public function RestWSBasicAuthTestCase::testCachePoisoning in RESTful Web Services 7
Same name and namespace in other branches
- 7.2 restws_basic_auth/restws_basic_auth.test \RestWSBasicAuthTestCase::testCachePoisoning()
Tests that an authenticated user response never gets into the page cache.
File
- restws_basic_auth/
restws_basic_auth.test, line 31 - RESTWS Basic Auth tests.
Class
- RestWSBasicAuthTestCase
- @file RESTWS Basic Auth tests.
Code
public function testCachePoisoning() {
// Enable page caching.
variable_set('cache', 1);
// Allow anyone to access the user resource.
user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array(
'access resource user',
'access user profiles',
));
user_role_grant_permissions(DRUPAL_AUTHENTICATED_RID, array(
'access resource user',
'access user profiles',
));
// Create an admin account that is allowed to read emails of users.
$admin = $this
->drupalCreateUser(array(
'administer users',
));
// The user name must start with "restws" in order to be able to
// authenticate.
$admin->name = 'restws_' . $admin->name;
user_save($admin);
$response = $this
->httpRequest('user/1.json', $admin);
$this
->assertResponse(200);
// Now access the resource as anonymous user and make sure that the response
// is not in the page cache.
$response = $this
->httpRequest('user/1.json');
$this
->assertResponse(200);
$response = drupal_json_decode($response);
$this
->assertTrue(empty($response['mail']), 'Protected email property is not present on response for anonymous users.');
// Access the resource as admin again and make sure that the response is not
// from the page cache.
$response = $this
->httpRequest('user/1.json', $admin);
$this
->assertResponse(200);
$response = drupal_json_decode($response);
$this
->assertFalse(empty($response['mail']), 'Protected email property is present on response for admin users.');
// Restrict access to view profiles for non-restws tests.
user_role_revoke_permissions(DRUPAL_ANONYMOUS_RID, array(
'access user profiles',
));
// Access non-restws resource as admin.
$response = $this
->httpRequest('user/1', $admin);
$this
->assertResponse(200, 'Admin can view user/1 (cache not set)');
// Access non-restws resource as anonymous and ensure denied.
$response = $this
->httpRequest('user/1');
$this
->assertResponse(403, 'Anonymous gets a 403 for user/1 after admin requested user/1');
}