
public function RestWSTestCase::testPermissions in RESTful Web Services 7.2

Test that sensitive user data is hidden for the "access user profiles" permission and unpublished nodes.

File

./restws.test, line 493
RESTful web services tests.

Class

RestWSTestCase
@file RESTful web services tests.

Code

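/**
 * Tests that sensitive user data is hidden for the "access user profiles"
 * permission and that unpublished nodes are not listed.
 *
 * Three scenarios are exercised:
 * - Another user's profile requested with "access user profiles": the name
 *   must be returned, mail and roles must be absent.
 * - The requesting user's own profile: mail and roles must be returned.
 * - A node listing while an unpublished node exists: the list must be empty
 *   and the empty collection must not produce a 404.
 */
public function testPermissions() {

  // Test other user with "access user profiles" permission.
  $test_user = $this->drupalCreateUser();
  $account = $this->drupalCreateUser(array(
    'access resource user',
    'access user profiles',
  ));
  $result = $this->httpRequest('user/' . $test_user->uid . '.json', 'GET', $account);
  $user_array = drupal_json_decode($result);
  $this->assertEqual($test_user->name, $user_array['name'], 'User name was received correctly.');
  // Sensitive properties must not be exposed to a user who is only allowed to
  // view profiles.
  $this->assertFalse(isset($user_array['mail']), 'User mail is not present in the response.');
  $this->assertFalse(isset($user_array['roles']), 'User roles are not present in the response.');
  $this->assertResponse('200', 'HTTP response code is correct.');
  $this->assertEqual(curl_getinfo($this->curlHandle, CURLINFO_CONTENT_TYPE), 'application/json', 'HTTP content type is correct.');

  // Test the own user - access to sensitive information should be allowed.
  $result = $this->httpRequest('user/' . $account->uid . '.json', 'GET', $account);
  $user_array = drupal_json_decode($result);
  $this->assertEqual($account->name, $user_array['name'], 'User name was received correctly.');
  $this->assertEqual($account->mail, $user_array['mail'], 'User mail is present in the response.');
  // sort() sorts in place and returns a boolean, so the arrays must be sorted
  // first and then compared; comparing the return values of sort() would pass
  // for any two role sets.
  $expected_roles = array_keys($account->roles);
  sort($expected_roles);
  $received_roles = isset($user_array['roles']) ? $user_array['roles'] : array();
  sort($received_roles);
  $this->assertEqual($expected_roles, $received_roles, 'User roles are present in the response.');
  $this->assertResponse('200', 'HTTP response code is correct.');
  $this->assertEqual(curl_getinfo($this->curlHandle, CURLINFO_CONTENT_TYPE), 'application/json', 'HTTP content type is correct.');

  // Test node access with an unpublished node.
  $this->drupalCreateNode(array(
    'title' => 'foo',
    'status' => 0,
  ));
  $this->drupalLogout();
  $account = $this->drupalCreateUser(array(
    'access resource node',
  ));
  $this->drupalLogin($account);
  $result = $this->httpRequest('node.json', 'GET', $account);
  $nodes = drupal_json_decode($result);

  // No node should be returned. Guard against a missing 'list' key so the
  // assertion reports a failure rather than a notice from count().
  $node_list = isset($nodes['list']) ? $nodes['list'] : array();
  $this->assertEqual(count($node_list), 0, 'Unpublished node was successfully hidden.');
  $this->assertNoResponse(404, 'An empty collection should not cause a 404 response.');
}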