Add tests for User serialization

+++ b/core/modules/serialization/lib/Drupal/serialization/Tests/Entity/UserNormalizationTest.php
@@ -0,0 +1,105 @@
+      'uid' => array(
+        array('value' => $user->get('uid')->offsetGet(0)->get('value')->getValue()),

This is a bit ugly - why does $user->uid->value not work? Same for the other fields.

+++ b/core/modules/serialization/lib/Drupal/serialization/Tests/Entity/UserNormalizationTest.php
@@ -0,0 +1,105 @@
+      // The serialization module doesn't do any access checking, so the
+      // password field is exposed if the calling function does not run access
+      // checks before calling serialize.
+      'pass' => array(
+        array('value' => $user->get('pass')->offsetGet(0)->get('value')->getValue()),

Is there an issue already to implement the access check for the password field? I only know the general issue #2028027: [META] Missing access control for base fields.

Why do we need a special normalize test case for users? It is just another entity + field normalization we already test, right?

Some people were in favor of getting rid of the magic entity field getters/setters, but I don't see that happening in an issue. Maybe I missed it, please post it here if you know it.

As long as we don't encounter any bugs in the actual serialization process of users I don't think we need an explicit test for that entity type. And the leaking password problem is an access problem, which should be tackled at a dedicated issue.

So I think we can leave this here lying around for later, when we find problems with user entities.

I just created an issue for access control of password and similar user Fields. It is linked from #2029855: Missing access control for user base fields

@klausi, what's the deal with this issue now? Do you think this should still be postponed?

AFAIK this is irrelevant now.