public function UserTest::testPatchDxForSecuritySensitiveBaseFields in JSON:API 8.2
Tests PATCHing security-sensitive base fields of the logged in account.
Class
- UserTest
- JSON:API integration test for the "User" content entity type.
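/**
 * Tests PATCHing security-sensitive base fields of the logged in account.
 *
 * Walks through the server-side checks a user must pass when changing its own
 * `mail`, `pass` and `name` fields over JSON:API, asserting the developer
 * experience (DX) of every failure mode before the request that succeeds:
 * - 405 while the module is in read-only mode (only GET is advertised);
 * - 422 when changing the email or the password without the current password
 *   in `pass.existing`, or with a wrong one — the response body is the same
 *   for "missing" and "wrong", so it does not reveal which case applied;
 * - 403 when changing the username without the 'change own username'
 *   permission.
 *
 * The requests are authenticated as the account being modified, so once the
 * password has been changed the authentication request options are rebuilt
 * from the new password before any further request is sent.
 */
public function testPatchDxForSecuritySensitiveBaseFields() {
  // @todo Remove line below in favor of commented line in https://www.drupal.org/project/jsonapi/issues/2878463.
  // (sprintf() carried no format arguments here and was a no-op.)
  $url = Url::fromRoute('jsonapi.user--user.individual', [
    'entity' => $this->account->uuid(),
  ]);
  /* $url = $this->account->toUrl('jsonapi'); */
  $original_normalization = $this->normalize($this->account, $url);
  // @todo Remove the array_diff_key() call in https://www.drupal.org/node/2821077.
  $original_normalization['data']['attributes'] = array_diff_key($original_normalization['data']['attributes'], [
    'created' => TRUE,
    'changed' => TRUE,
    'name' => TRUE,
  ]);

  // Since this test must be performed by the user that is being modified,
  // we must use $this->account, not $this->entity. The options are produced
  // by a closure rather than built once, because the authentication options
  // are derived from $this->account->passRaw, which changes mid-test.
  $build_request_options = function (): array {
    $options = [];
    $options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
    $options[RequestOptions::HEADERS]['Content-Type'] = 'application/vnd.api+json';
    return NestedArray::mergeDeep($options, $this->getAuthenticationRequestOptions());
  };
  $request_options = $build_request_options();

  // Test case 1: changing email.
  $normalization = $original_normalization;
  $normalization['data']['attributes']['mail'] = 'new-email@example.com';
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 405 when read-only mode is enabled.
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceErrorResponse(405, sprintf("JSON:API is configured to accept only read operations. Site administrators can configure this at %s.", Url::fromUri('base:/admin/config/services/jsonapi')
    ->setAbsolute()
    ->toString(TRUE)
    ->getGeneratedUrl()), $url, $response);
  // Read-only mode must advertise GET as the only allowed method.
  $this->assertSame(['GET'], $response->getHeader('Allow'));
  $this->config('jsonapi.settings')
    ->set('read_only', FALSE)
    ->save(TRUE);

  // DX: 422 when changing email without providing the password.
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceErrorResponse(422, 'mail: Your current password is missing or incorrect; it\'s required to change the Email.', NULL, $response, '/data/attributes/mail');

  // DX: 422 when changing email while providing a wrong password. The message
  // is identical to the "missing password" case above.
  $normalization['data']['attributes']['pass']['existing'] = 'wrong';
  $request_options[RequestOptions::BODY] = Json::encode($normalization);
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceErrorResponse(422, 'mail: Your current password is missing or incorrect; it\'s required to change the Email.', NULL, $response, '/data/attributes/mail');

  // 200 for well-formed request. NOTE(review): only the status code is
  // asserted here; the stored email is not re-read to confirm the change.
  $normalization['data']['attributes']['pass']['existing'] = $this->account->passRaw;
  $request_options[RequestOptions::BODY] = Json::encode($normalization);
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceResponse(200, FALSE, $response);

  // Test case 2: changing password.
  $normalization = $original_normalization;
  // The email is sent again with the value set in test case 1, presumably so
  // the payload does not revert it to the original address — confirm.
  $normalization['data']['attributes']['mail'] = 'new-email@example.com';
  $new_password = $this->randomString();
  $normalization['data']['attributes']['pass']['value'] = $new_password;
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 422 when changing password without providing the current password.
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceErrorResponse(422, 'pass: Your current password is missing or incorrect; it\'s required to change the Password.', NULL, $response, '/data/attributes/pass');

  // 200 for well-formed request.
  $normalization['data']['attributes']['pass']['existing'] = $this->account->passRaw;
  $request_options[RequestOptions::BODY] = Json::encode($normalization);
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceResponse(200, FALSE, $response);

  // Verify that we can log in with the new password.
  $this->assertRpcLogin($this->account->getAccountName(), $new_password);

  // Update password in $this->account, prepare for future requests: the
  // authentication options must be rebuilt from the new password.
  $this->account->passRaw = $new_password;
  $request_options = $build_request_options();

  // Test case 3: changing name.
  $normalization = $original_normalization;
  $normalization['data']['attributes']['mail'] = 'new-email@example.com';
  $normalization['data']['attributes']['pass']['existing'] = $new_password;
  $normalization['data']['attributes']['name'] = 'Cooler Llama';
  $request_options[RequestOptions::BODY] = Json::encode($normalization);

  // DX: 403 when modifying username without required permission. Unlike
  // mail/pass, this is an access (permission) check, not a password check.
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceErrorResponse(403, 'The current user is not allowed to PATCH the selected field (name).', $url, $response, '/data/attributes/name');
  $this->grantPermissionsToTestedRole([
    'change own username',
  ]);

  // 200 for well-formed request.
  $response = $this->request('PATCH', $url, $request_options);
  $this->assertResourceResponse(200, FALSE, $response);

  // Verify that we can log in with the new username.
  $this->assertRpcLogin('Cooler Llama', $new_password);
}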