function UserTest::testGetMailFieldOnlyVisibleToOwner

Same name and namespace in other branches
  1. 9 core/modules/jsonapi/tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()
  2. 10 core/modules/jsonapi/tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()
  3. 11.x core/modules/jsonapi/tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()

Tests GETting privacy-sensitive base fields.

File

core/modules/jsonapi/tests/src/Functional/UserTest.php, line 364

Class

UserTest
JSON:API integration test for the "User" content entity type.

Namespace

Drupal\Tests\jsonapi\Functional

Code

public function testGetMailFieldOnlyVisibleToOwner() {
    // Create user B, with the same roles (and hence permissions) as user A.
    $user_a = $this->account;
    $pass = user_password();
    $user_b = User::create([
        'name' => 'sibling-of-' . $user_a->getAccountName(),
        'mail' => 'sibling-of-' . $user_a->getAccountName() . '@example.com',
        'pass' => $pass,
        'status' => 1,
        'roles' => $user_a->getRoles(),
    ]);
    $user_b->save();
    $user_b->passRaw = $pass;
    // Grant permission to role that both users use.
    $this->grantPermissionsToTestedRole([
        'access user profiles',
    ]);
    $collection_url = Url::fromRoute('jsonapi.user--user.collection', [], [
        'query' => [
            'sort' => 'drupal_internal__uid',
        ],
    ]);
    // @todo Remove line below in favor of commented line in https://www.drupal.org/project/drupal/issues/2878463.
    $user_a_url = Url::fromRoute(sprintf('jsonapi.user--user.individual'), [
        'entity' => $user_a->uuid(),
    ]);
    
    /* $user_a_url = $user_a->toUrl('jsonapi'); */
    $request_options = [];
    $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
    $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
    // Viewing user A as user A: "mail" field is accessible.
    $response = $this->request('GET', $user_a_url, $request_options);
    $doc = Json::decode((string) $response->getBody());
    $this->assertArrayHasKey('mail', $doc['data']['attributes']);
    // Also when looking at the collection.
    $response = $this->request('GET', $collection_url, $request_options);
    $doc = Json::decode((string) $response->getBody());
    $this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
    $this->assertArrayHasKey('mail', $doc['data'][2]['attributes'], "Own user--user resource's 'mail' field is visible.");
    $this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
    $this->assertArrayNotHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
    // Now request the same URLs, but as user B (same roles/permissions).
    $this->account = $user_b;
    $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
    // Viewing user A as user B: "mail" field should be inaccessible.
    $response = $this->request('GET', $user_a_url, $request_options);
    $doc = Json::decode((string) $response->getBody());
    $this->assertArrayNotHasKey('mail', $doc['data']['attributes']);
    // Also when looking at the collection.
    $response = $this->request('GET', $collection_url, $request_options);
    $doc = Json::decode((string) $response->getBody());
    $this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
    $this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
    $this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
    $this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.