mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
BUGFIX #4686 Fixed $member non-object error, and decorated checks from not working in Member::canView(), Member::canEdit() and Member::canDelete()
MINOR Added additional tests to MemberTest (from r94358) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@95601 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
eb25344862
commit
35628832d6
@ -972,10 +972,13 @@ class Member extends DataObject {
|
||||
|
||||
// decorated access checks
|
||||
$results = $this->extend('canView', $member);
|
||||
if($results && is_array($results)) if(!min($results)) return false;
|
||||
if($results && is_array($results)) {
|
||||
if(!min($results)) return false;
|
||||
else return true;
|
||||
}
|
||||
|
||||
// members can usually edit their own record
|
||||
if($this->ID == $member->ID) return true;
|
||||
if($member && $this->ID == $member->ID) return true;
|
||||
|
||||
if(
|
||||
Permission::checkMember($member, 'ADMIN')
|
||||
@ -996,7 +999,10 @@ class Member extends DataObject {
|
||||
|
||||
// decorated access checks
|
||||
$results = $this->extend('canEdit', $member);
|
||||
if($results && is_array($results)) if(!min($results)) return false;
|
||||
if($results && is_array($results)) {
|
||||
if(!min($results)) return false;
|
||||
else return true;
|
||||
}
|
||||
|
||||
// No member found
|
||||
if(!($member && $member->exists())) return false;
|
||||
@ -1013,7 +1019,10 @@ class Member extends DataObject {
|
||||
|
||||
// decorated access checks
|
||||
$results = $this->extend('canDelete', $member);
|
||||
if($results && is_array($results)) if(!min($results)) return false;
|
||||
if($results && is_array($results)) {
|
||||
if(!min($results)) return false;
|
||||
else return true;
|
||||
}
|
||||
|
||||
// No member found
|
||||
if(!($member && $member->exists())) return false;
|
||||
|
@ -3,7 +3,7 @@
|
||||
* @package sapphire
|
||||
* @subpackage tests
|
||||
*/
|
||||
class MemberTest extends SapphireTest {
|
||||
class MemberTest extends FunctionalTest {
|
||||
static $fixture_file = 'sapphire/tests/security/MemberTest.yml';
|
||||
|
||||
function setUp() {
|
||||
@ -300,4 +300,83 @@ class MemberTest extends SapphireTest {
|
||||
'Non-existant group returns false'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests that the user is able to view their own record, and in turn, they can
|
||||
* edit and delete their own record too.
|
||||
*/
|
||||
public function testCanManipulateOwnRecord() {
|
||||
$extensions = $this->removeExtensions(Object::get_extensions('Member'));
|
||||
$member = $this->objFromFixture('Member', 'test');
|
||||
$member2 = $this->objFromFixture('Member', 'staffmember');
|
||||
|
||||
$this->session()->inst_set('loggedInAs', null);
|
||||
|
||||
/* Not logged in, you can't view, delete or edit the record */
|
||||
$this->assertFalse($member->canView());
|
||||
$this->assertFalse($member->canDelete());
|
||||
$this->assertFalse($member->canEdit());
|
||||
|
||||
/* Logged in users can edit their own record */
|
||||
$this->session()->inst_set('loggedInAs', $member->ID);
|
||||
$this->assertTrue($member->canView());
|
||||
$this->assertTrue($member->canDelete());
|
||||
$this->assertTrue($member->canEdit());
|
||||
|
||||
/* Other uses cannot view, delete or edit others records */
|
||||
$this->session()->inst_set('loggedInAs', $member2->ID);
|
||||
$this->assertFalse($member->canView());
|
||||
$this->assertFalse($member->canDelete());
|
||||
$this->assertFalse($member->canEdit());
|
||||
|
||||
$this->addExtensions($extensions);
|
||||
$this->session()->inst_set('loggedInAs', null);
|
||||
}
|
||||
|
||||
public function testAuthorisedMembersCanManipulateOthersRecords() {
|
||||
$extensions = $this->removeExtensions(Object::get_extensions('Member'));
|
||||
$member = $this->objFromFixture('Member', 'test');
|
||||
$member2 = $this->objFromFixture('Member', 'staffmember');
|
||||
|
||||
/* Group members with SecurityAdmin permissions can manipulate other records */
|
||||
$this->session()->inst_set('loggedInAs', $member->ID);
|
||||
$this->assertTrue($member2->canView());
|
||||
$this->assertTrue($member2->canDelete());
|
||||
$this->assertTrue($member2->canEdit());
|
||||
|
||||
$this->addExtensions($extensions);
|
||||
$this->session()->inst_set('loggedInAs', null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Add the given array of member extensions as class names.
|
||||
* This is useful for re-adding extensions after being removed
|
||||
* in a test case to produce an unbiased test.
|
||||
*
|
||||
* @param array $extensions
|
||||
* @return array The added extensions
|
||||
*/
|
||||
protected function addExtensions($extensions) {
|
||||
if($extensions) foreach($extensions as $extension) {
|
||||
Object::add_extension('Member', $extension);
|
||||
}
|
||||
return $extensions;
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove given extensions from Member. This is useful for
|
||||
* removing extensions that could produce a biased
|
||||
* test result, as some extensions applied by project
|
||||
* code or modules can do this.
|
||||
*
|
||||
* @param array $extensions
|
||||
* @return array The removed extensions
|
||||
*/
|
||||
protected function removeExtensions($extensions) {
|
||||
if($extensions) foreach($extensions as $extension) {
|
||||
Object::remove_extension('Member', $extension);
|
||||
}
|
||||
return $extensions;
|
||||
}
|
||||
|
||||
}
|
@ -1,4 +1,11 @@
|
||||
Permission:
|
||||
security-admin:
|
||||
Code: CMS_ACCESS_SecurityAdmin
|
||||
Group:
|
||||
securityadminsgroup:
|
||||
Title: securityadminsgroup
|
||||
Code: securityadminsgroup
|
||||
Permissions: =>Permission.security-admin
|
||||
staffgroup:
|
||||
Title: staffgroup
|
||||
Code: staffgroup
|
||||
@ -21,6 +28,7 @@ Member:
|
||||
Email: sam@silverstripe.com
|
||||
Password: 1nitialPassword
|
||||
PasswordExpiry: 2030-01-01
|
||||
Groups: =>Group.securityadminsgroup
|
||||
expiredpassword:
|
||||
FirstName: Test
|
||||
Surname: User
|
||||
|
Loading…
Reference in New Issue
Block a user