RestfulEntityUserAccessTestCase.test in RESTful 7.2

<?php

/**
 * @file
 * Contains RestfulEntityUserAccessTestCase.
 */
use Drupal\restful\Exception\InaccessibleRecordException;
use Drupal\restful\Http\Request;

/**
 * Class RestfulEntityUserAccessTestCase.
 */
class RestfulEntityUserAccessTestCase extends DrupalWebTestCase {

  /**
   * {@inheritdoc}
   */
  public static function getInfo() {
    return array(
      'name' => 'User resource access',
      'description' => 'Test access to the base "users" resource.',
      'group' => 'RESTful',
    );
  }

  /**
   * {@inheritdoc}
   */
  public function setUp() {
    parent::setUp('restful');
  }

  /**
   * Test access control for viewing the "users" resource.
   */
  public function testViewAccess() {
    $resource_manager = restful()
      ->getResourceManager();
    $user1 = $this
      ->drupalCreateUser();
    $user2 = $this
      ->drupalCreateUser(array(
      'access user profiles',
    ));

    // Non-privileged user.
    $handler = $resource_manager
      ->getPlugin('users:1.0');
    $handler
      ->setAccount($user1);
    try {
      $handler
        ->setRequest(Request::create('api/v1.0/users/' . $user2->uid));
      $handler
        ->setPath($user2->uid);
      $handler
        ->process();
      $this
        ->fail('Non-privileged user can view another user.');
    } catch (InaccessibleRecordException $e) {
      $this
        ->pass('Non-privileged user cannot view another user.');
    } catch (\Exception $e) {
      $this
        ->fail('Incorrect exception thrown for non-privileged user accessing another user.');
    }

    // Listing of users.
    $handler
      ->setRequest(Request::create('api/v1.0/users'));
    $handler
      ->setPath('');
    $result = drupal_json_decode(restful()
      ->getFormatterManager()
      ->format($handler
      ->process(), 'json'));
    $result = $result['data'];
    $this
      ->assertEqual($result[0]['self'], url('api/v1.0/users/0', array(
      'absolute' => TRUE,
    )));
    $this
      ->assertEqual($result[1]['self'], url('api/v1.0/users/2', array(
      'absolute' => TRUE,
    )));
    $this
      ->assertEqual(count($result), 2, 'Unprivileged users can only see themselves and the anonymous user.');

    // View own user account.
    $handler
      ->setRequest(Request::create('api/v1.0/users/' . $user1->uid));
    $handler
      ->setPath($user1->uid);
    $response = drupal_json_decode(restful()
      ->getFormatterManager()
      ->format($handler
      ->process(), 'json'));
    $response = $response['data'];
    $result = $response[0];
    $this
      ->assertEqual($result['mail'], $user1->mail, 'User can see own mail.');

    // Privileged user, watching another user's profile.
    $handler
      ->setAccount($user2);
    $response = drupal_json_decode(restful()
      ->getFormatterManager()
      ->format($handler
      ->process(), 'json'));
    $response = $response['data'];
    $result = $response[0];
    $expected_result = array(
      'id' => $user1->uid,
      'label' => $user1->name,
      'self' => $handler
        ->versionedUrl($user1->uid),
    );
    $this
      ->assertEqual($result, $expected_result, "Privileged user can access another user's resource.");

    // Listing of users.
    $handler
      ->setRequest(Request::create('api/v1.0/users'));
    $handler
      ->setPath('');
    $result = drupal_json_decode(restful()
      ->getFormatterManager()
      ->format($handler
      ->process(), 'json'));
    $result = $result['data'];

    // Check we have all the expected users count (user ID 1 and our declared
    // users plus the anon user).
    $this
      ->assertTrue(count($result) == 4, 'Privileged user can access listing of users.');
  }

}