function UserResourceTestBase::testPatchSecurityOtherUser

Same name in other branches
  1. 9 core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()
  2. 8.9.x core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()
  3. 11.x core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()

Tests PATCHing security-sensitive base fields to change other users.

File

core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php, line 278

Class

UserResourceTestBase

Namespace

Drupal\Tests\user\Functional\Rest

Code

public function testPatchSecurityOtherUser(): void {
  $this->initAuthentication();
  $this->provisionEntityResource();

  /** @var \Drupal\user\UserInterface $user */
  $user = $this->account;
  // Normalize the authenticated test user, dropping the 'changed' field from
  // the data that will be sent back in the PATCH body.
  $original_normalization = array_diff_key($this->serializer->normalize($user, static::$format), ['changed' => TRUE]);

  // Since this test must be performed by the user that is being modified,
  // we cannot use $this->getUrl().
  $url = $user->toUrl()->setOption('query', ['_format' => static::$format]);
  // RequestOptions here is \GuzzleHttp\RequestOptions.
  $request_options = [
    RequestOptions::HEADERS => ['Content-Type' => static::$mimeType],
  ];
  $request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions('PATCH'));

  $normalization = $original_normalization;
  $normalization['mail'] = [['value' => 'new-email@example.com']];
  $request_options[RequestOptions::BODY] = $this->serializer->encode($normalization, static::$format);

  // Try changing user 1's email. The body is sent to the test user's own URL
  // but carries user 1's uid together with a changed name, password, uuid
  // and mail, i.e. every security-sensitive base field at once.
  $user1 = [
    'mail' => [['value' => 'another_email_address@example.com']],
    'uid' => [['value' => 1]],
    'name' => [['value' => 'another_user_name']],
    'pass' => [['existing' => $this->account->passRaw]],
    'uuid' => [['value' => '2e9403a4-d8af-4096-a116-624710140be0']],
  ] + $original_normalization;
  // This body replaces the one encoded above before any request is sent.
  $request_options[RequestOptions::BODY] = $this->serializer->encode($user1, static::$format);
  $response = $this->request('PATCH', $url, $request_options);

  // Ensure the email address has not changed.
  $this->assertEquals('admin@example.com', $this->entityStorage->loadUnchanged(1)->getEmail());
  // The whole update is denied with a 403; the entity ID cannot be changed
  // via PATCH, so the request must not touch user 1 at all.
  $this->assertResourceErrorResponse(403, "Access denied on updating field 'uid'. The entity ID cannot be changed.", $response);
}
