public function UserTest::testPatchDxForSecuritySensitiveBaseFields in JSON:API 8

Same name and namespace in other branches
8.2 tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testPatchDxForSecuritySensitiveBaseFields()
Tests PATCHing security-sensitive base fields of the logged in account.
File

tests/src/Functional/UserTest.php, line 191
Class

UserTest: JSON API integration test for the "User" content entity type.
Namespace

Drupal\Tests\jsonapi\Functional
Code

public function testPatchDxForSecuritySensitiveBaseFields() {

  // @todo Remove line below in favor of commented line in https://www.drupal.org/project/jsonapi/issues/2878463.
  $url = Url::fromRoute(sprintf('jsonapi.user--user.individual'), [
    'user' => $this->account
      ->uuid(),
  ]);

  /* $url = $this->account->toUrl('jsonapi'); */
  $original_normalization = $this
    ->normalize($this->account, $url);

  // @todo Remove the array_diff_key() call in https://www.drupal.org/node/2821077.
  $original_normalization['data']['attributes'] = array_diff_key($original_normalization['data']['attributes'], [
    'created' => TRUE,
    'changed' => TRUE,
    'name' => TRUE,
  ]);

  // Since this test must be performed by the user that is being modified,
  // we must use $this->account, not $this->entity.
  $request_options = [];
  $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
  $request_options = NestedArray::mergeDeep($request_options, $this
    ->getAuthenticationRequestOptions());

  // Test case 1: changing email.
  $normalization = $original_normalization;
  $normalization['data']['attributes']['mail'] = 'new-email@example.com';
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 422 when changing email without providing the password.
  $response = $this
    ->request('PATCH', $url, $request_options);

  // @todo Remove $expected + assertResourceResponse() in favor of the commented line below once https://www.drupal.org/project/jsonapi/issues/2943176 lands.
  $expected_document = [
    'errors' => [
      [
        'title' => 'Unprocessable Entity',
        'status' => 422,
        'detail' => 'mail: Your current password is missing or incorrect; it\'s required to change the Email.',
        'code' => 0,
        'source' => [
          'pointer' => '/data/attributes/mail',
        ],
      ],
    ],
  ];
  $this
    ->assertResourceResponse(422, $expected_document, $response);

  /* $this->assertResourceErrorResponse(422, 'Unprocessable Entity', 'mail: Your current password is missing or incorrect; it\'s required to change the Email.', $response, '/data/attributes/mail'); */
  $normalization['data']['attributes']['pass']['existing'] = 'wrong';
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 422 when changing email while providing a wrong password.
  $response = $this
    ->request('PATCH', $url, $request_options);
  $this
    ->assertResourceResponse(422, $expected_document, $response);
  $normalization['data']['attributes']['pass']['existing'] = $this->account->passRaw;
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // 200 for well-formed request.
  $response = $this
    ->request('PATCH', $url, $request_options);
  $this
    ->assertResourceResponse(200, FALSE, $response);

  // Test case 2: changing password.
  $normalization = $original_normalization;
  $normalization['data']['attributes']['mail'] = 'new-email@example.com';
  $new_password = $this
    ->randomString();
  $normalization['data']['attributes']['pass']['value'] = $new_password;
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 422 when changing password without providing the current password.
  $response = $this
    ->request('PATCH', $url, $request_options);

  // @todo Remove $expected + assertResourceResponse() in favor of the commented line below once https://www.drupal.org/project/jsonapi/issues/2943176 lands.
  $expected_document = [
    'errors' => [
      [
        'title' => 'Unprocessable Entity',
        'status' => 422,
        'detail' => 'pass: Your current password is missing or incorrect; it\'s required to change the Password.',
        'code' => 0,
        'source' => [
          'pointer' => '/data/attributes/pass',
        ],
      ],
    ],
  ];
  $this
    ->assertResourceResponse(422, $expected_document, $response);

  /* $this->assertResourceErrorResponse(422, 'Unprocessable Entity', 'pass: Your current password is missing or incorrect; it\'s required to change the Password.', $response, '/data/attributes/pass'); */
  $normalization['data']['attributes']['pass']['existing'] = $this->account->passRaw;
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // 200 for well-formed request.
  $response = $this
    ->request('PATCH', $url, $request_options);
  $this
    ->assertResourceResponse(200, FALSE, $response);

  // Verify that we can log in with the new password.
  $this
    ->assertRpcLogin($this->account
    ->getAccountName(), $new_password);

  // Update password in $this->account, prepare for future requests.
  $this->account->passRaw = $new_password;
  $request_options = [];
  $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
  $request_options = NestedArray::mergeDeep($request_options, $this
    ->getAuthenticationRequestOptions());

  // Test case 3: changing name.
  $normalization = $original_normalization;
  $normalization['data']['attributes']['mail'] = 'new-email@example.com';
  $normalization['data']['attributes']['pass']['existing'] = $new_password;
  $normalization['data']['attributes']['name'] = 'Cooler Llama';
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 403 when modifying username without required permission.
  $response = $this
    ->request('PATCH', $url, $request_options);

  // @todo Remove $expected + assertResourceResponse() in favor of the commented line below once https://www.drupal.org/project/jsonapi/issues/2943176 lands.
  $expected_document = [
    'errors' => [
      [
        'title' => 'Forbidden',
        'status' => 403,
        'detail' => 'The current user is not allowed to PATCH the selected field (name).',
        'links' => [
          'info' => HttpExceptionNormalizer::getInfoUrl(403),
        ],
        'code' => 0,
        'id' => '/user--user/' . $this->account
          ->uuid(),
        'source' => [
          'pointer' => '/data/attributes/name',
        ],
      ],
    ],
  ];
  $this
    ->assertResourceResponse(403, $expected_document, $response);

  /* $this->assertResourceErrorResponse(403, 'Forbidden', 'The current user is not allowed to PATCH the selected field (name).', $response, '/data/attributes/name'); */
  $this
    ->grantPermissionsToTestedRole([
    'change own username',
  ]);

  // 200 for well-formed request.
  $response = $this
    ->request('PATCH', $url, $request_options);
  $this
    ->assertResourceResponse(200, FALSE, $response);

  // Verify that we can log in with the new username.
  $this
    ->assertRpcLogin('Cooler Llama', $new_password);
}
You are here

public function UserTest::testPatchDxForSecuritySensitiveBaseFields in JSON:API 8

File

Class

Namespace

Code

API Navigation
