function UserTest::testCollectionFilterAccess

File

core/modules/jsonapi/tests/src/Functional/UserTest.php, line 512

Class

UserTest
JSON:API integration test for the "User" content entity type.

Namespace

Drupal\Tests\jsonapi\Functional

Code

/**
 * Tests that collection filters do not expose users the requester cannot view.
 *
 * The test escalates the tested role in three steps ('access content', then
 * 'access user profiles', then 'administer users') and re-issues the same
 * filtered collection requests after each step. At every step a filter that
 * targets a user, or a user field, that the requester may not view must yield
 * an empty result set, so the result count cannot be used to infer data the
 * requester is not allowed to read.
 *
 * Statement order matters: every assertion depends on the permissions granted
 * so far.
 */
public function testCollectionFilterAccess() : void {
  // Set up data model: the node module, a single-value string field
  // 'field_favorite_animal' on the 'user' bundle of static::$entityTypeId, and
  // a node type 'x'.
  $this->assertTrue($this->container
    ->get('module_installer')
    ->install([
    'node',
  ], TRUE), 'Installed modules.');
  FieldStorageConfig::create([
    'entity_type' => static::$entityTypeId,
    'field_name' => 'field_favorite_animal',
    'type' => 'string',
  ])->setCardinality(1)
    ->save();
  FieldConfig::create([
    'entity_type' => static::$entityTypeId,
    'field_name' => 'field_favorite_animal',
    'bundle' => 'user',
  ])->setLabel('Test field')
    ->setTranslatable(FALSE)
    ->save();
  $this->drupalCreateContentType([
    'type' => 'x',
  ]);
  $this->rebuildAll();
  // Baseline: the tested role starts with 'access content' only; no
  // user-related permission has been granted at this point.
  $this->grantPermissionsToTestedRole([
    'access content',
  ]);
  // Create data: user A is active; user B is blocked and is the only user
  // created here with a 'field_favorite_animal' value.
  $user_a = User::create([])->setUsername('A')
    ->activate();
  $user_a->save();
  $user_b = User::create([])->setUsername('B')
    ->set('field_favorite_animal', 'stegosaurus')
    ->block();
  $user_b->save();
  // One node per owner of interest: A, B, the anonymous user (uid 0, twice)
  // and $this->account.
  $node_a = Node::create([
    'type' => 'x',
  ])->setTitle('Owned by A')
    ->setOwner($user_a);
  $node_a->save();
  $node_b = Node::create([
    'type' => 'x',
  ])->setTitle('Owned by B')
    ->setOwner($user_b);
  $node_b->save();
  $node_anon_1 = Node::create([
    'type' => 'x',
  ])->setTitle('Owned by anon #1')
    ->setOwnerId(0);
  $node_anon_1->save();
  $node_anon_2 = Node::create([
    'type' => 'x',
  ])->setTitle('Owned by anon #2')
    ->setOwnerId(0);
  $node_anon_2->save();
  $node_auth_1 = Node::create([
    'type' => 'x',
  ])->setTitle('Owned by auth #1')
    ->setOwner($this->account);
  $node_auth_1->save();
  // User collection URL filtered on the custom field; it is requested again
  // after each permission change below.
  $favorite_animal_test_url = Url::fromRoute('jsonapi.user--user.collection')->setOption('query', [
    'filter[field_favorite_animal]' => 'stegosaurus',
  ]);
  // Test. Every node request reuses $collection_url and sets its 'query'
  // option again before the request is sent.
  $collection_url = Url::fromRoute('jsonapi.node--x.collection');
  $request_options = [];
  $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
  $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
  // ?filter[uid.id]=OWN_UUID requires no permissions: 1 result.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.id]' => $this->account
      ->uuid(),
  ]), $request_options);
  // The response has to declare the 'user.permissions' cache context.
  // NOTE(review): presumably so a cached copy is never served to a requester
  // with a different permission set - confirm.
  $this->assertSession()
    ->responseHeaderContains('X-Drupal-Cache-Contexts', 'user.permissions');
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(1, $doc['data']);
  $this->assertSame($node_auth_1->uuid(), $doc['data'][0]['id']);
  // ?filter[uid.id]=ANONYMOUS_UUID: 0 results, although two nodes owned by
  // uid 0 exist.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.id]' => User::load(0)->uuid(),
  ]), $request_options);
  $this->assertSession()
    ->responseHeaderContains('X-Drupal-Cache-Contexts', 'user.permissions');
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(0, $doc['data']);
  // ?filter[uid.name]=A: 0 results, although a node owned by A exists.
  // NOTE(review): unlike the neighbouring requests, this one does not assert
  // the X-Drupal-Cache-Contexts header.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.name]' => 'A',
  ]), $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(0, $doc['data']);
  // /jsonapi/user/user?filter[field_favorite_animal]: 0 results. The status
  // must be 200 with an empty collection rather than an error response.
  $response = $this->request('GET', $favorite_animal_test_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertCount(0, $doc['data']);
  // Grant "view" permission.
  $this->grantPermissionsToTestedRole([
    'access user profiles',
  ]);
  // ?filter[uid.id]=ANONYMOUS_UUID: 0 results.
  // NOTE(review): presumably the anonymous user entity stays non-viewable
  // with 'access user profiles' - confirm against the user access handler.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.id]' => User::load(0)->uuid(),
  ]), $request_options);
  $this->assertSession()
    ->responseHeaderContains('X-Drupal-Cache-Contexts', 'user.permissions');
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(0, $doc['data']);
  // ?filter[uid.name]=A: 1 result since user A is active.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.name]' => 'A',
  ]), $request_options);
  $this->assertSession()
    ->responseHeaderContains('X-Drupal-Cache-Contexts', 'user.permissions');
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(1, $doc['data']);
  $this->assertSame($node_a->uuid(), $doc['data'][0]['id']);
  // ?filter[uid.name]=B: 0 results since user B is blocked.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.name]' => 'B',
  ]), $request_options);
  $this->assertSession()
    ->responseHeaderContains('X-Drupal-Cache-Contexts', 'user.permissions');
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(0, $doc['data']);
  // /jsonapi/user/user?filter[field_favorite_animal]: 0 results. The only
  // user holding the filtered value is the blocked user B.
  $response = $this->request('GET', $favorite_animal_test_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertCount(0, $doc['data']);
  // Grant "admin" permission.
  $this->grantPermissionsToTestedRole([
    'administer users',
  ]);
  // ?filter[uid.name]=B: 1 result; the blocked owner is now a usable filter
  // target.
  $response = $this->request('GET', $collection_url->setOption('query', [
    'filter[uid.name]' => 'B',
  ]), $request_options);
  $this->assertSession()
    ->responseHeaderContains('X-Drupal-Cache-Contexts', 'user.permissions');
  $doc = $this->getDocumentFromResponse($response);
  $this->assertCount(1, $doc['data']);
  $this->assertSame($node_b->uuid(), $doc['data'][0]['id']);
  // /jsonapi/user/user?filter[field_favorite_animal]: 1 result, user B.
  $response = $this->request('GET', $favorite_animal_test_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertCount(1, $doc['data']);
  $this->assertSame($user_b->uuid(), $doc['data'][0]['id']);
}
