2008-11-03 15:52:35 +01:00
< ? php
/**
* @ package sapphire
* @ subpackage tests
*
* @ todo Test canAddChildren ()
* @ todo Test canCreate ()
*/
2008-11-25 23:36:23 +01:00
class SiteTreePermissionsTest extends FunctionalTest {
2008-11-03 15:52:35 +01:00
static $fixture_file = " sapphire/tests/SiteTreePermissionsTest.yml " ;
2009-10-05 23:00:49 +02:00
static function set_up_once () {
SiteTreeTest :: set_up_once ();
parent :: set_up_once ();
}
static function tear_down_once () {
SiteTreeTest :: tear_down_once ();
parent :: tear_down_once ();
}
2008-11-25 23:36:23 +01:00
function setUp () {
parent :: setUp ();
$this -> useDraftSite ();
// we're testing HTTP status codes before being redirected to login forms
$this -> autoFollowRedirection = false ;
}
2010-01-13 00:35:33 +01:00
function testPermissionCheckingWorksOnDeletedPages () {
// Set up fixture - a published page deleted from draft
2010-02-21 22:35:06 +01:00
$this -> logInWithPermission ( " ADMIN " );
2010-01-13 00:35:33 +01:00
$page = $this -> objFromFixture ( 'Page' , 'restrictedEditOnlySubadminGroup' );
$pageID = $page -> ID ;
$this -> assertTrue ( $page -> doPublish ());
$page -> delete ();
// Re-fetch the page from the live site
$page = Versioned :: get_one_by_stage ( 'SiteTree' , 'Live' , " \" SiteTree \" . \" ID \" = $pageID " );
// subadmin has edit rights on that page
$member = $this -> objFromFixture ( 'Member' , 'subadmin' );
$member -> logIn ();
// Test can_edit_multiple
$this -> assertEquals (
array ( $pageID => true ),
SiteTree :: can_edit_multiple ( array ( $pageID ), $member -> ID )
);
// Test canEdit
$member -> logIn ();
$this -> assertTrue ( $page -> canEdit ());
}
2008-11-25 23:36:23 +01:00
2010-01-13 00:35:33 +01:00
function testPermissionCheckingWorksOnUnpublishedPages () {
// Set up fixture - an unpublished page
2010-02-21 22:35:06 +01:00
$this -> logInWithPermission ( " ADMIN " );
2010-01-13 00:35:33 +01:00
$page = $this -> objFromFixture ( 'Page' , 'restrictedEditOnlySubadminGroup' );
$pageID = $page -> ID ;
$page -> doUnpublish ();
// subadmin has edit rights on that page
$member = $this -> objFromFixture ( 'Member' , 'subadmin' );
$member -> logIn ();
// Test can_edit_multiple
$this -> assertEquals (
array ( $pageID => true ),
SiteTree :: can_edit_multiple ( array ( $pageID ), $member -> ID )
);
// Test canEdit
$member -> logIn ();
$this -> assertTrue ( $page -> canEdit ());
}
function testCanEditOnPageDeletedFromStageAndLiveReturnsFalse () {
// Find a page that exists and delete it from both stage and published
2010-02-21 22:35:06 +01:00
$this -> logInWithPermission ( " ADMIN " );
2010-01-13 00:35:33 +01:00
$page = $this -> objFromFixture ( 'Page' , 'restrictedEditOnlySubadminGroup' );
$pageID = $page -> ID ;
$page -> doUnpublish ();
$page -> delete ();
// We'll need to resurrect the page from the version cache to test this case
$page = Versioned :: get_latest_version ( 'SiteTree' , $pageID );
// subadmin had edit rights on that page, but now it's gone
$member = $this -> objFromFixture ( 'Member' , 'subadmin' );
$member -> logIn ();
$this -> assertFalse ( $page -> canEdit ());
}
2008-12-04 23:38:32 +01:00
function testAccessTabOnlyDisplaysWithGrantAccessPermissions () {
$page = $this -> objFromFixture ( 'Page' , 'standardpage' );
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> session () -> inst_set ( 'loggedInAs' , $subadminuser -> ID );
$fields = $page -> getCMSFields ();
$this -> assertFalse (
$fields -> dataFieldByName ( 'CanViewType' ) -> isReadonly (),
'Users with SITETREE_GRANT_ACCESS permission can change "view" permissions in cms fields'
);
$this -> assertFalse (
$fields -> dataFieldByName ( 'CanEditType' ) -> isReadonly (),
'Users with SITETREE_GRANT_ACCESS permission can change "edit" permissions in cms fields'
);
$editoruser = $this -> objFromFixture ( 'Member' , 'editor' );
$this -> session () -> inst_set ( 'loggedInAs' , $editoruser -> ID );
$fields = $page -> getCMSFields ();
$this -> assertTrue (
$fields -> dataFieldByName ( 'CanViewType' ) -> isReadonly (),
'Users without SITETREE_GRANT_ACCESS permission cannot change "view" permissions in cms fields'
);
$this -> assertTrue (
$fields -> dataFieldByName ( 'CanEditType' ) -> isReadonly (),
'Users without SITETREE_GRANT_ACCESS permission cannot change "edit" permissions in cms fields'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
}
2008-11-03 15:52:35 +01:00
function testRestrictedViewLoggedInUsers () {
$page = $this -> objFromFixture ( 'Page' , 'restrictedViewLoggedInUsers' );
2008-11-25 23:36:23 +01:00
// unauthenticated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$page -> canView ( FALSE ),
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
);
2008-11-25 23:36:23 +01:00
$this -> session () -> inst_set ( 'loggedInAs' , null );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $page -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
2008-12-04 23:38:32 +01:00
302 ,
2008-11-25 23:36:23 +01:00
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
);
2009-08-27 08:56:13 +02:00
2008-11-25 23:36:23 +01:00
// website users
2008-11-03 15:52:35 +01:00
$websiteuser = $this -> objFromFixture ( 'Member' , 'websiteuser' );
$this -> assertTrue (
$page -> canView ( $websiteuser ),
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
);
2008-11-25 23:36:23 +01:00
$this -> session () -> inst_set ( 'loggedInAs' , $websiteuser -> ID );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $page -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
200 ,
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
2008-11-03 15:52:35 +01:00
}
function testRestrictedViewOnlyTheseUsers () {
$page = $this -> objFromFixture ( 'Page' , 'restrictedViewOnlyWebsiteUsers' );
2008-11-25 23:36:23 +01:00
// unauthenticcated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$page -> canView ( FALSE ),
'Unauthenticated members cant view a page marked as "Viewable by these groups"'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $page -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
2008-12-04 23:38:32 +01:00
302 ,
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant view a page marked as "Viewable by these groups"'
);
2008-11-25 23:36:23 +01:00
// subadmin users
2008-11-03 15:52:35 +01:00
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> assertFalse (
$page -> canView ( $subadminuser ),
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
);
2008-11-25 23:36:23 +01:00
$this -> session () -> inst_set ( 'loggedInAs' , $subadminuser -> ID );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $page -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
2009-07-09 05:20:32 +02:00
403 ,
2008-11-25 23:36:23 +01:00
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
2008-11-03 15:52:35 +01:00
2008-11-25 23:36:23 +01:00
// website users
2008-11-03 15:52:35 +01:00
$websiteuser = $this -> objFromFixture ( 'Member' , 'websiteuser' );
$this -> assertTrue (
$page -> canView ( $websiteuser ),
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
);
2008-11-25 23:36:23 +01:00
$this -> session () -> inst_set ( 'loggedInAs' , $websiteuser -> ID );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $page -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
200 ,
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
2008-11-03 15:52:35 +01:00
}
function testRestrictedEditLoggedInUsers () {
$page = $this -> objFromFixture ( 'Page' , 'restrictedEditLoggedInUsers' );
2008-11-25 23:36:23 +01:00
// unauthenticcated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$page -> canEdit ( FALSE ),
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant edit a page marked as "Editable by logged in users"'
);
2008-11-25 23:36:23 +01:00
// website users
2008-11-03 15:52:35 +01:00
$websiteuser = $this -> objFromFixture ( 'Member' , 'websiteuser' );
$websiteuser -> logIn ();
$this -> assertFalse (
$page -> canEdit ( $websiteuser ),
'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions'
);
2008-11-25 23:36:23 +01:00
// subadmin users
2008-11-03 15:52:35 +01:00
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> assertTrue (
$page -> canEdit ( $subadminuser ),
'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
);
}
function testRestrictedEditOnlySubadminGroup () {
$page = $this -> objFromFixture ( 'Page' , 'restrictedEditOnlySubadminGroup' );
2008-11-25 23:36:23 +01:00
// unauthenticated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$page -> canEdit ( FALSE ),
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant edit a page marked as "Editable by these groups"'
);
2008-11-25 23:36:23 +01:00
// subadmin users
2008-11-03 15:52:35 +01:00
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> assertTrue (
$page -> canEdit ( $subadminuser ),
'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups'
);
2008-11-25 23:36:23 +01:00
// website users
2008-11-03 15:52:35 +01:00
$websiteuser = $this -> objFromFixture ( 'Member' , 'websiteuser' );
$this -> assertFalse (
$page -> canEdit ( $websiteuser ),
'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups'
);
}
function testRestrictedViewInheritance () {
$parentPage = $this -> objFromFixture ( 'Page' , 'parent_restrictedViewOnlySubadminGroup' );
$childPage = $this -> objFromFixture ( 'Page' , 'child_restrictedViewOnlySubadminGroup' );
2009-08-27 08:56:13 +02:00
2008-11-25 23:36:23 +01:00
// unauthenticated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$childPage -> canView ( FALSE ),
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $childPage -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
2008-12-04 23:38:32 +01:00
302 ,
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
);
2009-08-27 08:56:13 +02:00
2008-11-25 23:36:23 +01:00
// subadmin users
2008-11-03 15:52:35 +01:00
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> assertTrue (
$childPage -> canView ( $subadminuser ),
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
);
2008-11-25 23:36:23 +01:00
$this -> session () -> inst_set ( 'loggedInAs' , $subadminuser -> ID );
2009-10-11 02:07:20 +02:00
$response = $this -> get ( $childPage -> RelativeLink ());
2008-11-25 23:36:23 +01:00
$this -> assertEquals (
$response -> getStatusCode (),
200 ,
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
);
$this -> session () -> inst_set ( 'loggedInAs' , null );
2008-11-03 15:52:35 +01:00
}
function testRestrictedEditInheritance () {
$parentPage = $this -> objFromFixture ( 'Page' , 'parent_restrictedEditOnlySubadminGroup' );
$childPage = $this -> objFromFixture ( 'Page' , 'child_restrictedEditOnlySubadminGroup' );
2009-08-27 08:56:13 +02:00
2008-11-25 23:36:23 +01:00
// unauthenticated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$childPage -> canEdit ( FALSE ),
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission'
);
2009-08-27 08:56:13 +02:00
2008-11-25 23:36:23 +01:00
// subadmin users
2008-11-03 15:52:35 +01:00
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> assertTrue (
$childPage -> canEdit ( $subadminuser ),
'Authenticated members can edit a page marked as "Editable by these groups" if theyre in the listed groups by inherited permission'
);
}
function testDeleteRestrictedChild () {
$parentPage = $this -> objFromFixture ( 'Page' , 'deleteTestParentPage' );
$childPage = $this -> objFromFixture ( 'Page' , 'deleteTestChildPage' );
2009-08-27 08:56:13 +02:00
2008-11-25 23:36:23 +01:00
// unauthenticated users
2008-11-03 15:52:35 +01:00
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$parentPage -> canDelete ( FALSE ),
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants'
);
$this -> assertFalse (
2008-11-25 23:36:23 +01:00
$childPage -> canDelete ( FALSE ),
2008-11-03 15:52:35 +01:00
'Unauthenticated members cant delete a child page marked as "Editable by these groups"'
);
}
2009-08-27 08:56:13 +02:00
function testRestrictedEditLoggedInUsersDeletedFromStage () {
$page = $this -> objFromFixture ( 'Page' , 'restrictedEditLoggedInUsers' );
$pageID = $page -> ID ;
2010-02-21 22:35:06 +01:00
$this -> logInWithPermission ( " ADMIN " );
2009-10-19 07:28:59 +02:00
2009-08-27 08:56:13 +02:00
$page -> doPublish ();
$page -> deleteFromStage ( 'Stage' );
2008-11-03 15:52:35 +01:00
2009-08-27 08:56:13 +02:00
// Get the live version of the page
2009-09-17 02:17:27 +02:00
$page = Versioned :: get_one_by_stage ( " SiteTree " , " Live " , " \" SiteTree \" . \" ID \" = $pageID " );
2009-10-15 23:53:15 +02:00
2009-08-27 08:56:13 +02:00
// subadmin users
$subadminuser = $this -> objFromFixture ( 'Member' , 'subadmin' );
$this -> assertTrue (
$page -> canEdit ( $subadminuser ),
'Authenticated members can edit a page that was deleted from stage and marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
);
}
2010-01-26 10:11:28 +01:00
2009-10-15 23:53:15 +02:00
function testInheritCanViewFromSiteConfig () {
$page = $this -> objFromFixture ( 'Page' , 'inheritWithNoParent' );
$siteconfig = $this -> objFromFixture ( 'SiteConfig' , 'default' );
$editor = $this -> objFromFixture ( 'Member' , 'editor' );
$editorGroup = $this -> objFromFixture ( 'Group' , 'editorgroup' );
$siteconfig -> CanViewType = 'Anyone' ;
$siteconfig -> write ();
$this -> assertTrue ( $page -> canView ( FALSE ), 'Anyone can view a page when set to inherit from the SiteConfig, and SiteConfig has canView set to LoggedInUsers' );
$siteconfig -> CanViewType = 'LoggedInUsers' ;
$siteconfig -> write ();
$this -> assertFalse ( $page -> canView ( FALSE ), 'Anonymous can\'t view a page when set to inherit from the SiteConfig, and SiteConfig has canView set to LoggedInUsers' );
$siteconfig -> CanViewType = 'LoggedInUsers' ;
$siteconfig -> write ();
$this -> assertTrue ( $page -> canView ( $editor ), 'Users can view a page when set to inherit from the SiteConfig, and SiteConfig has canView set to LoggedInUsers' );
$siteconfig -> CanViewType = 'OnlyTheseUsers' ;
$siteconfig -> ViewerGroups () -> add ( $editorGroup );
$siteconfig -> ViewerGroups () -> write ();
$siteconfig -> write ();
$this -> assertTrue ( $page -> canView ( $editor ), 'Editors can view a page when set to inherit from the SiteConfig, and SiteConfig has canView set to OnlyTheseUsers' );
$this -> assertFalse ( $page -> canView ( FALSE ), 'Anonymous can\'t view a page when set to inherit from the SiteConfig, and SiteConfig has canView set to OnlyTheseUsers' );
}
function testInheritCanEditFromSiteConfig () {
$page = $this -> objFromFixture ( 'Page' , 'inheritWithNoParent' );
$siteconfig = $this -> objFromFixture ( 'SiteConfig' , 'default' );
$editor = $this -> objFromFixture ( 'Member' , 'editor' );
$user = $this -> objFromFixture ( 'Member' , 'websiteuser' );
$editorGroup = $this -> objFromFixture ( 'Group' , 'editorgroup' );
$siteconfig -> CanEditType = 'LoggedInUsers' ;
$siteconfig -> write ();
$this -> assertFalse ( $page -> canEdit ( FALSE ), 'Anonymous can\'t edit a page when set to inherit from the SiteConfig, and SiteConfig has canEdit set to LoggedInUsers' );
$this -> session () -> inst_set ( 'loggedInAs' , $editor -> ID );
$this -> assertTrue ( $page -> canEdit (), 'Users can edit a page when set to inherit from the SiteConfig, and SiteConfig has canEdit set to LoggedInUsers' );
$siteconfig -> CanEditType = 'OnlyTheseUsers' ;
$siteconfig -> EditorGroups () -> add ( $editorGroup );
$siteconfig -> EditorGroups () -> write ();
$siteconfig -> write ();
$this -> assertTrue ( $page -> canEdit ( $editor ), 'Editors can edit a page when set to inherit from the SiteConfig, and SiteConfig has canEdit set to OnlyTheseUsers' );
$this -> session () -> inst_set ( 'loggedInAs' , null );
$this -> assertFalse ( $page -> canEdit ( FALSE ), 'Anonymous can\'t edit a page when set to inherit from the SiteConfig, and SiteConfig has canEdit set to OnlyTheseUsers' );
$this -> session () -> inst_set ( 'loggedInAs' , $user -> ID );
$this -> assertFalse ( $page -> canEdit ( $user ), 'Website user can\'t edit a page when set to inherit from the SiteConfig, and SiteConfig has canEdit set to OnlyTheseUsers' );
}
2009-08-27 08:56:13 +02:00
2008-11-03 15:52:35 +01:00
}
?>
