BUGFIX Fixed SiteTreePermissionsTest checking for logged-in users (was using Member->logIn() instead of setting "loggedInAs" on test session)

ENHANCEMENT Added FunctionalTest HTTP GET checks for SiteTreePermissionsTest to check that canView() permissions are actually enforced over HTTP git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66681 467b73ca-7a2a-4603-9d3b-597d59a354a9
2024-06-26 06:29:24 +02:00 · 2008-11-25 22:36:23 +00:00 · 2008-11-25 22:36:23 +00:00 · 5404cd3016
commit 5404cd3016
parent b65f74a37f
2 changed files with 101 additions and 39 deletions
--- a/tests/SiteTreePermissionsTest.php
+++ b/tests/SiteTreePermissionsTest.php
@ -6,138 +6,190 @@
 * @todo Test canAddChildren()
 * @todo Test canCreate()
 */
-class SiteTreePermissionsTest extends SapphireTest {
+class SiteTreePermissionsTest extends FunctionalTest {
 	static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml";
 	
+	function setUp() {
+		parent::setUp();
+		
+		$this->useDraftSite();
+		
+		// we're testing HTTP status codes before being redirected to login forms
+		$this->autoFollowRedirection = false;
+	}
+	
 	function testRestrictedViewLoggedInUsers() {
 		$page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers');
 		
-		/*
-		 NOTE: This isn't correct.  An "unauthed member" test needs to be done by setting the loggedInAs data in the session
-		 to zero and then confirming that a 403 response is returned.  Alternatively, the canView() method needs a well-defined
-		 way of asking "can a person who isn't logged in view this?" perhaps by passing the integer value 0 to the canView() method
-		 as opposed to leaving it omitted, which uses Member::currentUser() as the default.
-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticated users
 		$this->assertFalse(
-			$page->canView($randomUnauthedMember),
+			$page->canView(FALSE),
 			'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
 		);
-		 */
-		
+		$this->session()->inst_set('loggedInAs', null);
+		$response = $this->get($page->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			403,
+			'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
+		);
+
+		// website users
 		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
-		$websiteuser->logIn();
 		$this->assertTrue(
 			$page->canView($websiteuser),
 			'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
 		);
-		
-		$websiteuser->logOut();
+		$this->session()->inst_set('loggedInAs', $websiteuser->ID);
+		$response = $this->get($page->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			200,
+			'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
+		);
+		$this->session()->inst_set('loggedInAs', null);
 	}
 	
 	function testRestrictedViewOnlyTheseUsers() {
 		$page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers');
 		
-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticcated users
 		$this->assertFalse(
-			$page->canView($randomUnauthedMember),
+			$page->canView(FALSE),
+			'Unauthenticated members cant view a page marked as "Viewable by these groups"'
+		);
+		$this->session()->inst_set('loggedInAs', null);
+		$response = $this->get($page->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			403,
 			'Unauthenticated members cant view a page marked as "Viewable by these groups"'
 		);
 		
+		// subadmin users
 		$subadminuser = $this->objFromFixture('Member', 'subadmin');
 		$this->assertFalse(
 			$page->canView($subadminuser),
 			'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
 		);
+		$this->session()->inst_set('loggedInAs', $subadminuser->ID);
+		$response = $this->get($page->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			403,
+			'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
+		);
+		$this->session()->inst_set('loggedInAs', null);
 		
+		// website users
 		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
 		$this->assertTrue(
 			$page->canView($websiteuser),
 			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
 		);
+		$this->session()->inst_set('loggedInAs', $websiteuser->ID);
+		$response = $this->get($page->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			200,
+			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
+		);
+		$this->session()->inst_set('loggedInAs', null);
 	}
 	
 	function testRestrictedEditLoggedInUsers() {
 		$page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers');
 		
-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticcated users
 		$this->assertFalse(
-			$page->canEdit($randomUnauthedMember),
+			$page->canEdit(FALSE),
 			'Unauthenticated members cant edit a page marked as "Editable by logged in users"'
 		);
 		
+		// website users
 		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
 		$websiteuser->logIn();
 		$this->assertFalse(
 			$page->canEdit($websiteuser),
 			'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions'
 		);
+		
+		// subadmin users
 		$subadminuser = $this->objFromFixture('Member', 'subadmin');
 		$this->assertTrue(
 			$page->canEdit($subadminuser),
 			'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
 		);
-		
-		$websiteuser->logOut();
 	}
 	
 	function testRestrictedEditOnlySubadminGroup() {
 		$page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup');
 		
-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticated users
 		$this->assertFalse(
-			$page->canEdit($randomUnauthedMember),
+			$page->canEdit(FALSE),
 			'Unauthenticated members cant edit a page marked as "Editable by these groups"'
 		);
 		
+		// subadmin users
 		$subadminuser = $this->objFromFixture('Member', 'subadmin');
 		$this->assertTrue(
 			$page->canEdit($subadminuser),
 			'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups'
 		);
 		
+		// website users
 		$websiteuser = $this->objFromFixture('Member', 'websiteuser');
-		$websiteuser->logIn();
 		$this->assertFalse(
 			$page->canEdit($websiteuser),
 			'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups'
 		);
-		
-		$websiteuser->logOut();
 	}
 	
 	function testRestrictedViewInheritance() {
 		$parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup');
 		$childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup');

-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticated users
 		$this->assertFalse(
-			$childPage->canView($randomUnauthedMember),
+			$childPage->canView(FALSE),
+			'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
+		);
+		$this->session()->inst_set('loggedInAs', null);
+		$response = $this->get($childPage->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			403,
 			'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
 		);

+		// subadmin users
 		$subadminuser = $this->objFromFixture('Member', 'subadmin');
 		$this->assertTrue(
 			$childPage->canView($subadminuser),
 			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
 		);
+		$this->session()->inst_set('loggedInAs', $subadminuser->ID);
+		$response = $this->get($childPage->URLSegment);
+		$this->assertEquals(
+			$response->getStatusCode(),
+			200,
+			'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
+		);
+		$this->session()->inst_set('loggedInAs', null);
 	}
 	
 	function testRestrictedEditInheritance() {
 		$parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup');
 		$childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup');

-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticated users
 		$this->assertFalse(
-			$childPage->canEdit($randomUnauthedMember),
+			$childPage->canEdit(FALSE),
 			'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission'
 		);

+		// subadmin users
 		$subadminuser = $this->objFromFixture('Member', 'subadmin');
 		$this->assertTrue(
 			$childPage->canEdit($subadminuser),
@ -149,14 +201,13 @@ class SiteTreePermissionsTest extends SapphireTest {
 		$parentPage = $this->objFromFixture('Page', 'deleteTestParentPage');
 		$childPage = $this->objFromFixture('Page', 'deleteTestChildPage');

-		$randomUnauthedMember = new Member();
-		$randomUnauthedMember->ID = 99;
+		// unauthenticated users
 		$this->assertFalse(
-			$parentPage->canDelete($randomUnauthedMember),
+			$parentPage->canDelete(FALSE),
 			'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants'
 		);
 		$this->assertFalse(
-			$childPage->canDelete($randomUnauthedMember),
+			$childPage->canDelete(FALSE),
 			'Unauthenticated members cant delete a child page marked as "Editable by these groups"'
 		);
 	}
--- a/tests/SiteTreePermissionsTest.yml
+++ b/tests/SiteTreePermissionsTest.yml
@ -30,31 +30,42 @@ Member:
 Page:
   restrictedViewLoggedInUsers:
      CanViewType: LoggedInUsers
+      URLSegment: restrictedViewLoggedInUsers
   restrictedViewOnlyWebsiteUsers:
      CanViewType: OnlyTheseUsers
      ViewerGroups: =>Group.websiteusers
+      URLSegment: restrictedViewOnlyWebsiteUsers
   restrictedViewOnlySubadminGroup:
      CanViewType: OnlyTheseUsers
      ViewerGroups: =>Group.subadmingroup
+      URLSegment: restrictedViewOnlySubadminGroup
   restrictedEditLoggedInUsers:
      CanEditType: LoggedInUsers
+      URLSegment: restrictedEditLoggedInUsers
   restrictedEditOnlySubadminGroup:
      CanEditType: OnlyTheseUsers
      EditorGroups: =>Group.subadmingroup
+      URLSegment: restrictedEditOnlySubadminGroup
   parent_restrictedViewOnlySubadminGroup:
      CanViewType: OnlyTheseUsers
      ViewerGroups: =>Group.subadmingroup
+      URLSegment: parent-restrictedViewOnlySubadminGroup
   child_restrictedViewOnlySubadminGroup:
      CanViewType: Inherit
      Parent: =>Page.parent_restrictedViewOnlySubadminGroup
+      URLSegment: child-restrictedViewOnlySubadminGroup
   parent_restrictedEditOnlySubadminGroup:
      CanEditType: OnlyTheseUsers
      EditorGroups: =>Group.subadmingroup
+      URLSegment: parent-restrictedEditOnlySubadminGroup
   child_restrictedEditOnlySubadminGroup:
      CanEditType: Inherit
      Parent: =>Page.parent_restrictedEditOnlySubadminGroup
+      URLSegment: child-restrictedEditOnlySubadminGroup
   deleteTestParentPage:
      CanEditType: Inherit
+      URLSegment: deleteTestParentPage
   deleteTestChildPage:
      CanEditType: OnlyTheseUsers
-      EditorGroups: =>Group.subadmingroup
+      EditorGroups: =>Group.subadmingroup
+      URLSegment: deleteTestChildPage