BUGFIX Fixed SiteTreePermissionsTest checking for logged-in users (was using Member->logIn() instead of setting "loggedInAs" on test session)

ENHANCEMENT Added FunctionalTest HTTP GET checks for SiteTreePermissionsTest to check that canView() permissions are actually enforced over HTTP

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66681 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2008-11-25 22:36:23 +00:00
parent b65f74a37f
commit 5404cd3016
2 changed files with 101 additions and 39 deletions


@ -6,138 +6,190 @@
* @todo Test canAddChildren() * @todo Test canAddChildren()
* @todo Test canCreate() * @todo Test canCreate()
*/ */
class SiteTreePermissionsTest extends SapphireTest { class SiteTreePermissionsTest extends FunctionalTest {
static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml"; static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml";
function setUp() {
parent::setUp();
$this->useDraftSite();
// we're testing HTTP status codes before being redirected to login forms
$this->autoFollowRedirection = false;
}
function testRestrictedViewLoggedInUsers() { function testRestrictedViewLoggedInUsers() {
$page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers'); $page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers');
/* // unauthenticated users
NOTE: This isn't correct. An "unauthed member" test needs to be done by setting the loggedInAs data in the session
to zero and then confirming that a 403 response is returned. Alternatively, the canView() method needs a well-defined
way of asking "can a person who isn't logged in view this?" perhaps by passing the integer value 0 to the canView() method
as opposed to leaving it omitted, which uses Member::currentUser() as the default.
$randomUnauthedMember = new Member();
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$page->canView($randomUnauthedMember), $page->canView(FALSE),
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
);
$this->session()->inst_set('loggedInAs', null);
$response = $this->get($page->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
403,
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"' 'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
); );
*/
// website users
$websiteuser = $this->objFromFixture('Member', 'websiteuser'); $websiteuser = $this->objFromFixture('Member', 'websiteuser');
$websiteuser->logIn();
$this->assertTrue( $this->assertTrue(
$page->canView($websiteuser), $page->canView($websiteuser),
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS' 'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
); );
$this->session()->inst_set('loggedInAs', $websiteuser->ID);
$websiteuser->logOut(); $response = $this->get($page->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
200,
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
);
$this->session()->inst_set('loggedInAs', null);
} }
function testRestrictedViewOnlyTheseUsers() { function testRestrictedViewOnlyTheseUsers() {
$page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers'); $page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers');
$randomUnauthedMember = new Member(); // unauthenticcated users
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$page->canView($randomUnauthedMember), $page->canView(FALSE),
'Unauthenticated members cant view a page marked as "Viewable by these groups"'
);
$this->session()->inst_set('loggedInAs', null);
$response = $this->get($page->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
403,
'Unauthenticated members cant view a page marked as "Viewable by these groups"' 'Unauthenticated members cant view a page marked as "Viewable by these groups"'
); );
// subadmin users
$subadminuser = $this->objFromFixture('Member', 'subadmin'); $subadminuser = $this->objFromFixture('Member', 'subadmin');
$this->assertFalse( $this->assertFalse(
$page->canView($subadminuser), $page->canView($subadminuser),
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups' 'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
); );
$this->session()->inst_set('loggedInAs', $subadminuser->ID);
$response = $this->get($page->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
403,
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
);
$this->session()->inst_set('loggedInAs', null);
// website users
$websiteuser = $this->objFromFixture('Member', 'websiteuser'); $websiteuser = $this->objFromFixture('Member', 'websiteuser');
$this->assertTrue( $this->assertTrue(
$page->canView($websiteuser), $page->canView($websiteuser),
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups' 'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
); );
$this->session()->inst_set('loggedInAs', $websiteuser->ID);
$response = $this->get($page->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
200,
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
);
$this->session()->inst_set('loggedInAs', null);
} }
function testRestrictedEditLoggedInUsers() { function testRestrictedEditLoggedInUsers() {
$page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers'); $page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers');
$randomUnauthedMember = new Member(); // unauthenticcated users
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$page->canEdit($randomUnauthedMember), $page->canEdit(FALSE),
'Unauthenticated members cant edit a page marked as "Editable by logged in users"' 'Unauthenticated members cant edit a page marked as "Editable by logged in users"'
); );
// website users
$websiteuser = $this->objFromFixture('Member', 'websiteuser'); $websiteuser = $this->objFromFixture('Member', 'websiteuser');
$websiteuser->logIn(); $websiteuser->logIn();
$this->assertFalse( $this->assertFalse(
$page->canEdit($websiteuser), $page->canEdit($websiteuser),
'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions' 'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions'
); );
// subadmin users
$subadminuser = $this->objFromFixture('Member', 'subadmin'); $subadminuser = $this->objFromFixture('Member', 'subadmin');
$this->assertTrue( $this->assertTrue(
$page->canEdit($subadminuser), $page->canEdit($subadminuser),
'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups' 'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
); );
$websiteuser->logOut();
} }
function testRestrictedEditOnlySubadminGroup() { function testRestrictedEditOnlySubadminGroup() {
$page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup'); $page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup');
$randomUnauthedMember = new Member(); // unauthenticated users
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$page->canEdit($randomUnauthedMember), $page->canEdit(FALSE),
'Unauthenticated members cant edit a page marked as "Editable by these groups"' 'Unauthenticated members cant edit a page marked as "Editable by these groups"'
); );
// subadmin users
$subadminuser = $this->objFromFixture('Member', 'subadmin'); $subadminuser = $this->objFromFixture('Member', 'subadmin');
$this->assertTrue( $this->assertTrue(
$page->canEdit($subadminuser), $page->canEdit($subadminuser),
'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups' 'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups'
); );
// website users
$websiteuser = $this->objFromFixture('Member', 'websiteuser'); $websiteuser = $this->objFromFixture('Member', 'websiteuser');
$websiteuser->logIn();
$this->assertFalse( $this->assertFalse(
$page->canEdit($websiteuser), $page->canEdit($websiteuser),
'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups' 'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups'
); );
$websiteuser->logOut();
} }
function testRestrictedViewInheritance() { function testRestrictedViewInheritance() {
$parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup'); $parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup');
$childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup'); $childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup');
$randomUnauthedMember = new Member(); // unauthenticated users
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$childPage->canView($randomUnauthedMember), $childPage->canView(FALSE),
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
);
$this->session()->inst_set('loggedInAs', null);
$response = $this->get($childPage->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
403,
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission' 'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
); );
// subadmin users
$subadminuser = $this->objFromFixture('Member', 'subadmin'); $subadminuser = $this->objFromFixture('Member', 'subadmin');
$this->assertTrue( $this->assertTrue(
$childPage->canView($subadminuser), $childPage->canView($subadminuser),
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission' 'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
); );
$this->session()->inst_set('loggedInAs', $subadminuser->ID);
$response = $this->get($childPage->URLSegment);
$this->assertEquals(
$response->getStatusCode(),
200,
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
);
$this->session()->inst_set('loggedInAs', null);
} }
function testRestrictedEditInheritance() { function testRestrictedEditInheritance() {
$parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup'); $parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup');
$childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup'); $childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup');
$randomUnauthedMember = new Member(); // unauthenticated users
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$childPage->canEdit($randomUnauthedMember), $childPage->canEdit(FALSE),
'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission' 'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission'
); );
// subadmin users
$subadminuser = $this->objFromFixture('Member', 'subadmin'); $subadminuser = $this->objFromFixture('Member', 'subadmin');
$this->assertTrue( $this->assertTrue(
$childPage->canEdit($subadminuser), $childPage->canEdit($subadminuser),
@ -149,14 +201,13 @@ class SiteTreePermissionsTest extends SapphireTest {
$parentPage = $this->objFromFixture('Page', 'deleteTestParentPage'); $parentPage = $this->objFromFixture('Page', 'deleteTestParentPage');
$childPage = $this->objFromFixture('Page', 'deleteTestChildPage'); $childPage = $this->objFromFixture('Page', 'deleteTestChildPage');
$randomUnauthedMember = new Member(); // unauthenticated users
$randomUnauthedMember->ID = 99;
$this->assertFalse( $this->assertFalse(
$parentPage->canDelete($randomUnauthedMember), $parentPage->canDelete(FALSE),
'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants' 'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants'
); );
$this->assertFalse( $this->assertFalse(
$childPage->canDelete($randomUnauthedMember), $childPage->canDelete(FALSE),
'Unauthenticated members cant delete a child page marked as "Editable by these groups"' 'Unauthenticated members cant delete a child page marked as "Editable by these groups"'
); );
} }
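Review bot: `$websiteuser->logIn();` survives as an unchanged line in testRestrictedEditLoggedInUsers (first hunk) while the matching `$websiteuser->logOut();` at the end of that test appears to be dropped, so this test still performs the real login the commit message says it removes, and the logged-in state persists after the test ends. Since `canEdit($websiteuser)` receives the member explicitly, that login line can simply be deleted. The view tests reset `loggedInAs` only on their success path, so a failed assertion leaves the session populated for whichever test runs next; a `tearDown()` that calls `$this->session()->inst_set('loggedInAs', null);` before `parent::tearDown()` would make the 403 checks independent of test ordering. Separately, the new `assertEquals($response->getStatusCode(), 403, ...)` calls pass actual before expected, so failure output labels the two values the wrong way round; `$this->assertEquals(403, $response->getStatusCode(), ...)` follows PHPUnit's convention. The second hunk begins inside a method whose signature lies outside the hunk.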


@ -30,31 +30,42 @@ Member:
Page: Page:
restrictedViewLoggedInUsers: restrictedViewLoggedInUsers:
CanViewType: LoggedInUsers CanViewType: LoggedInUsers
URLSegment: restrictedViewLoggedInUsers
restrictedViewOnlyWebsiteUsers: restrictedViewOnlyWebsiteUsers:
CanViewType: OnlyTheseUsers CanViewType: OnlyTheseUsers
ViewerGroups: =>Group.websiteusers ViewerGroups: =>Group.websiteusers
URLSegment: restrictedViewOnlyWebsiteUsers
restrictedViewOnlySubadminGroup: restrictedViewOnlySubadminGroup:
CanViewType: OnlyTheseUsers CanViewType: OnlyTheseUsers
ViewerGroups: =>Group.subadmingroup ViewerGroups: =>Group.subadmingroup
URLSegment: restrictedViewOnlySubadminGroup
restrictedEditLoggedInUsers: restrictedEditLoggedInUsers:
CanEditType: LoggedInUsers CanEditType: LoggedInUsers
URLSegment: restrictedEditLoggedInUsers
restrictedEditOnlySubadminGroup: restrictedEditOnlySubadminGroup:
CanEditType: OnlyTheseUsers CanEditType: OnlyTheseUsers
EditorGroups: =>Group.subadmingroup EditorGroups: =>Group.subadmingroup
URLSegment: restrictedEditOnlySubadminGroup
parent_restrictedViewOnlySubadminGroup: parent_restrictedViewOnlySubadminGroup:
CanViewType: OnlyTheseUsers CanViewType: OnlyTheseUsers
ViewerGroups: =>Group.subadmingroup ViewerGroups: =>Group.subadmingroup
URLSegment: parent-restrictedViewOnlySubadminGroup
child_restrictedViewOnlySubadminGroup: child_restrictedViewOnlySubadminGroup:
CanViewType: Inherit CanViewType: Inherit
Parent: =>Page.parent_restrictedViewOnlySubadminGroup Parent: =>Page.parent_restrictedViewOnlySubadminGroup
URLSegment: child-restrictedViewOnlySubadminGroup
parent_restrictedEditOnlySubadminGroup: parent_restrictedEditOnlySubadminGroup:
CanEditType: OnlyTheseUsers CanEditType: OnlyTheseUsers
EditorGroups: =>Group.subadmingroup EditorGroups: =>Group.subadmingroup
URLSegment: parent-restrictedEditOnlySubadminGroup
child_restrictedEditOnlySubadminGroup: child_restrictedEditOnlySubadminGroup:
CanEditType: Inherit CanEditType: Inherit
Parent: =>Page.parent_restrictedEditOnlySubadminGroup Parent: =>Page.parent_restrictedEditOnlySubadminGroup
URLSegment: child-restrictedEditOnlySubadminGroup
deleteTestParentPage: deleteTestParentPage:
CanEditType: Inherit CanEditType: Inherit
URLSegment: deleteTestParentPage
deleteTestChildPage: deleteTestChildPage:
CanEditType: OnlyTheseUsers CanEditType: OnlyTheseUsers
EditorGroups: =>Group.subadmingroup EditorGroups: =>Group.subadmingroup
URLSegment: deleteTestChildPage