silverstripe-framework/tests/security/PermissionRoleTest.php

<?php

use SilverStripe\ORM\DataObject;
use SilverStripe\Security\PermissionRoleCode;

/**
 * @package framework
 * @subpackage tests
 */
class PermissionRoleTest extends FunctionalTest {
	protected static $fixture_file = 'PermissionRoleTest.yml';

	public function testDelete() {
		$role = $this->objFromFixture('SilverStripe\\Security\\PermissionRole', 'role');

		$role->delete();

		$this->assertEquals(0, DataObject::get('SilverStripe\\Security\\PermissionRole', "\"ID\"={$role->ID}")->count(),
			'Role is removed');
		$this->assertEquals(0, DataObject::get('SilverStripe\\Security\\PermissionRoleCode',"\"RoleID\"={$role->ID}")->count(),
			'Permissions removed along with the role');
	}

	public function testValidatesPrivilegedPermissions() {
		$nonAdminCode = new PermissionRoleCode(array('Code' => 'CMS_ACCESS_CMSMain'));
		$nonAdminValidateMethod = new ReflectionMethod($nonAdminCode, 'validate');
		$nonAdminValidateMethod->setAccessible(true);

		$adminCode = new PermissionRoleCode(array('Code' => 'ADMIN'));
		$adminValidateMethod = new ReflectionMethod($adminCode, 'validate');
		$adminValidateMethod->setAccessible(true);

		$this->logInWithPermission('APPLY_ROLES');
		$result = $nonAdminValidateMethod->invoke($nonAdminCode);
		$this->assertTrue(
			$result->valid(),
			'Members with only APPLY_ROLES can create non-privileged permission role codes'
		);

		$this->logInWithPermission('APPLY_ROLES');
		$result = $adminValidateMethod->invoke($adminCode);
		$this->assertFalse(
			$result->valid(),
			'Members with only APPLY_ROLES can\'t create privileged permission role codes'
		);

		$this->logInWithPermission('ADMIN');
		$result = $adminValidateMethod->invoke($adminCode);
		$this->assertTrue(
			$result->valid(),
			'Members with ADMIN can create privileged permission role codes'
		);
	}
}
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 06:43:59 +01:00			`<?php`
API Apply Framework\ORM Namespace to model 2016-06-15 06:03:16 +02:00
			`use SilverStripe\ORM\DataObject;`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`use SilverStripe\Security\PermissionRoleCode;`

FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 06:43:59 +01:00			`/**`
MINOR Update @package values to match renaming sapphire 2012-04-12 08:02:46 +02:00			`* @package framework`
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 06:43:59 +01:00			`* @subpackage tests`
			`*/`
			`class PermissionRoleTest extends FunctionalTest {`
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`protected static $fixture_file = 'PermissionRoleTest.yml';`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
Method visibility according to coding conventions 2012-09-19 12:07:39 +02:00			`public function testDelete() {`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`$role = $this->objFromFixture('SilverStripe\\Security\\PermissionRole', 'role');`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 06:43:59 +01:00			`$role->delete();`
Remove all redundant whitespace 2014-08-15 08:53:05 +02:00
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`$this->assertEquals(0, DataObject::get('SilverStripe\\Security\\PermissionRole', "\"ID\"={$role->ID}")->count(),`
FIX Remove instances of lines longer than 120c The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer. 2012-09-26 23:34:00 +02:00			`'Role is removed');`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`$this->assertEquals(0, DataObject::get('SilverStripe\\Security\\PermissionRoleCode',"\"RoleID\"={$role->ID}")->count(),`
FIX Remove instances of lines longer than 120c The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer. 2012-09-26 23:34:00 +02:00			`'Permissions removed along with the role');`
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 06:43:59 +01:00			`}`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
			`public function testValidatesPrivilegedPermissions() {`
			`$nonAdminCode = new PermissionRoleCode(array('Code' => 'CMS_ACCESS_CMSMain'));`
			`$nonAdminValidateMethod = new ReflectionMethod($nonAdminCode, 'validate');`
			`$nonAdminValidateMethod->setAccessible(true);`

			`$adminCode = new PermissionRoleCode(array('Code' => 'ADMIN'));`
			`$adminValidateMethod = new ReflectionMethod($adminCode, 'validate');`
			`$adminValidateMethod->setAccessible(true);`

			`$this->logInWithPermission('APPLY_ROLES');`
			`$result = $nonAdminValidateMethod->invoke($nonAdminCode);`
			`$this->assertTrue(`
			`$result->valid(),`
			`'Members with only APPLY_ROLES can create non-privileged permission role codes'`
			`);`

			`$this->logInWithPermission('APPLY_ROLES');`
			`$result = $adminValidateMethod->invoke($adminCode);`
			`$this->assertFalse(`
			`$result->valid(),`
			`'Members with only APPLY_ROLES can\'t create privileged permission role codes'`
			`);`

			`$this->logInWithPermission('ADMIN');`
			`$result = $adminValidateMethod->invoke($adminCode);`
			`$this->assertTrue(`
			`$result->valid(),`
			`'Members with ADMIN can create privileged permission role codes'`
			`);`
			`}`
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 06:43:59 +01:00			`}`