From fad8ed335d324c1764a45b1971bc09442d408f53 Mon Sep 17 00:00:00 2001
From: Franz Liedke
Date: Fri, 9 Nov 2018 11:22:43 +0100
Subject: [PATCH] Add regression test for email crawling vulnerability

Refs #1628.
---
 .../Controller/UpdateUserControllerTest.php | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 framework/core/tests/Api/Controller/UpdateUserControllerTest.php

diff --git a/framework/core/tests/Api/Controller/UpdateUserControllerTest.php b/framework/core/tests/Api/Controller/UpdateUserControllerTest.php
new file mode 100644
index 000000000..2ea9ecb3e
--- /dev/null
+++ b/framework/core/tests/Api/Controller/UpdateUserControllerTest.php
@@ -0,0 +1,62 @@
+
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Tests\Api\Controller;
+
+use Flarum\Api\Controller\UpdateUserController;
+
+class UpdateUserControllerTest extends ApiControllerTestCase
+{
+ protected $controller = UpdateUserController::class;
+
+ protected $data = [
+ 'email' => 'newemail@machine.local',
+ ];
+
+ protected $userAttributes = [
+ 'username' => 'timtom',
+ 'password' => 'too-obscure',
+ 'email' => 'timtom@machine.local',
+ 'is_email_confirmed' => true,
+ ];
+
+ /**
+ * @test
+ */
+ public function users_can_see_their_private_information()
+ {
+ $this->actor = $this->getNormalUser();
+ $response = $this->callWith([], ['id' => $this->actor->id]);
+
+ // Test for successful response and that the email is included in the response
+ $this->assertEquals(200, $response->getStatusCode());
+ $this->assertContains('timtom@machine.local', (string) $response->getBody());
+ }
+
+ /**
+ * @test
+ */
+ public function users_can_not_see_other_users_private_information()
+ {
+ $this->actor = $this->getNormalUser();
+
+ $response = $this->callWith([], ['id' => 1]);
+
+ // Make sure sensitive information is not made public
+ $this->assertEquals(200, $response->getStatusCode());
+ $this->assertNotContains('admin@example.com', (string) $response->getBody());
+ }
+
+ public function tearDown()
+ {
+ parent::tearDown();
+ }
+}
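Review bot: The negative test `users_can_not_see_other_users_private_information` only asserts that `admin@example.com` is absent from the response body, so it says nothing about whether the attacker-supplied `$data['email']` was actually written to user 1 — a regression in the write path (a normal user changing another user's email) would pass unnoticed; reloading user 1 after the call and asserting its stored email is still `admin@example.com` would cover the write side as well as the read side. The `$this->assertEquals(200, ...)` in the same test also encodes that a non-admin updating another user receives a success response; if the endpoint is meant to reject that update, `403` is the stronger regression check, and if `200` is deliberate (update silently ignored, only the serialized output is restricted) a one-line comment saying so would stop a later reader from "fixing" it. The `tearDown()` override does nothing beyond `parent::tearDown()` and can be dropped. Finally, `assertContains`/`assertNotContains` on strings is deprecated in later PHPUnit majors in favour of `assertStringContainsString`/`assertStringNotContainsString`; worth switching if the suite's PHPUnit version already provides them.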