
public function RestfulEntityAndPropertyAccessTestCase::testUpdateAccess in RESTful 7.2

Same name and namespace in other branches
  1. 7 tests/RestfulEntityAndPropertyAccessTestCase.test \RestfulEntityAndPropertyAccessTestCase::testUpdateAccess()

Test access control for updating an entity.

File

tests/RestfulEntityAndPropertyAccessTestCase.test, line 79
Contains RestfulEntityAndPropertyAccessTestCase

Class

RestfulEntityAndPropertyAccessTestCase

Code

/**
 * Test access control for updating an entity.
 *
 * Sends PUT requests for a single article node to the 'test_articles:1.0'
 * resource under different accounts, and records which requests are rejected
 * (signalled by an exception) and which succeed.
 */
public function testUpdateAccess() {
  $put = \Drupal\restful\Http\RequestInterface::METHOD_PUT;

  // Fixture: one article node, plus the label the requests try to set on it.
  $original_label = $this->randomName();
  $updated_label = $this->randomName();
  $article = $this->drupalCreateNode(array(
    'type' => 'article',
    'title' => $original_label,
  ));
  $nid = $article->nid;
  $resource = restful()->getResourceManager()->getPlugin('test_articles:1.0');
  $payload = array(
    'label' => $updated_label,
  );

  // Case 1: an account created with no extra permissions must be rejected.
  // NOTE(review): catching the base Exception means any failure (not only an
  // access denial) is recorded as a pass. Narrowing the catch to the
  // exception class the handler raises on denied access would make this
  // assertion stricter; the class is not visible here, so confirm it first.
  $unprivileged_account = $this->drupalCreateUser();
  try {
    $resource->setAccount($unprivileged_account);
    $this->doRequest($put, $resource, $payload, $nid);
    $this->fail('Non-privileged user can update entity.');
  }
  catch (Exception $e) {
    $this->pass('Non-privileged user cannot update entity.');
  }

  // Case 2: an account holding 'edit any article content' may update, and the
  // response must describe the same entity with the new label.
  $editor_account = $this->drupalCreateUser(array(
    'edit any article content',
  ));
  $resource->setAccount($editor_account);
  $updated = $this->doRequest($put, $resource, $payload, $nid);
  $this->assertTrue($updated['data'][0], 'Privileged user can update entity.');
  $this->assertEqual($updated['data'][0]['id'], $nid, 'Updated entity has the same entity ID.');
  $this->assertEqual($updated['data'][0]['label'], $updated_label, 'Entity label was updated.');

  // Case 3: same privileged account after restful_test_deny_access_field()
  // (presumably restricts access to one property; helper is defined
  // elsewhere). The request does not include that property, so it must
  // still succeed.
  restful_test_deny_access_field();
  $resource->setAccount($editor_account);
  $restricted = $this->doRequest($put, $resource, $payload, $nid);
  $this->assertTrue($restricted['data'][0], 'Privileged user can update entity, with limited access to property.');

  // Case 4: the request now also carries 'body'. The original comment
  // describes this as "privileged user, with limited access to property, and
  // that property passed in the request".
  // NOTE(review): the account set below is the non-privileged one, which case
  // 1 already shows being rejected without 'body' in the request. As written,
  // this case cannot tell property-level denial apart from entity-level
  // denial, so a regression in property access checks would not be caught
  // here. Confirm whether the privileged account was intended.
  $payload['body'] = $this->randomName();
  try {
    $resource->setAccount($unprivileged_account);
    $this->doRequest($put, $resource, $payload, $nid);
    $this->fail('Non-privileged user can update entity with inaccessible property that was passed in the request.');
  }
  catch (Exception $e) {
    $this->pass('Non-privileged user cannot update entity with inaccessible property that was passed in the request.');
  }

  // Undo the restriction enabled before case 3. This line is skipped if the
  // unguarded request in case 3 throws.
  restful_test_clear_access_field();
}