silverstripe-framework/tests/php/Security/PermissionRoleTest.php

<?php

namespace SilverStripe\Security\Tests;

use SilverStripe\ORM\DataObject;
use SilverStripe\Security\PermissionRole;
use SilverStripe\Security\PermissionRoleCode;
use SilverStripe\Dev\FunctionalTest;
use ReflectionMethod;

class PermissionRoleTest extends FunctionalTest {
	protected static $fixture_file = 'PermissionRoleTest.yml';

	public function testDelete() {
		$role = $this->objFromFixture(PermissionRole::class, 'role');

		$role->delete();

		$this->assertEquals(0, DataObject::get(PermissionRole::class, "\"ID\"={$role->ID}")->count(),
			'Role is removed');
		$this->assertEquals(0, DataObject::get(PermissionRoleCode::class,"\"RoleID\"={$role->ID}")->count(),
			'Permissions removed along with the role');
	}

	public function testValidatesPrivilegedPermissions() {
		$nonAdminCode = new PermissionRoleCode(array('Code' => 'CMS_ACCESS_CMSMain'));
		$nonAdminValidateMethod = new ReflectionMethod($nonAdminCode, 'validate');
		$nonAdminValidateMethod->setAccessible(true);

		$adminCode = new PermissionRoleCode(array('Code' => 'ADMIN'));
		$adminValidateMethod = new ReflectionMethod($adminCode, 'validate');
		$adminValidateMethod->setAccessible(true);

		$this->logInWithPermission('APPLY_ROLES');
		$result = $nonAdminValidateMethod->invoke($nonAdminCode);
		$this->assertTrue(
			$result->valid(),
			'Members with only APPLY_ROLES can create non-privileged permission role codes'
		);

		$this->logInWithPermission('APPLY_ROLES');
		$result = $adminValidateMethod->invoke($adminCode);
		$this->assertFalse(
			$result->valid(),
			'Members with only APPLY_ROLES can\'t create privileged permission role codes'
		);

		$this->logInWithPermission('ADMIN');
		$result = $adminValidateMethod->invoke($adminCode);
		$this->assertTrue(
			$result->valid(),
			'Members with ADMIN can create privileged permission role codes'
		);
	}
}
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 05:43:59 +00:00			`<?php`
API Apply Framework\ORM Namespace to model 2016-06-15 16:03:16 +12:00
API Namespace framework tests 2016-10-14 14:30:05 +13:00			`namespace SilverStripe\Security\Tests;`

API Apply Framework\ORM Namespace to model 2016-06-15 16:03:16 +12:00			`use SilverStripe\ORM\DataObject;`
API Namespace framework tests 2016-10-14 14:30:05 +13:00			`use SilverStripe\Security\PermissionRole;`
API Apply Framework\Security namespace 2016-06-23 11:37:22 +12:00			`use SilverStripe\Security\PermissionRoleCode;`
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0 2016-08-19 10:51:35 +12:00			`use SilverStripe\Dev\FunctionalTest;`
API Namespace framework tests 2016-10-14 14:30:05 +13:00			`use ReflectionMethod;`
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0 2016-08-19 10:51:35 +12:00
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 05:43:59 +00:00			`class PermissionRoleTest extends FunctionalTest {`
API Marked statics private, use Config API instead (#8317) See "Static configuration properties are now immutable, you must use Config API." in the 3.1 change log for details. 2013-03-21 19:48:54 +01:00			`protected static $fixture_file = 'PermissionRoleTest.yml';`
Remove all redundant whitespace 2014-08-15 18:53:05 +12:00
Method visibility according to coding conventions 2012-09-19 12:07:39 +02:00			`public function testDelete() {`
API Namespace framework tests 2016-10-14 14:30:05 +13:00			`$role = $this->objFromFixture(PermissionRole::class, 'role');`
Remove all redundant whitespace 2014-08-15 18:53:05 +12:00
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 05:43:59 +00:00			`$role->delete();`
Remove all redundant whitespace 2014-08-15 18:53:05 +12:00
API Namespace framework tests 2016-10-14 14:30:05 +13:00			`$this->assertEquals(0, DataObject::get(PermissionRole::class, "\"ID\"={$role->ID}")->count(),`
FIX Remove instances of lines longer than 120c The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer. 2012-09-27 09:34:00 +12:00			`'Role is removed');`
API Namespace framework tests 2016-10-14 14:30:05 +13:00			`$this->assertEquals(0, DataObject::get(PermissionRoleCode::class,"\"RoleID\"={$role->ID}")->count(),`
FIX Remove instances of lines longer than 120c The entire framework repo (with the exception of system-generated files) has been amended to respect the 120c line-length limit. This is in preparation for the enforcement of this rule with PHP_CodeSniffer. 2012-09-27 09:34:00 +12:00			`'Permissions removed along with the role');`
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 05:43:59 +00:00			`}`
FIX Privilege escalation through APPLY_ROLES assignment (SS-2013-005) See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/ 2013-08-30 13:59:38 +02:00
			`public function testValidatesPrivilegedPermissions() {`
			`$nonAdminCode = new PermissionRoleCode(array('Code' => 'CMS_ACCESS_CMSMain'));`
			`$nonAdminValidateMethod = new ReflectionMethod($nonAdminCode, 'validate');`
			`$nonAdminValidateMethod->setAccessible(true);`

			`$adminCode = new PermissionRoleCode(array('Code' => 'ADMIN'));`
			`$adminValidateMethod = new ReflectionMethod($adminCode, 'validate');`
			`$adminValidateMethod->setAccessible(true);`

			`$this->logInWithPermission('APPLY_ROLES');`
			`$result = $nonAdminValidateMethod->invoke($nonAdminCode);`
			`$this->assertTrue(`
			`$result->valid(),`
			`'Members with only APPLY_ROLES can create non-privileged permission role codes'`
			`);`

			`$this->logInWithPermission('APPLY_ROLES');`
			`$result = $adminValidateMethod->invoke($adminCode);`
			`$this->assertFalse(`
			`$result->valid(),`
			`'Members with only APPLY_ROLES can\'t create privileged permission role codes'`
			`);`

			`$this->logInWithPermission('ADMIN');`
			`$result = $adminValidateMethod->invoke($adminCode);`
			`$this->assertTrue(`
			`$result->valid(),`
			`'Members with ADMIN can create privileged permission role codes'`
			`);`
			`}`
FEATURE: added several tests for PermissionCheckboxSetField, PermissionRole and Group (from r94887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95629 467b73ca-7a2a-4603-9d3b-597d59a354a9 2009-12-16 05:43:59 +00:00			`}`