From 5404cd30167661a9e612e491e2e12f2bb1e47ad6 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Tue, 25 Nov 2008 22:36:23 +0000 Subject: [PATCH] BUGFIX Fixed SiteTreePermissionsTest checking for logged-in users (was using Member->logIn() instead of setting "loggedInAs" on test session) ENHANCEMENT Added FunctionalTest HTTP GET checks for SiteTreePermissionsTest to check that canView() permissions are actually enforced over HTTP git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66681 467b73ca-7a2a-4603-9d3b-597d59a354a9 --- tests/SiteTreePermissionsTest.php | 127 +++++++++++++++++++++--------- tests/SiteTreePermissionsTest.yml | 13 ++- 2 files changed, 101 insertions(+), 39 deletions(-) diff --git a/tests/SiteTreePermissionsTest.php b/tests/SiteTreePermissionsTest.php index 578040d35..9414eb03a 100644 --- a/tests/SiteTreePermissionsTest.php +++ b/tests/SiteTreePermissionsTest.php 
@@ -6,138 +6,190 @@ * @todo Test canAddChildren() * @todo Test canCreate() */ -class SiteTreePermissionsTest extends SapphireTest { +class SiteTreePermissionsTest extends FunctionalTest { static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml"; + function setUp() { + parent::setUp(); + + $this->useDraftSite(); + + // we're testing HTTP status codes before being redirected to login forms + $this->autoFollowRedirection = false; + } + function testRestrictedViewLoggedInUsers() { $page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers'); - /* - NOTE: This isn't correct. An "unauthed member" test needs to be done by setting the loggedInAs data in the session - to zero and then confirming that a 403 response is returned. Alternatively, the canView() method needs a well-defined - way of asking "can a person who isn't logged in view this?" perhaps by passing the integer value 0 to the canView() method - as opposed to leaving it omitted, which uses Member::currentUser() as the default. 
- $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticated users $this->assertFalse( - $page->canView($randomUnauthedMember), + $page->canView(FALSE), 'Unauthenticated members cant view a page marked as "Viewable for any logged in users"' ); - */ - + $this->session()->inst_set('loggedInAs', null); + $response = $this->get($page->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 403, + 'Unauthenticated members cant view a page marked as "Viewable for any logged in users"' + ); + + // website users $websiteuser = $this->objFromFixture('Member', 'websiteuser'); - $websiteuser->logIn(); $this->assertTrue( $page->canView($websiteuser), 'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS' ); - - $websiteuser->logOut(); + $this->session()->inst_set('loggedInAs', $websiteuser->ID); + $response = $this->get($page->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 200, + 'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS' + ); + $this->session()->inst_set('loggedInAs', null); } function testRestrictedViewOnlyTheseUsers() { $page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers'); - $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticcated users $this->assertFalse( - $page->canView($randomUnauthedMember), + $page->canView(FALSE), + 'Unauthenticated members cant view a page marked as "Viewable by these groups"' + ); + $this->session()->inst_set('loggedInAs', null); + $response = $this->get($page->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 403, 'Unauthenticated members cant view a page marked as "Viewable by these groups"' ); + // subadmin users $subadminuser = $this->objFromFixture('Member', 'subadmin'); $this->assertFalse( $page->canView($subadminuser), 'Authenticated members cant view 
a page marked as "Viewable by these groups" if theyre not in the listed groups' ); + $this->session()->inst_set('loggedInAs', $subadminuser->ID); + $response = $this->get($page->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 403, + 'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups' + ); + $this->session()->inst_set('loggedInAs', null); + // website users $websiteuser = $this->objFromFixture('Member', 'websiteuser'); $this->assertTrue( $page->canView($websiteuser), 'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups' ); + $this->session()->inst_set('loggedInAs', $websiteuser->ID); + $response = $this->get($page->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 200, + 'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups' + ); + $this->session()->inst_set('loggedInAs', null); } function testRestrictedEditLoggedInUsers() { $page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers'); - $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticcated users $this->assertFalse( - $page->canEdit($randomUnauthedMember), + $page->canEdit(FALSE), 'Unauthenticated members cant edit a page marked as "Editable by logged in users"' ); + // website users $websiteuser = $this->objFromFixture('Member', 'websiteuser'); $websiteuser->logIn(); $this->assertFalse( $page->canEdit($websiteuser), 'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions' ); + + // subadmin users $subadminuser = $this->objFromFixture('Member', 'subadmin'); $this->assertTrue( $page->canEdit($subadminuser), 'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups' ); - - $websiteuser->logOut(); } function 
testRestrictedEditOnlySubadminGroup() { $page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup'); - $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticated users $this->assertFalse( - $page->canEdit($randomUnauthedMember), + $page->canEdit(FALSE), 'Unauthenticated members cant edit a page marked as "Editable by these groups"' ); + // subadmin users $subadminuser = $this->objFromFixture('Member', 'subadmin'); $this->assertTrue( $page->canEdit($subadminuser), 'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups' ); + // website users $websiteuser = $this->objFromFixture('Member', 'websiteuser'); - $websiteuser->logIn(); $this->assertFalse( $page->canEdit($websiteuser), 'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups' ); - - $websiteuser->logOut(); } function testRestrictedViewInheritance() { $parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup'); $childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup'); - $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticated users $this->assertFalse( - $childPage->canView($randomUnauthedMember), + $childPage->canView(FALSE), + 'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission' + ); + $this->session()->inst_set('loggedInAs', null); + $response = $this->get($childPage->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 403, 'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission' ); + // subadmin users $subadminuser = $this->objFromFixture('Member', 'subadmin'); $this->assertTrue( $childPage->canView($subadminuser), 'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission' ); + 
$this->session()->inst_set('loggedInAs', $subadminuser->ID); + $response = $this->get($childPage->URLSegment); + $this->assertEquals( + $response->getStatusCode(), + 200, + 'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission' + ); + $this->session()->inst_set('loggedInAs', null); } function testRestrictedEditInheritance() { $parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup'); $childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup'); - $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticated users $this->assertFalse( - $childPage->canEdit($randomUnauthedMember), + $childPage->canEdit(FALSE), 'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission' ); + // subadmin users $subadminuser = $this->objFromFixture('Member', 'subadmin'); $this->assertTrue( $childPage->canEdit($subadminuser), @@ -149,14 +201,13 @@ class SiteTreePermissionsTest extends SapphireTest { $parentPage = $this->objFromFixture('Page', 'deleteTestParentPage'); $childPage = $this->objFromFixture('Page', 'deleteTestChildPage'); - $randomUnauthedMember = new Member(); - $randomUnauthedMember->ID = 99; + // unauthenticated users $this->assertFalse( - $parentPage->canDelete($randomUnauthedMember), + $parentPage->canDelete(FALSE), 'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants' ); $this->assertFalse( - $childPage->canDelete($randomUnauthedMember), + $childPage->canDelete(FALSE), 'Unauthenticated members cant delete a child page marked as "Editable by these groups"' ); } diff --git a/tests/SiteTreePermissionsTest.yml b/tests/SiteTreePermissionsTest.yml index 7347823cc..a9652b8c6 100644 --- a/tests/SiteTreePermissionsTest.yml +++ b/tests/SiteTreePermissionsTest.yml 
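Review bot: testRestrictedEditLoggedInUsers still calls `$websiteuser->logIn();` as a context line while this hunk removes the matching `$websiteuser->logOut();`, so that test now leaves the website user logged in for whatever runs after it, even though the commit message says logIn() was replaced by setting `loggedInAs` on the test session and the sibling testRestrictedEditOnlySubadminGroup does drop its logIn() call. The canEdit() assertions in that test pass the member explicitly, so the logIn() line can simply be deleted. Relatedly, in each view test the `$page->canView(FALSE)` assertion runs before `$this->session()->inst_set('loggedInAs', null);` — if canView() falls back to the current session user for a non-Member argument, as the NOTE comment this hunk removes suggested, that assertion is evaluated against whoever is still logged in rather than an anonymous visitor; moving the session reset ahead of the first canView(FALSE) call in each test closes that gap. testRestrictedEditInheritance continues past the end of this hunk.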
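Review bot: The two `canDelete(FALSE)` assertions only cover the anonymous case, leaving the delete rules this test is named for unchecked: there is no positive assertion that a member of the subadmin group can delete deleteTestChildPage and no negative one for websiteuser, the pairing the view and edit tests above use. Adding `$subadminuser = $this->objFromFixture('Member', 'subadmin');` with `$this->assertTrue($childPage->canDelete($subadminuser), ...)` and a matching assertFalse for websiteuser would pin that behaviour the same way. The function this hunk edits starts before the hunk.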
@@ -30,31 +30,42 @@ Member: Page: restrictedViewLoggedInUsers: CanViewType: LoggedInUsers + URLSegment: restrictedViewLoggedInUsers restrictedViewOnlyWebsiteUsers: CanViewType: OnlyTheseUsers ViewerGroups: =>Group.websiteusers + URLSegment: restrictedViewOnlyWebsiteUsers restrictedViewOnlySubadminGroup: CanViewType: OnlyTheseUsers ViewerGroups: =>Group.subadmingroup + URLSegment: restrictedViewOnlySubadminGroup restrictedEditLoggedInUsers: CanEditType: LoggedInUsers + URLSegment: restrictedEditLoggedInUsers restrictedEditOnlySubadminGroup: CanEditType: OnlyTheseUsers EditorGroups: =>Group.subadmingroup + URLSegment: restrictedEditOnlySubadminGroup parent_restrictedViewOnlySubadminGroup: CanViewType: OnlyTheseUsers ViewerGroups: =>Group.subadmingroup + URLSegment: parent-restrictedViewOnlySubadminGroup child_restrictedViewOnlySubadminGroup: CanViewType: Inherit Parent: =>Page.parent_restrictedViewOnlySubadminGroup + URLSegment: child-restrictedViewOnlySubadminGroup parent_restrictedEditOnlySubadminGroup: CanEditType: OnlyTheseUsers EditorGroups: =>Group.subadmingroup + URLSegment: parent-restrictedEditOnlySubadminGroup child_restrictedEditOnlySubadminGroup: CanEditType: Inherit Parent: =>Page.parent_restrictedEditOnlySubadminGroup + URLSegment: child-restrictedEditOnlySubadminGroup deleteTestParentPage: CanEditType: Inherit + URLSegment: deleteTestParentPage deleteTestChildPage: CanEditType: OnlyTheseUsers - EditorGroups: =>Group.subadmingroup \ No newline at end of file + EditorGroups: =>Group.subadmingroup + URLSegment: deleteTestChildPage \ No newline at end of file
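Review bot: deleteTestChildPage as shown in this hunk has no `Parent: =>Page.deleteTestParentPage` entry, unlike child_restrictedViewOnlySubadminGroup and child_restrictedEditOnlySubadminGroup which both declare their parent; if that is the complete fixture, the "doesnt have delete permissions on any of its descendants" assertion in SiteTreePermissionsTest.php is running against a parent with no descendants. Adding `Parent: =>Page.deleteTestParentPage` under deleteTestChildPage would make the fixture match what the test claims to check. The URLSegment values added here are the lookup keys for the new FunctionalTest::get() calls and must stay unique within the fixture (they currently are); a short `# URLSegment values are requested over HTTP by SiteTreePermissionsTest` comment at the top of the Page section would make that dependency visible to the next person editing the file.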