
public function RestWSTestCase::testFieldAccess in RESTful Web Services 7

Same name and namespace in other branches
  1. 7.2 restws.test \RestWSTestCase::testFieldAccess()

Test field level access restrictions.

See also

restws_test_field_access()

File

./restws.test, line 164
RESTful web services tests.

Class

RestWSTestCase
@file RESTful web services tests.

Code

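/**
 * Tests that write access to a protected field is enforced over REST.
 *
 * Both test accounts hold 'bypass node access' and 'access resource node';
 * they differ only in 'administer users'. Any difference in outcome between
 * the two is therefore attributable to that one permission and not to node
 * access. The field-level rule itself is presumably implemented by
 * restws_test_field_access() in the restws_test module (not visible here).
 *
 * Coverage: create (PUT) and update (POST) of field_text. No GET is issued,
 * so read access to the protected field is not exercised by this method.
 */
public function testFieldAccess() {
  module_enable(array('restws_test'));

  // Attach a plain text field to page nodes. This is the field the test
  // module is expected to protect.
  field_create_field(array(
    'field_name' => 'field_text',
    'type' => 'text',
    'entity_types' => array('node'),
  ));
  field_create_instance(array(
    'label' => 'Text Field',
    'field_name' => 'field_text',
    'entity_type' => 'node',
    'bundle' => 'page',
    'settings' => array(),
    'required' => FALSE,
  ));

  // Create, denied: without "administer users" the request must be rejected
  // as a whole. The node must not be stored with the field silently dropped.
  $unprivileged_account = $this->drupalCreateUser(array(
    'bypass node access',
    'access resource node',
  ));
  $title = $this->randomName(8);
  $json = drupal_json_encode(array(
    'title' => $title,
    'type' => 'page',
    'field_text' => 'test',
  ));
  $this->httpRequest('node', 'PUT', $unprivileged_account, $json);
  $this->assertResponse('403');
  $nodes = entity_load('node', FALSE, array('title' => $title));
  $this->assertEqual(count($nodes), 0, "Node with access protected field wasn't created");

  // Create, allowed: the same payload succeeds once the permission is held.
  $privileged_account = $this->drupalCreateUser(array(
    'bypass node access',
    'access resource node',
    'administer users',
  ));
  $this->httpRequest('node', 'PUT', $privileged_account, $json);
  $this->assertResponse('201');

  // Look the node up by its random title instead of assuming it received
  // nid 1, so the test does not depend on the node table being empty.
  $nodes = entity_load('node', FALSE, array('title' => $title));
  if (!$this->assertEqual(count($nodes), 1, 'Exactly one node was created by the privileged account.')) {
    // Nothing to update; the remaining checks would only produce notices.
    return;
  }
  $created = reset($nodes);
  $nid = $created->nid;
  // Third argument resets the static cache so the stored value is read.
  $node = node_load($nid, NULL, TRUE);
  $this->assertEqual($node->field_text[LANGUAGE_NONE][0]['value'], 'test', 'Protected field was stored on create.');

  // Update, denied: unprivileged users must not be able to change the
  // protected field, and the stored value must stay untouched.
  $json = drupal_json_encode(array(
    'field_text' => 'newvalue',
  ));
  $result = $this->httpRequest('node/' . $nid, 'POST', $unprivileged_account, $json);
  $this->assertResponse('403');
  $this->assertEqual($result, '403 Forbidden: Not authorized to set property field_text');
  $node = node_load($nid, NULL, TRUE);
  $this->assertEqual($node->field_text[LANGUAGE_NONE][0]['value'], 'test', 'Protected field is unchanged after the rejected update.');

  // Update, allowed: the same payload is accepted with the permission.
  $this->httpRequest('node/' . $nid, 'POST', $privileged_account, $json);
  $this->assertResponse('200');
  $node = node_load($nid, NULL, TRUE);
  $this->assertEqual($node->field_text[LANGUAGE_NONE][0]['value'], 'newvalue', 'Protected field was updated by the privileged account.');
}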