public function RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromUser in Simple OAuth (OAuth2) & OpenID Connect 5.x

Same name and namespace in other branches
  1. 8.4 tests/src/Functional/RolesNegotiationFunctionalTest.php \Drupal\Tests\simple_oauth\Functional\RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromUser()

Test access to own published node with missing role on User entity.

File

tests/src/Functional/RolesNegotiationFunctionalTest.php, line 146

Class

RolesNegotiationFunctionalTest
Tests for the roles negotiation.

Namespace

Drupal\Tests\simple_oauth\Functional

Code

public function testRequestWithRoleRemovedFromUser() {
  $access_token = $this->getAccessToken(['foo', 'bar']);

  // Get detailed information about the authenticated user.
  $response = $this->get($this->tokenTestUrl, [
    'query' => ['_format' => 'json'],
    'headers' => ['Authorization' => 'Bearer ' . $access_token],
  ]);
  $parsed_response = Json::decode((string) $response->getBody());
  $this->assertEquals($this->user->id(), $parsed_response['id']);
  $this->assertEquals(['foo', 'bar', 'authenticated', 'oof'], $parsed_response['roles']);
  $this->assertTrue($parsed_response['permissions']['view own simple_oauth entities']['access']);
  $this->assertTrue($parsed_response['permissions']['administer simple_oauth entities']['access']);
  $this->user->removeRole('bar');
  $this->user->save();

  // We have edited the user, but there was a non-expired existing token for
  // that user. Even though the TokenUser has the roles assigned, the
  // underlying user doesn't, so access should not be granted.
  $response = $this->get($this->tokenTestUrl, [
    'query' => ['_format' => 'json'],
    'headers' => ['Authorization' => 'Bearer ' . $access_token],
  ]);

  // The token was successfully removed and we were denied access.
  $this->assertEquals(401, $response->getStatusCode());

  // Request the access token again. This time the user doesn't have the role
  // requested at the time of generating the token.
  $access_token = $this->getAccessToken(['foo', 'bar']);
  $response = $this->get($this->tokenTestUrl, [
    'query' => ['_format' => 'json'],
    'headers' => ['Authorization' => 'Bearer ' . $access_token],
  ]);
  $parsed_response = Json::decode((string) $response->getBody());

  // The negotiated user is the expected user.
  $this->assertEquals($this->user->id(), $parsed_response['id']);
  $this->assertEquals(['foo', 'authenticated', 'oof'], $parsed_response['roles']);
  $this->assertTrue($parsed_response['permissions']['view own simple_oauth entities']['access']);
  $this->assertFalse($parsed_response['permissions']['administer simple_oauth entities']['access']);
}
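The property this test pins down is that a bearer token's negotiated roles are not trusted on their own: on every request the resource server re-checks them against the user record as it is now, and a still-valid token whose roles the user has since lost is revoked and answered with 401, while a freshly issued token only carries the roles the user still holds. The following is an added, language-agnostic model of that check written for this page; it is not simple_oauth code. The `ResourceServer`, `User` and `Token` names, the hard-coded `ROLE_PERMISSIONS` table and the treatment of `authenticated` as an implicit role are assumptions made so the example runs offline.

```python
# Constructed model of the behaviour exercised by
# RolesNegotiationFunctionalTest::testRequestWithRoleRemovedFromUser.
# Not simple_oauth code: class names, the role->permission table and the
# implicit 'authenticated' role are assumptions for this illustration.
from dataclasses import dataclass
import secrets
import time

# Assumed role -> permission mapping (Drupal reads this from role config;
# here it is hard-coded so the example is self-contained).
ROLE_PERMISSIONS = {
    "authenticated": {"view own simple_oauth entities"},
    "bar": {"administer simple_oauth entities"},
}


@dataclass
class User:
    uid: int
    roles: set


@dataclass
class Token:
    value: str
    uid: int
    scopes: frozenset  # roles negotiated when the token was issued
    expires_at: float


class ResourceServer:
    def __init__(self):
        self.users = {}
        self.tokens = {}

    def add_user(self, user):
        self.users[user.uid] = user

    def issue_token(self, uid, requested_scopes, ttl=3600):
        """Grant only the requested scopes that are roles the user holds now."""
        user = self.users[uid]
        granted = frozenset(requested_scopes) & user.roles
        token = Token(secrets.token_urlsafe(32), uid, granted, time.time() + ttl)
        self.tokens[token.value] = token
        return token.value

    def authenticate(self, bearer):
        """Validate a bearer token against the *current* user record.

        Returns (status, payload): 401 and no payload when the token is
        unknown or expired, or when the underlying user has lost any role
        the token carries; in that last case the stale token is revoked.
        """
        token = self.tokens.get(bearer)
        if token is None or token.expires_at <= time.time():
            return 401, None
        user = self.users[token.uid]
        if not token.scopes <= user.roles:
            # The token still carries the role, the real user does not.
            del self.tokens[bearer]
            return 401, None
        roles = set(token.scopes) | {"authenticated"}
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        permissions = {
            perm: {"access": perm in granted}
            for perms in ROLE_PERMISSIONS.values()
            for perm in perms
        }
        return 200, {"id": user.uid, "roles": sorted(roles), "permissions": permissions}


def run_scenario():
    """Replays the three steps of the functional test and returns their outcomes."""
    server = ResourceServer()
    server.add_user(User(uid=2, roles={"foo", "bar"}))

    first = server.issue_token(2, ["foo", "bar"])
    status1, body1 = server.authenticate(first)

    server.users[2].roles.discard("bar")         # role removed from the user
    status2, body2 = server.authenticate(first)  # same, still unexpired token

    second = server.issue_token(2, ["foo", "bar"])
    status3, body3 = server.authenticate(second)
    return (status1, body1), (status2, body2), (status3, body3)


if __name__ == "__main__":
    for status, body in run_scenario():
        print(status, body)
```

The design point is in `authenticate`: the check is `token.scopes <= user.roles`, a subset test against live data, not a comparison against what was true at issuance. Caching the role list inside the token (or in a TokenUser object built from it) is fine for performance only if something like this re-validation runs before permissions are computed from it.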