Issue #2799049 by AaronBauman, jungle, hussainweb, Neograph734, a_mitch, dww,... (6e137b34) · Commits · project / drupal

core/modules/jsonapi/tests/src/Functional/UserTest.php

+12 −0

Original line number	Diff line number	Diff line
		@@ -412,6 +412,18 @@ public function testGetMailFieldOnlyVisibleToOwner() {
		$this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
		$this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
		$this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);

		// Now grant permission to view user email addresses and verify.
		$this->grantPermissionsToTestedRole(['view user email addresses']);
		// Viewing user A as user B: "mail" field should be accessible.
		$response = $this->request('GET', $user_a_url, $request_options);
		$doc = Json::decode((string) $response->getBody());
		$this->assertArrayHasKey('mail', $doc['data']['attributes']);
		// Also when looking at the collection.
		$response = $this->request('GET', $collection_url, $request_options);
		$doc = Json::decode((string) $response->getBody());
		$this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
		$this->assertArrayHasKey('mail', $doc['data'][2]['attributes']);
		}

		/**

+6 −1

Original line number	Diff line number	Diff line
		@@ -113,10 +113,15 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
		return AccessResult::neutral();
		}

		case 'mail':
		// Only check for the 'view user email addresses' permission and a view
		// operation. Use case fall-through for all other cases.
		if ($operation == 'view' && $account->hasPermission('view user email addresses')) {
		return AccessResult::allowed()->cachePerPermissions();
		}
		case 'preferred_langcode':
		case 'preferred_admin_langcode':
		case 'timezone':
		case 'mail':
		// Allow view access to own mail address and other personalization
		// settings.
		if ($operation == 'view') {

+27 −0

Original line number	Diff line number	Diff line
		@@ -32,6 +32,13 @@ class UserAccessControlHandlerTest extends UnitTestCase {
		*/
		protected $viewer;

		/**
		* The mock user account with 'view user email addresses' permission.
		*
		* @var \Drupal\Core\Session\AccountInterface
		*/
		protected $emailViewer;

		/**
		* The mock user account that is able to change their own account name.
		*
		@@ -96,6 +103,18 @@ protected function setUp(): void {
		->method('hasPermission')
		->will($this->returnValue(TRUE));

		$this->emailViewer = $this->createMock('\Drupal\Core\Session\AccountInterface');
		$this->emailViewer
		->expects($this->any())
		->method('hasPermission')
		->will($this->returnValueMap([
		['view user email addresses', TRUE],
		]));
		$this->emailViewer
		->expects($this->any())
		->method('id')
		->will($this->returnValue(3));

		$entity_type = $this->createMock('Drupal\Core\Entity\EntityTypeInterface');

		$this->accessControlHandler = new UserAccessControlHandler($entity_type);
		@@ -240,6 +259,14 @@ public function hiddenUserSettingsProvider() {
		'view' => TRUE,
		'edit' => TRUE,
		];
		$access_info[] = [
		'field' => $field,
		'viewer' => 'emailViewer',
		'target' => 'owner',
		'view' => $field === 'mail',
		// See note above.
		'edit' => TRUE,
		];
		}

		return $access_info;

+3 −0

Original line number	Diff line number	Diff line
		@@ -11,6 +11,9 @@ administer users:
		restrict access: true
		access user profiles:
		title: 'View user information'
		view user email addresses:
		title: 'View user email addresses'
		description: 'Users without this permission will not have access to email addresses on user pages or other places where they might be shown, such as Views and JSON:API responses.'
		change own username:
		title: 'Change own username'
		select account cancellation method: