public function ApiTest::testForbidden in Lightning API 8.3
Same name and namespace in other branches
- 8.4 tests/src/Functional/ApiTest.php \Drupal\Tests\lightning_api\Functional\ApiTest::testForbidden()
Tests that authenticated and anonymous users cannot get unauthorized data.
File
- tests/src/Functional/ApiTest.php, line 260
Class
- ApiTest
- Tests OAuth and JSON:API authentication and interactions with entities.
Namespace
Drupal\Tests\lightning_api\Functional
Code
public function testForbidden() {
  $this->createContentType([
    'type' => 'page',
  ]);

  // Cannot get unauthorized data (not in role/scope) even when authenticated.
  // The 'page' creator lacks 'administer permissions', so JSON:API returns the
  // collection with every role listed under meta.omitted instead of in data.
  $response = $this->request('/jsonapi/user_role/user_role', 'get', $this->getCreator('page'));
  $body = $this->decodeResponse($response);
  $this->assertInternalType('array', $body['meta']['omitted']['links']);
  $this->assertNotEmpty($body['meta']['omitted']['links']);
  // The 'help' link is documentation, not an omitted resource.
  unset($body['meta']['omitted']['links']['help']);
  foreach ($body['meta']['omitted']['links'] as $link) {
    // This user/client should not have access to any of the roles' data.
    $this->assertSame("The current user is not allowed to GET the selected resource. The 'administer permissions' permission is required.", $link['meta']['detail']);
  }

  // Cannot get unauthorized data anonymously.
  $unpublished_node = $this->drupalCreateNode()->setUnpublished();
  $unpublished_node->save();
  $url = $this->buildUrl('/jsonapi/node/page/' . $unpublished_node->uuid());
  // Unlike the roles test which requests a list, JSON:API sends a 403 status
  // code when requesting a specific unauthorized resource instead of a list.
  // ClientException is GuzzleHttp\Exception\ClientException, imported by the
  // class file; the anonymous http_client request must raise it.
  $this->setExpectedException(ClientException::class, "Client error: `GET {$url}` resulted in a `403 Forbidden`");
  $this->container->get('http_client')->get($url);
}
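The test above relies on a JSON:API behaviour worth checking from the client side as well: a collection request never errors for inaccessible items, it silently drops them and records each one under meta.omitted.links with a meta.detail reason, while the help entry in that same links map is only documentation. The following Python audit is an added example, not part of the Lightning API test suite or Drupal's JSON:API module; the response body and the UUIDs in it are constructed to match the shape the test asserts on, and the example generalizes the test by also handling a response in which nothing was omitted.

```python
"""Audit a decoded Drupal JSON:API collection response for omitted resources.

Added example (not Lightning API or Drupal code). It mirrors the page's test:
resources the caller may not read appear under meta.omitted.links, each with a
meta.detail explaining why; the 'help' link is documentation and is skipped.
"""
import json

# Marker taken from the detail string the page's test asserts on.
ACCESS_DENIED_MARKER = "is not allowed to GET the selected resource"

# Constructed sample of what /jsonapi/user_role/user_role returns to a user
# without 'administer permissions'. Hostname and UUIDs are made up.
SAMPLE_RESPONSE = json.dumps({
    "jsonapi": {"version": "1.0"},
    "data": [],
    "meta": {
        "omitted": {
            "detail": "Some resources have been omitted because of insufficient authorization.",
            "links": {
                "help": {
                    "href": "https://www.drupal.org/docs/8/modules/json-api/filtering#filters-access-control",
                },
                "item--0": {
                    "href": "http://example.test/jsonapi/user_role/user_role/11111111-1111-1111-1111-111111111111",
                    "meta": {"detail": "The current user is not allowed to GET the selected resource. The 'administer permissions' permission is required."},
                },
                "item--1": {
                    "href": "http://example.test/jsonapi/user_role/user_role/22222222-2222-2222-2222-222222222222",
                    "meta": {"detail": "The current user is not allowed to GET the selected resource. The 'administer permissions' permission is required."},
                },
            },
        }
    },
})

# Constructed sample for a caller who may read everything: no meta.omitted at all.
SAMPLE_RESPONSE_NOTHING_OMITTED = json.dumps({
    "jsonapi": {"version": "1.0"},
    "data": [{"type": "user_role--user_role", "id": "11111111-1111-1111-1111-111111111111"}],
})


def omitted_resources(body):
    """Return {href: detail} for each omitted resource, excluding the 'help' link.

    Returns an empty dict when meta.omitted is absent, i.e. nothing was omitted.
    """
    links = body.get("meta", {}).get("omitted", {}).get("links", {})
    return {
        link["href"]: link.get("meta", {}).get("detail", "")
        for name, link in links.items()
        if name != "help"
    }


def audit_collection(body):
    """Summarize a collection response from an access-control point of view.

    'omitted' counts resources withheld from the caller, 'returned' counts those
    actually delivered, and 'unexpected_reasons' lists omitted hrefs whose detail
    is not the access-denied message (anything else deserves a closer look).
    """
    omitted = omitted_resources(body)
    unexpected = [href for href, detail in omitted.items() if ACCESS_DENIED_MARKER not in detail]
    return {
        "omitted": len(omitted),
        "returned": len(body.get("data", [])),
        "unexpected_reasons": unexpected,
    }


if __name__ == "__main__":
    print(audit_collection(json.loads(SAMPLE_RESPONSE)))
    print(audit_collection(json.loads(SAMPLE_RESPONSE_NOTHING_OMITTED)))
```

Run against a real instance, the same function lets a defender confirm that a low-privilege client sees roles only as omitted entries and never in data, which is the property the page's test locks in for the creator role.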