#284887 by Dave Reid and dww: Disable autocomplete if user does not have access to the callback.

1 files changed, 47 insertions, 0 deletions

diff --git a/modules/user/user.test b/modules/user/user.test
index 7a152fa5b..91e1df32e 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -523,3 +523,50 @@ class UserAdminTestCase extends DrupalWebTestCase {
     $this->assertEqual($account->status, 0, 'User B blocked');
   }
 }
+
+/**
+ * Test user autocompletion.
+ */
+class UserAutocompleteTestCase extends DrupalWebTestCase {
+
+  /**
+   * Implementation of getInfo().
+   */
+  function getInfo() {
+    return array(
+      'name' => t('User autocompletion'),
+      'description' => t('Test user autocompletion functionality.'),
+      'group' => t('User')
+    );
+  }
+
+  /**
+   * Implementation of setUp().
+   */
+  function setUp() {
+    parent::setUp();
+
+    // Set up two users with different permissions to test access.
+    $this->unprivileged_user = $this->drupalCreateUser();
+    $this->privileged_user = $this->drupalCreateUser(array('access user profiles'));
+  }
+
+  /**
+   * Tests access to user autocompletion and verify the correct results.
+   */
+  function testUserAutocomplete() {
+    // Check access from unprivileged user, should be denied.
+    $this->drupalLogin($this->unprivileged_user);
+    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
+    $this->assertResponse(403, t('Autocompletion access denied to user without permission.'));
+
+    // Check access from privileged user.
+    $this->drupalLogout();
+    $this->drupalLogin($this->privileged_user);
+    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
+    $this->assertResponse(200, t('Autocompletion access allowed.'));
+
+    // Using first letter of the user's name, make sure the user's full name is in the results.
+    $this->assertRaw($this->unprivileged_user->name, t('User name found in autocompletion results.'));
+  }
+}