public function RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromClient in Simple OAuth (OAuth2) & OpenID Connect 8.3

Same name and namespace in other branches
  1. 8.2 simple_oauth_extras/tests/src/Functional/RolesNegotiationFunctionalTest.php \Drupal\Tests\simple_oauth_extras\Functional\RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromClient()

Tests access to own unpublished node, but with the role removed from the client.

File

simple_oauth_extras/tests/src/Functional/RolesNegotiationFunctionalTest.php, line 181

Class

RolesNegotiationFunctionalTest
@group simple_oauth_extras

Namespace

Drupal\Tests\simple_oauth_extras\Functional

Code

public function testRequestWithRoleRemovedFromClient() {
  // Request a token for the 'oof' role while the client still allows it.
  $access_token = $this->getAccessToken(['oof']);

  // Get detailed information about the authenticated user.
  $response = $this->get($this->tokenTestUrl, [
    'query' => ['_format' => 'json'],
    'headers' => ['Authorization' => 'Bearer ' . $access_token],
  ]);
  $parsed_response = Json::decode((string) $response->getBody());
  $this->assertEquals($this->user->id(), $parsed_response['id']);
  $this->assertEquals(['authenticated', 'oof'], $parsed_response['roles']);
  $this->assertTrue($parsed_response['permissions']['delete own simple_oauth entities']['access']);

  // Remove every role from the client.
  $this->client->set('roles', []);

  // After saving the client entity, the token should be deleted.
  $this->client->save();

  // User should NOT have access to view own simple_oauth entities,
  // because the scope is indicated in the token request, but
  // missing from the client content entity.
  $response = $this->get($this->tokenTestUrl, [
    'query' => ['_format' => 'json'],
    'headers' => ['Authorization' => 'Bearer ' . $access_token],
  ]);
  $parsed_response = Json::decode((string) $response->getBody());

  // The token was successfully removed. The negotiated user is the anonymous
  // user.
  $this->assertEquals(0, $parsed_response['id']);
  $this->assertEquals(['anonymous'], $parsed_response['roles']);
  $this->assertFalse($parsed_response['permissions']['view own simple_oauth entities']['access']);

  // Request a fresh token, still asking for the 'oof' role.
  $access_token = $this->getAccessToken(['oof']);

  // Get detailed information about the authenticated user. The 'oof' role is
  // no longer allowed on the client, so only 'authenticated' is granted.
  $response = $this->get($this->tokenTestUrl, [
    'query' => ['_format' => 'json'],
    'headers' => ['Authorization' => 'Bearer ' . $access_token],
  ]);
  $parsed_response = Json::decode((string) $response->getBody());
  $this->assertEquals($this->user->id(), $parsed_response['id']);
  $this->assertEquals(['authenticated'], $parsed_response['roles']);
  $this->assertFalse($parsed_response['permissions']['delete own simple_oauth entities']['access']);
}