function UserTest::testGetMailFieldOnlyVisibleToOwner

Tests GETting privacy-sensitive base fields.

File

core/modules/jsonapi/tests/src/Functional/UserTest.php, line 396

Class

UserTest

JSON:API integration test for the "User" content entity type.

Namespace

Code

public function testGetMailFieldOnlyVisibleToOwner() : void {
  // Create user B, with the same roles (and hence permissions) as user A.
  $user_a = $this->account;
  $pass = \Drupal::service('password_generator')->generate();
  $user_b = User::create([
    'name' => 'sibling-of-' . $user_a->getAccountName(),
    'mail' => 'sibling-of-' . $user_a->getAccountName() . '@example.com',
    'pass' => $pass,
    'status' => 1,
    'roles' => $user_a->getRoles(),
  ]);
  $user_b->save();
  $user_b->passRaw = $pass;
  // Grant permission to role that both users use.
  $this->grantPermissionsToTestedRole([
    'access user profiles',
  ]);
  $collection_url = Url::fromRoute('jsonapi.user--user.collection', [], [
    'query' => [
      'sort' => 'drupal_internal__uid',
    ],
  ]);
  // @todo Remove line below in favor of commented line in https://www.drupal.org/project/drupal/issues/2878463.
  $user_a_url = Url::fromRoute(sprintf('jsonapi.user--user.individual'), [
    'entity' => $user_a->uuid(),
  ]);
  /* $user_a_url = $user_a->toUrl('jsonapi'); */
  $request_options = [];
  $request_options[RequestOptions::HEADERS]['Accept'] = 'application/vnd.api+json';
  $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
  // Viewing user A as user A: "mail" field is accessible.
  $response = $this->request('GET', $user_a_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertArrayHasKey('mail', $doc['data']['attributes']);
  // Also when looking at the collection.
  $response = $this->request('GET', $collection_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
  $this->assertArrayHasKey('mail', $doc['data'][2]['attributes'], "Own user--user resource's 'mail' field is visible.");
  $this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
  $this->assertArrayNotHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
  // Now request the same URLs, but as user B (same roles/permissions).
  $this->account = $user_b;
  $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());
  // Viewing user A as user B: "mail" field should be inaccessible.
  $response = $this->request('GET', $user_a_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertArrayNotHasKey('mail', $doc['data']['attributes']);
  // Also when looking at the collection.
  $response = $this->request('GET', $collection_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
  $this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
  $this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
  $this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
  // Now grant permission to view user email addresses and verify.
  $this->grantPermissionsToTestedRole([
    'view user email addresses',
  ]);
  // Viewing user A as user B: "mail" field should be accessible.
  $response = $this->request('GET', $user_a_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertArrayHasKey('mail', $doc['data']['attributes']);
  // Also when looking at the collection.
  $response = $this->request('GET', $collection_url, $request_options);
  $doc = $this->getDocumentFromResponse($response);
  $this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
  $this->assertArrayHasKey('mail', $doc['data'][2]['attributes']);
}