<?php
/**
* @package sapphire
* @subpackage tests
*
* @todo Test canAddChildren()
* @todo Test canCreate()
*/
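class SiteTreePermissionsTest extends FunctionalTest {
	
	static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml";
	
	function setUp() {
		parent::setUp();
		
		// Permission checks are exercised against the draft stage, so the
		// fixture pages do not need to be published for requests to resolve.
		$this->useDraftSite();
		
		// We assert on the status code of the *first* response (302 to the login
		// form vs. 403 vs. 200), so the test client must not follow redirects.
		$this->autoFollowRedirection = false;
	}
	
	/**
	 * Makes $member the logged-in user of the test session.
	 *
	 * @param Member $member
	 */
	protected function logInTestMember($member) {
		$this->session()->inst_set('loggedInAs', $member->ID);
	}
	
	/**
	 * Removes any logged-in member from the test session.
	 *
	 * Called before every "unauthenticated" assertion so that a member left
	 * logged in by an earlier step cannot satisfy a check that is supposed to
	 * run anonymously, and after every logged-in step so no session state
	 * leaks into the next test method.
	 */
	protected function logOutTestMember() {
		$this->session()->inst_set('loggedInAs', null);
	}
	
	/**
	 * Only members holding SITETREE_GRANT_ACCESS get editable CanViewType /
	 * CanEditType selectors in the CMS form; everyone else sees them read-only.
	 *
	 * NOTE(review): this inspects only the field state returned by getCMSFields().
	 * A read-only form field is a UI affordance, not an access control — whether a
	 * CanViewType/CanEditType value submitted by a member *without* the permission
	 * is rejected on write is not covered here (see the @todo list above).
	 */
	function testAccessTabOnlyDisplaysWithGrantAccessPermissions() {
		$page = $this->objFromFixture('Page', 'standardpage');
		
		// member with SITETREE_GRANT_ACCESS (per fixture): both selectors editable
		$subadminuser = $this->objFromFixture('Member', 'subadmin');
		$this->logInTestMember($subadminuser);
		$fields = $page->getCMSFields();
		$this->assertFalse(
			$fields->dataFieldByName('CanViewType')->isReadonly(),
			'Users with SITETREE_GRANT_ACCESS permission can change "view" permissions in cms fields'
		);
		$this->assertFalse(
			$fields->dataFieldByName('CanEditType')->isReadonly(),
			'Users with SITETREE_GRANT_ACCESS permission can change "edit" permissions in cms fields'
		);
		
		// member without SITETREE_GRANT_ACCESS (per fixture): both selectors read-only
		$editoruser = $this->objFromFixture('Member', 'editor');
		$this->logInTestMember($editoruser);
		$fields = $page->getCMSFields();
		$this->assertTrue(
			$fields->dataFieldByName('CanViewType')->isReadonly(),
			'Users without SITETREE_GRANT_ACCESS permission cannot change "view" permissions in cms fields'
		);
		$this->assertTrue(
			$fields->dataFieldByName('CanEditType')->isReadonly(),
			'Users without SITETREE_GRANT_ACCESS permission cannot change "edit" permissions in cms fields'
		);
		
		$this->logOutTestMember();
	}
	
	/**
	 * CanViewType = "LoggedInUsers": any authenticated member may view, even
	 * without CMS access; anonymous visitors are sent to the login form.
	 *
	 * Each case is checked twice: at model level (canView()) and through an
	 * actual HTTP request, since the controller is what enforces it in production.
	 */
	function testRestrictedViewLoggedInUsers() {
		$page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers');
		
		// unauthenticated users. The session is cleared *before* the model-level
		// check: FALSE is passed as the member, but whether canView() treats that
		// as "anonymous" or falls back to the current session user is an
		// implementation detail of SiteTree, so we make sure nobody is logged in.
		$this->logOutTestMember();
		$this->assertFalse(
			$page->canView(FALSE),
			'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
		);
		// anonymous request -> redirect to login (302), not a bare 403
		$response = $this->get($page->URLSegment);
		$this->assertEquals(
			302,
			$response->getStatusCode(),
			'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
		);
		
		// website users (authenticated, no CMS permissions)
		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
		$this->assertTrue(
			$page->canView($websiteuser),
			'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
		);
		$this->logInTestMember($websiteuser);
		$response = $this->get($page->URLSegment);
		$this->assertEquals(
			200,
			$response->getStatusCode(),
			'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
		);
		$this->logOutTestMember();
	}
	
	/**
	 * CanViewType = "OnlyTheseUsers": only members of the listed groups may view.
	 *
	 * The two failure modes must be distinguishable: an anonymous visitor is
	 * redirected to the login form (302), while an authenticated member who is
	 * simply not in the listed groups gets a 403 — redirecting them to log in
	 * again would be meaningless (they already are).
	 */
	function testRestrictedViewOnlyTheseUsers() {
		$page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers');
		
		// unauthenticated users (session cleared first, see testRestrictedViewLoggedInUsers)
		$this->logOutTestMember();
		$this->assertFalse(
			$page->canView(FALSE),
			'Unauthenticated members cant view a page marked as "Viewable by these groups"'
		);
		$response = $this->get($page->URLSegment);
		$this->assertEquals(
			302,
			$response->getStatusCode(),
			'Unauthenticated members cant view a page marked as "Viewable by these groups"'
		);
		
		// subadmin users: authenticated, CMS access, but not in the listed groups
		$subadminuser = $this->objFromFixture('Member', 'subadmin');
		$this->assertFalse(
			$page->canView($subadminuser),
			'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
		);
		$this->logInTestMember($subadminuser);
		$response = $this->get($page->URLSegment);
		$this->assertEquals(
			403,
			$response->getStatusCode(),
			'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
		);
		$this->logOutTestMember();
		
		// website users: in the listed groups
		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
		$this->assertTrue(
			$page->canView($websiteuser),
			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
		);
		$this->logInTestMember($websiteuser);
		$response = $this->get($page->URLSegment);
		$this->assertEquals(
			200,
			$response->getStatusCode(),
			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
		);
		$this->logOutTestMember();
	}
	
	/**
	 * CanEditType = "LoggedInUsers": being logged in is necessary but not
	 * sufficient — the member additionally needs CMS permissions.
	 *
	 * Model-level only; there is no HTTP round trip for edit permissions here.
	 */
	function testRestrictedEditLoggedInUsers() {
		$page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers');
		
		// unauthenticated users (session cleared first so FALSE cannot resolve to a leftover member)
		$this->logOutTestMember();
		$this->assertFalse(
			$page->canEdit(FALSE),
			'Unauthenticated members cant edit a page marked as "Editable by logged in users"'
		);
		
		// website users: logged in, but without CMS permissions.
		// The member is logged in for real here (not just passed explicitly);
		// kept as in the original test, and cleaned up at the end so the login
		// does not bleed into other tests.
		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
		$websiteuser->logIn();
		$this->assertFalse(
			$page->canEdit($websiteuser),
			'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions'
		);
		$this->logOutTestMember();
		
		// subadmin users: logged in with CMS permissions
		$subadminuser = $this->objFromFixture('Member', 'subadmin');
		$this->assertTrue(
			$page->canEdit($subadminuser),
			'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
		);
	}
	
	/**
	 * CanEditType = "OnlyTheseUsers": only members of the listed groups may edit;
	 * an authenticated member outside those groups is refused.
	 */
	function testRestrictedEditOnlySubadminGroup() {
		$page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup');
		
		// unauthenticated users
		$this->logOutTestMember();
		$this->assertFalse(
			$page->canEdit(FALSE),
			'Unauthenticated members cant edit a page marked as "Editable by these groups"'
		);
		
		// subadmin users: in the listed groups
		$subadminuser = $this->objFromFixture('Member', 'subadmin');
		$this->assertTrue(
			$page->canEdit($subadminuser),
			'Authenticated members can edit a page marked as "Editable by these groups" if theyre in the listed groups'
		);
		
		// website users: authenticated but not in the listed groups
		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
		$this->assertFalse(
			$page->canEdit($websiteuser),
			'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups'
		);
	}
	
	/**
	 * A child page with CanViewType = "Inherit" takes its view restriction from
	 * the parent (here "OnlyTheseUsers" limited to the subadmin group).
	 */
	function testRestrictedViewInheritance() {
		// the parent carries the restriction; loaded for reference, the child is what we test
		$parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup');
		$childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup');
		
		// unauthenticated users
		$this->logOutTestMember();
		$this->assertFalse(
			$childPage->canView(FALSE),
			'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
		);
		$response = $this->get($childPage->URLSegment);
		$this->assertEquals(
			302,
			$response->getStatusCode(),
			'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
		);
		
		// subadmin users: in the group listed on the parent
		$subadminuser = $this->objFromFixture('Member', 'subadmin');
		$this->assertTrue(
			$childPage->canView($subadminuser),
			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
		);
		$this->logInTestMember($subadminuser);
		$response = $this->get($childPage->URLSegment);
		$this->assertEquals(
			200,
			$response->getStatusCode(),
			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
		);
		$this->logOutTestMember();
	}
	
	/**
	 * A child page with CanEditType = "Inherit" takes its edit restriction from
	 * the parent (here "OnlyTheseUsers" limited to the subadmin group).
	 */
	function testRestrictedEditInheritance() {
		// the parent carries the restriction; loaded for reference, the child is what we test
		$parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup');
		$childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup');
		
		// unauthenticated users
		$this->logOutTestMember();
		$this->assertFalse(
			$childPage->canEdit(FALSE),
			'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission'
		);
		
		// subadmin users: in the group listed on the parent
		$subadminuser = $this->objFromFixture('Member', 'subadmin');
		$this->assertTrue(
			$childPage->canEdit($subadminuser),
			'Authenticated members can edit a page marked as "Editable by these groups" if theyre in the listed groups by inherited permission'
		);
	}
	
	/**
	 * Deleting a page must also be refused when one of its descendants is
	 * edit-restricted — otherwise deleting the parent would be a way around
	 * the child's restriction. Only the anonymous case is covered so far.
	 */
	function testDeleteRestrictedChild() {
		$parentPage = $this->objFromFixture('Page', 'deleteTestParentPage');
		$childPage = $this->objFromFixture('Page', 'deleteTestChildPage');
		
		// unauthenticated users
		$this->logOutTestMember();
		$this->assertFalse(
			$parentPage->canDelete(FALSE),
			'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants'
		);
		$this->assertFalse(
			$childPage->canDelete(FALSE),
			'Unauthenticated members cant delete a child page marked as "Editable by these groups"'
		);
	}
	
}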
?>