function UserResourceTestBase::testPatchSecurityOtherUser
Same name in other branches
- 9 core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()
- 8.9.x core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()
- 11.x core/modules/user/tests/src/Functional/Rest/UserResourceTestBase.php \Drupal\Tests\user\Functional\Rest\UserResourceTestBase::testPatchSecurityOtherUser()
Tests PATCHing security-sensitive base fields to change other users.
File
-
core/
modules/ user/ tests/ src/ Functional/ Rest/ UserResourceTestBase.php, line 278
Class
Namespace
Drupal\Tests\user\Functional\RestCode
public function testPatchSecurityOtherUser() : void {
$this->initAuthentication();
$this->provisionEntityResource();
/** @var \Drupal\user\UserInterface $user */
$user = $this->account;
$original_normalization = array_diff_key($this->serializer
->normalize($user, static::$format), [
'changed' => TRUE,
]);
// Since this test must be performed by the user that is being modified,
// we cannot use $this->getUrl().
$url = $user->toUrl()
->setOption('query', [
'_format' => static::$format,
]);
$request_options = [
RequestOptions::HEADERS => [
'Content-Type' => static::$mimeType,
],
];
$request_options = array_merge_recursive($request_options, $this->getAuthenticationRequestOptions('PATCH'));
$normalization = $original_normalization;
$normalization['mail'] = [
[
'value' => 'new-email@example.com',
],
];
$request_options[RequestOptions::BODY] = $this->serializer
->encode($normalization, static::$format);
// Try changing user 1's email.
$user1 = [
'mail' => [
[
'value' => 'another_email_address@example.com',
],
],
'uid' => [
[
'value' => 1,
],
],
'name' => [
[
'value' => 'another_user_name',
],
],
'pass' => [
[
'existing' => $this->account->passRaw,
],
],
'uuid' => [
[
'value' => '2e9403a4-d8af-4096-a116-624710140be0',
],
],
] + $original_normalization;
$request_options[RequestOptions::BODY] = $this->serializer
->encode($user1, static::$format);
$response = $this->request('PATCH', $url, $request_options);
// Ensure the email address has not changed.
$this->assertEquals('admin@example.com', $this->entityStorage
->loadUnchanged(1)
->getEmail());
$this->assertResourceErrorResponse(403, "Access denied on updating field 'uid'. The entity ID cannot be changed.", $response);
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.