public function ApiTest::testForbidden in Lightning API 8.4
Same name and namespace in other branches:
- 8.3: tests/src/Functional/ApiTest.php \Drupal\Tests\lightning_api\Functional\ApiTest::testForbidden()
Tests access to unauthorized data is denied, regardless of authentication.
File
- tests/src/Functional/ApiTest.php, line 265
Class
- ApiTest
- Tests that OAuth and JSON:API authenticate and authorize entity operations.
Namespace
Drupal\Tests\lightning_api\Functional

Code
public function testForbidden() {
  $this->createContentType([
    'type' => 'page',
  ]);

  // Cannot get unauthorized data (not in role/scope) even when authenticated.
  $response = $this->request('/jsonapi/user_role/user_role', 'get', $this->getCreator('page'));
  $body = $this->decodeResponse($response);
  $this->assertSame('array', gettype($body['meta']['omitted']['links']));
  $this->assertNotEmpty($body['meta']['omitted']['links']);
  // The 'help' entry is a documentation link, not an omitted resource, so drop it
  // before checking the per-resource access-denied details.
  unset($body['meta']['omitted']['links']['help']);
  foreach ($body['meta']['omitted']['links'] as $link) {
    // This user/client should not have access to any of the roles' data.
    $this->assertSame("The current user is not allowed to GET the selected resource. The 'administer permissions' permission is required.", $link['meta']['detail']);
  }

  // Cannot get unauthorized data anonymously.
  $unpublished_node = $this->drupalCreateNode()->setUnpublished();
  $unpublished_node->save();
  $url = $this->buildUrl('/jsonapi/node/page/' . $unpublished_node->uuid());
  // Unlike the roles test, which requests a list, JSON:API sends a 403 status
  // code when a specific unauthorized resource is requested instead of a list.
  // ClientException is GuzzleHttp\Exception\ClientException, imported at the
  // top of the test file; the http_client service is a Guzzle client.
  $this->expectException(ClientException::class);
  $this->expectExceptionMessage("Client error: `GET {$url}` resulted in a `403 Forbidden`");
  $this->container->get('http_client')->get($url);
}