function UserTest::testGetMailFieldOnlyVisibleToOwner
Same name in other branches
- 8.9.x core/modules/jsonapi/tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()
- 10 core/modules/jsonapi/tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()
- 11.x core/modules/jsonapi/tests/src/Functional/UserTest.php \Drupal\Tests\jsonapi\Functional\UserTest::testGetMailFieldOnlyVisibleToOwner()
Tests GETting privacy-sensitive base fields.
File
-
core/
modules/ jsonapi/ tests/ src/ Functional/ UserTest.php, line 378
Class
- UserTest
- JSON:API integration test for the "User" content entity type.
Namespace
Drupal\Tests\jsonapi\FunctionalCode
public function testGetMailFieldOnlyVisibleToOwner() {
// Create user B, with the same roles (and hence permissions) as user A.
$user_a = $this->account;
$pass = \Drupal::service('password_generator')->generate();
$user_b = User::create([
'name' => 'sibling-of-' . $user_a->getAccountName(),
'mail' => 'sibling-of-' . $user_a->getAccountName() . '@example.com',
'pass' => $pass,
'status' => 1,
'roles' => $user_a->getRoles(),
]);
$user_b->save();
$user_b->passRaw = $pass;
// Grant permission to role that both users use.
$this->grantPermissionsToTestedRole([
'access user profiles',
]);
$collection_url = Url::fromRoute('jsonapi.user--user.collection', [], [
'query' => [
'sort' => 'drupal_internal__uid',
],
]);
// @todo Remove line below in favor of commented line in https://www.drupal.org/project/drupal/issues/2878463.
$user_a_url = Url::fromRoute(sprintf('jsonapi.user--user.individual'), [
'entity' => $user_a->uuid(),
]);
/* $user_a_url = $user_a->toUrl('jsonapi'); */
$request_options = [];
$request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
$request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
// Viewing user A as user A: "mail" field is accessible.
$response = $this->request('GET', $user_a_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertArrayHasKey('mail', $doc['data']['attributes']);
// Also when looking at the collection.
$response = $this->request('GET', $collection_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
$this->assertArrayHasKey('mail', $doc['data'][2]['attributes'], "Own user--user resource's 'mail' field is visible.");
$this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
$this->assertArrayNotHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
// Now request the same URLs, but as user B (same roles/permissions).
$this->account = $user_b;
$request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
// Viewing user A as user B: "mail" field should be inaccessible.
$response = $this->request('GET', $user_a_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertArrayNotHasKey('mail', $doc['data']['attributes']);
// Also when looking at the collection.
$response = $this->request('GET', $collection_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
$this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
$this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
$this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
// Now grant permission to view user email addresses and verify.
$this->grantPermissionsToTestedRole([
'view user email addresses',
]);
// Viewing user A as user B: "mail" field should be accessible.
$response = $this->request('GET', $user_a_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertArrayHasKey('mail', $doc['data']['attributes']);
// Also when looking at the collection.
$response = $this->request('GET', $collection_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
$this->assertArrayHasKey('mail', $doc['data'][2]['attributes']);
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.