tests GETting privacy-sensitive base fields.

File

tests/src/Functional/UserTest.php, line 367

Class

UserTest
JSON:API integration test for the "User" content entity type.

Namespace

Drupal\Tests\jsonapi\Functional

Code

public function testGetMailFieldOnlyVisibleToOwner() {

  // Create user B, with the same roles (and hence permissions) as user A.
  $user_a = $this->account;
  $pass = user_password();
  $user_b = User::create([
    'name' => 'sibling-of-' . $user_a
      ->getAccountName(),
    'mail' => 'sibling-of-' . $user_a
      ->getAccountName() . '@example.com',
    'pass' => $pass,
    'status' => 1,
    'roles' => $user_a
      ->getRoles(),
  ]);
  $user_b
    ->save();
  $user_b->passRaw = $pass;

  // Grant permission to role that both users use.
  $this
    ->grantPermissionsToTestedRole([
    'access user profiles',
  ]);
  $collection_url = Url::fromRoute('jsonapi.user--user.collection', [], [
    'query' => [
      'sort' => 'drupal_internal__uid',
    ],
  ]);

  // @todo Remove line below in favor of commented line in https://www.drupal.org/project/jsonapi/issues/2878463.
  $user_a_url = Url::fromRoute(sprintf('jsonapi.user--user.individual'), [
    'entity' => $user_a
      ->uuid(),
  ]);

  /* $user_a_url = $user_a->toUrl('jsonapi'); */
  $request_options = [];
  $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
  $request_options = NestedArray::mergeDeep($request_options, $this
    ->getAuthenticationRequestOptions());

  // Viewing user A as user A: "mail" field is accessible.
  $response = $this
    ->request('GET', $user_a_url, $request_options);
  $doc = Json::decode((string) $response
    ->getBody());
  $this
    ->assertArrayHasKey('mail', $doc['data']['attributes']);

  // Also when looking at the collection.
  $response = $this
    ->request('GET', $collection_url, $request_options);
  $doc = Json::decode((string) $response
    ->getBody());
  $this
    ->assertSame($user_a
    ->uuid(), $doc['data']['2']['id']);
  $this
    ->assertArrayHasKey('mail', $doc['data'][2]['attributes'], "Own user--user resource's 'mail' field is visible.");
  $this
    ->assertSame($user_b
    ->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
  $this
    ->assertArrayNotHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);

  // Now request the same URLs, but as user B (same roles/permissions).
  $this->account = $user_b;
  $request_options = NestedArray::mergeDeep($request_options, $this
    ->getAuthenticationRequestOptions());

  // Viewing user A as user B: "mail" field should be inaccessible.
  $response = $this
    ->request('GET', $user_a_url, $request_options);
  $doc = Json::decode((string) $response
    ->getBody());
  $this
    ->assertArrayNotHasKey('mail', $doc['data']['attributes']);

  // Also when looking at the collection.
  $response = $this
    ->request('GET', $collection_url, $request_options);
  $doc = Json::decode((string) $response
    ->getBody());
  $this
    ->assertSame($user_a
    ->uuid(), $doc['data']['2']['id']);
  $this
    ->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
  $this
    ->assertSame($user_b
    ->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
  $this
    ->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
}