public function UserTest::testGetMailFieldOnlyVisibleToOwner in JSON:API 8.2
Tests GETting privacy-sensitive base fields.
File
- tests/src/Functional/UserTest.php, line 367
Class
- UserTest
- JSON:API integration test for the "User" content entity type.
Namespace
Drupal\Tests\jsonapi\Functional
Code
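/**
 * Tests GETting privacy-sensitive base fields.
 *
 * The "mail" base field must be readable only by the account that owns it.
 * Two accounts with identical roles (and hence identical permissions) each
 * see their own "mail" attribute but not the other's, both on the individual
 * resource and in the collection. A regression here would disclose e-mail
 * addresses to every user holding "access user profiles".
 */
public function testGetMailFieldOnlyVisibleToOwner() {
  // Create user B, with the same roles (and hence permissions) as user A.
  $user_a = $this->account;
  $pass = user_password();
  $user_b = User::create([
    'name' => 'sibling-of-' . $user_a->getAccountName(),
    'mail' => 'sibling-of-' . $user_a->getAccountName() . '@example.com',
    'pass' => $pass,
    'status' => 1,
    'roles' => $user_a->getRoles(),
  ]);
  $user_b->save();
  // The raw password is kept on the account object; presumably it is what
  // getAuthenticationRequestOptions() uses once $this->account is switched to
  // user B below — confirm against the base test class.
  $user_b->passRaw = $pass;
  // Grant permission to role that both users use.
  $this->grantPermissionsToTestedRole(['access user profiles']);

  // Sorting by uid makes the positions in the collection deterministic: user A
  // is expected at index 2 (presumably preceded by the anonymous and admin
  // accounts — confirm against the base test setup) and user B, created last,
  // at the final index.
  $collection_url = Url::fromRoute('jsonapi.user--user.collection', [], [
    'query' => [
      'sort' => 'drupal_internal__uid',
    ],
  ]);
  // @todo Remove line below in favor of commented line in https://www.drupal.org/project/jsonapi/issues/2878463.
  $user_a_url = Url::fromRoute('jsonapi.user--user.individual', [
    'entity' => $user_a->uuid(),
  ]);
  /* $user_a_url = $user_a->toUrl('jsonapi'); */
  $request_options = [];
  $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
  $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());

  // Viewing user A as user A: "mail" field is accessible.
  $doc = $this->requestJsonApiDocument($user_a_url, $request_options);
  $this->assertArrayHasKey('mail', $doc['data']['attributes']);
  // Also when looking at the collection.
  $doc = $this->requestJsonApiDocument($collection_url, $request_options);
  $last = count($doc['data']) - 1;
  $this->assertSame($user_a->uuid(), $doc['data'][2]['id']);
  $this->assertArrayHasKey('mail', $doc['data'][2]['attributes'], "Own user--user resource's 'mail' field is visible.");
  $this->assertSame($user_b->uuid(), $doc['data'][$last]['id']);
  $this->assertArrayNotHasKey('mail', $doc['data'][$last]['attributes']);

  // Now request the same URLs, but as user B (same roles/permissions).
  $this->account = $user_b;
  $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
  // Viewing user A as user B: "mail" field should be inaccessible.
  $doc = $this->requestJsonApiDocument($user_a_url, $request_options);
  $this->assertArrayNotHasKey('mail', $doc['data']['attributes']);
  // Also when looking at the collection.
  $doc = $this->requestJsonApiDocument($collection_url, $request_options);
  $last = count($doc['data']) - 1;
  $this->assertSame($user_a->uuid(), $doc['data'][2]['id']);
  $this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
  $this->assertSame($user_b->uuid(), $doc['data'][$last]['id']);
  $this->assertArrayHasKey('mail', $doc['data'][$last]['attributes']);
}

/**
 * Performs a GET request and decodes the JSON:API response body.
 *
 * @param \Drupal\Core\Url $url
 *   The URL to request.
 * @param array $request_options
 *   Request options, including the Accept header and authentication.
 *
 * @return array
 *   The decoded JSON:API document.
 */
private function requestJsonApiDocument(Url $url, array $request_options) {
  $response = $this->request('GET', $url, $request_options);
  return Json::decode((string) $response->getBody());
}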