mirror of
https://github.com/silverstripe/silverstripe-cms
synced 2024-10-22 08:05:56 +02:00
FEATURE Allowing for field-level permissions in DataObject::$api_access - respecting those permissions for reading and writing in RestfulServer (#2918)
BUGFIX Fixed RestfulServerTest->testAuthenticatedGET() git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@64307 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
9a0e053c1e
commit
b9f9e74306
@ -9,7 +9,7 @@
|
|||||||
class RestfulServerTest extends SapphireTest {
|
class RestfulServerTest extends SapphireTest {
|
||||||
|
|
||||||
static $fixture_file = 'cms/tests/RestfulServerTest.yml';
|
static $fixture_file = 'cms/tests/RestfulServerTest.yml';
|
||||||
|
|
||||||
public function testApiAccess() {
|
public function testApiAccess() {
|
||||||
// normal GET should succeed with $api_access enabled
|
// normal GET should succeed with $api_access enabled
|
||||||
$url = "/api/v1/RestfulServerTest_Comment/1";
|
$url = "/api/v1/RestfulServerTest_Comment/1";
|
||||||
@ -25,10 +25,9 @@ class RestfulServerTest extends SapphireTest {
|
|||||||
$this->assertEquals($response->getStatusCode(), 403);
|
$this->assertEquals($response->getStatusCode(), 403);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
public function testAuthenticatedGET() {
|
public function testAuthenticatedGET() {
|
||||||
// @todo create additional mock object with authenticated VIEW permissions
|
// @todo create additional mock object with authenticated VIEW permissions
|
||||||
$url = "/api/v1/RestfulServerTest_Comment/1";
|
$url = "/api/v1/RestfulServerTest_SecretThing/1";
|
||||||
$response = Director::test($url, null, null, 'GET');
|
$response = Director::test($url, null, null, 'GET');
|
||||||
$this->assertEquals($response->getStatusCode(), 403);
|
$this->assertEquals($response->getStatusCode(), 403);
|
||||||
|
|
||||||
@ -39,7 +38,6 @@ class RestfulServerTest extends SapphireTest {
|
|||||||
$response = Director::test($url, null, null, 'GET');
|
$response = Director::test($url, null, null, 'GET');
|
||||||
$this->assertEquals($response->getStatusCode(), 200);
|
$this->assertEquals($response->getStatusCode(), 200);
|
||||||
}
|
}
|
||||||
*/
|
|
||||||
|
|
||||||
public function testAuthenticatedPUT() {
|
public function testAuthenticatedPUT() {
|
||||||
$url = "/api/v1/RestfulServerTest_Comment/1";
|
$url = "/api/v1/RestfulServerTest_Comment/1";
|
||||||
@ -165,6 +163,73 @@ class RestfulServerTest extends SapphireTest {
|
|||||||
$this->assertEquals($response->getStatusCode(), 415);
|
$this->assertEquals($response->getStatusCode(), 415);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testXMLValueFormatting() {
|
||||||
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating','rating1');
|
||||||
|
|
||||||
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID;
|
||||||
|
$response = Director::test($url, null, null, 'GET');
|
||||||
|
$this->assertContains('<ID>' . $rating1->ID . '</ID>', $response->getBody());
|
||||||
|
$this->assertContains('<Rating>' . $rating1->Rating . '</Rating>', $response->getBody());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testApiAccessFieldRestrictions() {
|
||||||
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating','rating1');
|
||||||
|
|
||||||
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID;
|
||||||
|
$response = Director::test($url, null, null, 'GET');
|
||||||
|
$this->assertContains('<ID>', $response->getBody());
|
||||||
|
$this->assertContains('<Rating>', $response->getBody());
|
||||||
|
$this->assertContains('<Author', $response->getBody());
|
||||||
|
$this->assertNotContains('<SecretField>', $response->getBody());
|
||||||
|
$this->assertNotContains('<SecretRelation>', $response->getBody());
|
||||||
|
|
||||||
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID . '?add_fields=SecretField,SecretRelation';
|
||||||
|
$response = Director::test($url, null, null, 'GET');
|
||||||
|
$this->assertNotContains('<SecretField>', $response->getBody(),
|
||||||
|
'"add_fields" URL parameter filters out disallowed fields from $api_access'
|
||||||
|
);
|
||||||
|
$this->assertNotContains('<SecretRelation>', $response->getBody(),
|
||||||
|
'"add_fields" URL parameter filters out disallowed relations from $api_access'
|
||||||
|
);
|
||||||
|
|
||||||
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID . '?fields=SecretField,SecretRelation';
|
||||||
|
$response = Director::test($url, null, null, 'GET');
|
||||||
|
$this->assertNotContains('<SecretField>', $response->getBody(),
|
||||||
|
'"fields" URL parameter filters out disallowed fields from $api_access'
|
||||||
|
);
|
||||||
|
$this->assertNotContains('<SecretRelation>', $response->getBody(),
|
||||||
|
'"fields" URL parameter filters out disallowed relations from $api_access'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testApiAccessWithPUT() {
|
||||||
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating','rating1');
|
||||||
|
|
||||||
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID;
|
||||||
|
$data = array(
|
||||||
|
'Rating' => '42',
|
||||||
|
'WriteProtectedField' => 'haxx0red'
|
||||||
|
);
|
||||||
|
$response = Director::test($url, $data, null, 'PUT');
|
||||||
|
// Assumption: XML is default output
|
||||||
|
$responseArr = Convert::xml2array($response->getBody());
|
||||||
|
$this->assertEquals($responseArr['Rating'], 42);
|
||||||
|
$this->assertNotEquals($responseArr['WriteProtectedField'], 'haxx0red');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testApiAccessWithPOST() {
|
||||||
|
$url = "/api/v1/RestfulServerTest_AuthorRating";
|
||||||
|
$data = array(
|
||||||
|
'Rating' => '42',
|
||||||
|
'WriteProtectedField' => 'haxx0red'
|
||||||
|
);
|
||||||
|
$response = Director::test($url, $data, null, 'POST');
|
||||||
|
// Assumption: XML is default output
|
||||||
|
$responseArr = Convert::xml2array($response->getBody());
|
||||||
|
$this->assertEquals($responseArr['Rating'], 42);
|
||||||
|
$this->assertNotEquals($responseArr['WriteProtectedField'], 'haxx0red');
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -181,7 +246,10 @@ class RestfulServerTest_Comment extends DataObject implements PermissionProvider
|
|||||||
"Comment" => "Text"
|
"Comment" => "Text"
|
||||||
);
|
);
|
||||||
|
|
||||||
static $has_many = array();
|
static $has_one = array(
|
||||||
|
'Page' => 'RestfulServerTest_Page',
|
||||||
|
'Author' => 'RestfulServerTest_Author',
|
||||||
|
);
|
||||||
|
|
||||||
public function providePermissions(){
|
public function providePermissions(){
|
||||||
return array(
|
return array(
|
||||||
@ -209,6 +277,24 @@ class RestfulServerTest_Comment extends DataObject implements PermissionProvider
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class RestfulServerTest_SecretThing extends DataObject implements TestOnly,PermissionProvider{
|
||||||
|
static $api_access = true;
|
||||||
|
|
||||||
|
static $db = array(
|
||||||
|
"Name" => "Varchar(255)",
|
||||||
|
);
|
||||||
|
|
||||||
|
public function canView($member = null) {
|
||||||
|
return Permission::checkMember($member, 'VIEW_SecretThing');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function providePermissions(){
|
||||||
|
return array(
|
||||||
|
'VIEW_SecretThing' => 'View Secret Things',
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
class RestfulServerTest_Page extends DataObject implements TestOnly {
|
class RestfulServerTest_Page extends DataObject implements TestOnly {
|
||||||
|
|
||||||
static $api_access = false;
|
static $api_access = false;
|
||||||
@ -217,5 +303,55 @@ class RestfulServerTest_Page extends DataObject implements TestOnly {
|
|||||||
'Title' => 'Text',
|
'Title' => 'Text',
|
||||||
'Content' => 'HTMLText',
|
'Content' => 'HTMLText',
|
||||||
);
|
);
|
||||||
|
|
||||||
}
|
}
|
||||||
?>
|
|
||||||
|
class RestfulServerTest_Author extends DataObject implements TestOnly {
|
||||||
|
|
||||||
|
static $api_access = true;
|
||||||
|
|
||||||
|
static $db = array(
|
||||||
|
'Name' => 'Text',
|
||||||
|
);
|
||||||
|
|
||||||
|
static $has_many = array(
|
||||||
|
'Ratings' => 'RestfulServerTest_AuthorRating',
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
class RestfulServerTest_AuthorRating extends DataObject implements TestOnly {
|
||||||
|
static $api_access = array(
|
||||||
|
'view' => array(
|
||||||
|
'Rating',
|
||||||
|
'WriteProtectedField',
|
||||||
|
'Author'
|
||||||
|
),
|
||||||
|
'edit' => array(
|
||||||
|
'Rating'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
static $db = array(
|
||||||
|
'Rating' => 'Int',
|
||||||
|
'SecretField' => 'Text',
|
||||||
|
'WriteProtectedField' => 'Text'
|
||||||
|
);
|
||||||
|
|
||||||
|
static $has_one = array(
|
||||||
|
'Author' => 'RestfulServerTest_Author',
|
||||||
|
'SecretRelation' => 'RestfulServerTest_Author',
|
||||||
|
);
|
||||||
|
|
||||||
|
public function canView($member = null) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function canEdit($member = null) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function canCreate($member = null) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
?>
|
@ -33,6 +33,21 @@ Permission:
|
|||||||
perm5:
|
perm5:
|
||||||
Code: CREATE_Comment
|
Code: CREATE_Comment
|
||||||
Group: =>Group.editorgroup
|
Group: =>Group.editorgroup
|
||||||
|
perm6:
|
||||||
|
Code: VIEW_SecretThing
|
||||||
|
Group: =>Group.editorgroup
|
||||||
RestfulServerTest_Page:
|
RestfulServerTest_Page:
|
||||||
page1:
|
page1:
|
||||||
Title: Testpage without API Access
|
Title: Testpage without API Access
|
||||||
|
RestfulServerTest_Author:
|
||||||
|
author1:
|
||||||
|
FirstName: Author 1
|
||||||
|
RestfulServerTest_AuthorRating:
|
||||||
|
rating1:
|
||||||
|
Rating: 3
|
||||||
|
WriteProtectedField: Dont overwrite me
|
||||||
|
SecretField: Dont look at me!
|
||||||
|
Author: =>RestfulServerTest_Author.author1
|
||||||
|
RestfulServerTest_SecretThing:
|
||||||
|
thing1:
|
||||||
|
Name: Unspeakable
|
Loading…
Reference in New Issue
Block a user