You are here

Home » API reference » RESTful 7.2 » RestfulEntityUserAccessTestCase.test » RestfulEntityUserAccessTestCase

public function RestfulEntityUserAccessTestCase::testViewAccess in RESTful 7.2

Same name and namespace in other branches
  1. 7 tests/RestfulEntityUserAccessTestCase.test \RestfulEntityUserAccessTestCase::testViewAccess()

Test access control for viewing the "users" resource.

File

tests/RestfulEntityUserAccessTestCase.test, line 37
Contains RestfulEntityUserAccessTestCase.

Class

RestfulEntityUserAccessTestCase
Class RestfulEntityUserAccessTestCase.

Code

public function testViewAccess() {
  $resource_manager = restful()
    ->getResourceManager();
  $user1 = $this
    ->drupalCreateUser();
  $user2 = $this
    ->drupalCreateUser(array(
    'access user profiles',
  ));

  // Non-privileged user.
  $handler = $resource_manager
    ->getPlugin('users:1.0');
  $handler
    ->setAccount($user1);
  try {
    $handler
      ->setRequest(Request::create('api/v1.0/users/' . $user2->uid));
    $handler
      ->setPath($user2->uid);
    $handler
      ->process();
    $this
      ->fail('Non-privileged user can view another user.');
  } catch (InaccessibleRecordException $e) {
    $this
      ->pass('Non-privileged user cannot view another user.');
  } catch (\Exception $e) {
    $this
      ->fail('Incorrect exception thrown for non-privileged user accessing another user.');
  }

  // Listing of users.
  $handler
    ->setRequest(Request::create('api/v1.0/users'));
  $handler
    ->setPath('');
  $result = drupal_json_decode(restful()
    ->getFormatterManager()
    ->format($handler
    ->process(), 'json'));
  $result = $result['data'];
  $this
    ->assertEqual($result[0]['self'], url('api/v1.0/users/0', array(
    'absolute' => TRUE,
  )));
  $this
    ->assertEqual($result[1]['self'], url('api/v1.0/users/2', array(
    'absolute' => TRUE,
  )));
  $this
    ->assertEqual(count($result), 2, 'Unprivileged users can only see themselves and the anonymous user.');

  // View own user account.
  $handler
    ->setRequest(Request::create('api/v1.0/users/' . $user1->uid));
  $handler
    ->setPath($user1->uid);
  $response = drupal_json_decode(restful()
    ->getFormatterManager()
    ->format($handler
    ->process(), 'json'));
  $response = $response['data'];
  $result = $response[0];
  $this
    ->assertEqual($result['mail'], $user1->mail, 'User can see own mail.');

  // Privileged user, watching another user's profile.
  $handler
    ->setAccount($user2);
  $response = drupal_json_decode(restful()
    ->getFormatterManager()
    ->format($handler
    ->process(), 'json'));
  $response = $response['data'];
  $result = $response[0];
  $expected_result = array(
    'id' => $user1->uid,
    'label' => $user1->name,
    'self' => $handler
      ->versionedUrl($user1->uid),
  );
  $this
    ->assertEqual($result, $expected_result, "Privileged user can access another user's resource.");

  // Listing of users.
  $handler
    ->setRequest(Request::create('api/v1.0/users'));
  $handler
    ->setPath('');
  $result = drupal_json_decode(restful()
    ->getFormatterManager()
    ->format($handler
    ->process(), 'json'));
  $result = $result['data'];

  // Check we have all the expected users count (user ID 1 and our declared
  // users plus the anon user).
  $this
    ->assertTrue(count($result) == 4, 'Privileged user can access listing of users.');
}