BUGFIX Fixed SiteTreePermissionsTest checking for logged-in users (was using Member->logIn() instead of setting "loggedInAs" on test session)
ENHANCEMENT Added FunctionalTest HTTP GET checks for SiteTreePermissionsTest to check that canView() permissions are actually enforced over HTTP git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@66681 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
b65f74a37f
commit
5404cd3016
@ -6,138 +6,190 @@
|
|||||||
* @todo Test canAddChildren()
|
* @todo Test canAddChildren()
|
||||||
* @todo Test canCreate()
|
* @todo Test canCreate()
|
||||||
*/
|
*/
|
||||||
class SiteTreePermissionsTest extends SapphireTest {
|
class SiteTreePermissionsTest extends FunctionalTest {
|
||||||
static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml";
|
static $fixture_file = "sapphire/tests/SiteTreePermissionsTest.yml";
|
||||||
|
|
||||||
|
function setUp() {
|
||||||
|
parent::setUp();
|
||||||
|
|
||||||
|
$this->useDraftSite();
|
||||||
|
|
||||||
|
// we're testing HTTP status codes before being redirected to login forms
|
||||||
|
$this->autoFollowRedirection = false;
|
||||||
|
}
|
||||||
|
|
||||||
function testRestrictedViewLoggedInUsers() {
|
function testRestrictedViewLoggedInUsers() {
|
||||||
$page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers');
|
$page = $this->objFromFixture('Page', 'restrictedViewLoggedInUsers');
|
||||||
|
|
||||||
/*
|
// unauthenticated users
|
||||||
NOTE: This isn't correct. An "unauthed member" test needs to be done by setting the loggedInAs data in the session
|
|
||||||
to zero and then confirming that a 403 response is returned. Alternatively, the canView() method needs a well-defined
|
|
||||||
way of asking "can a person who isn't logged in view this?" perhaps by passing the integer value 0 to the canView() method
|
|
||||||
as opposed to leaving it omitted, which uses Member::currentUser() as the default.
|
|
||||||
$randomUnauthedMember = new Member();
|
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canView($randomUnauthedMember),
|
$page->canView(FALSE),
|
||||||
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
|
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
|
||||||
);
|
);
|
||||||
*/
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
|
$response = $this->get($page->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
403,
|
||||||
|
'Unauthenticated members cant view a page marked as "Viewable for any logged in users"'
|
||||||
|
);
|
||||||
|
|
||||||
|
// website users
|
||||||
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
||||||
$websiteuser->logIn();
|
|
||||||
$this->assertTrue(
|
$this->assertTrue(
|
||||||
$page->canView($websiteuser),
|
$page->canView($websiteuser),
|
||||||
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
|
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
|
||||||
);
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', $websiteuser->ID);
|
||||||
$websiteuser->logOut();
|
$response = $this->get($page->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
200,
|
||||||
|
'Authenticated members can view a page marked as "Viewable for any logged in users" even if they dont have access to the CMS'
|
||||||
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
}
|
}
|
||||||
|
|
||||||
function testRestrictedViewOnlyTheseUsers() {
|
function testRestrictedViewOnlyTheseUsers() {
|
||||||
$page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers');
|
$page = $this->objFromFixture('Page', 'restrictedViewOnlyWebsiteUsers');
|
||||||
|
|
||||||
$randomUnauthedMember = new Member();
|
// unauthenticcated users
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canView($randomUnauthedMember),
|
$page->canView(FALSE),
|
||||||
|
'Unauthenticated members cant view a page marked as "Viewable by these groups"'
|
||||||
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
|
$response = $this->get($page->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
403,
|
||||||
'Unauthenticated members cant view a page marked as "Viewable by these groups"'
|
'Unauthenticated members cant view a page marked as "Viewable by these groups"'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// subadmin users
|
||||||
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canView($subadminuser),
|
$page->canView($subadminuser),
|
||||||
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
|
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
|
||||||
);
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', $subadminuser->ID);
|
||||||
|
$response = $this->get($page->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
403,
|
||||||
|
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
|
||||||
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
|
|
||||||
|
// website users
|
||||||
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
||||||
$this->assertTrue(
|
$this->assertTrue(
|
||||||
$page->canView($websiteuser),
|
$page->canView($websiteuser),
|
||||||
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
|
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
|
||||||
);
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', $websiteuser->ID);
|
||||||
|
$response = $this->get($page->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
200,
|
||||||
|
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups'
|
||||||
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
}
|
}
|
||||||
|
|
||||||
function testRestrictedEditLoggedInUsers() {
|
function testRestrictedEditLoggedInUsers() {
|
||||||
$page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers');
|
$page = $this->objFromFixture('Page', 'restrictedEditLoggedInUsers');
|
||||||
|
|
||||||
$randomUnauthedMember = new Member();
|
// unauthenticcated users
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canEdit($randomUnauthedMember),
|
$page->canEdit(FALSE),
|
||||||
'Unauthenticated members cant edit a page marked as "Editable by logged in users"'
|
'Unauthenticated members cant edit a page marked as "Editable by logged in users"'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// website users
|
||||||
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
||||||
$websiteuser->logIn();
|
$websiteuser->logIn();
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canEdit($websiteuser),
|
$page->canEdit($websiteuser),
|
||||||
'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions'
|
'Authenticated members cant edit a page marked as "Editable by logged in users" if they dont have cms permissions'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// subadmin users
|
||||||
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
||||||
$this->assertTrue(
|
$this->assertTrue(
|
||||||
$page->canEdit($subadminuser),
|
$page->canEdit($subadminuser),
|
||||||
'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
|
'Authenticated members can edit a page marked as "Editable by logged in users" if they have cms permissions and belong to any of these groups'
|
||||||
);
|
);
|
||||||
|
|
||||||
$websiteuser->logOut();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function testRestrictedEditOnlySubadminGroup() {
|
function testRestrictedEditOnlySubadminGroup() {
|
||||||
$page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup');
|
$page = $this->objFromFixture('Page', 'restrictedEditOnlySubadminGroup');
|
||||||
|
|
||||||
$randomUnauthedMember = new Member();
|
// unauthenticated users
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canEdit($randomUnauthedMember),
|
$page->canEdit(FALSE),
|
||||||
'Unauthenticated members cant edit a page marked as "Editable by these groups"'
|
'Unauthenticated members cant edit a page marked as "Editable by these groups"'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// subadmin users
|
||||||
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
||||||
$this->assertTrue(
|
$this->assertTrue(
|
||||||
$page->canEdit($subadminuser),
|
$page->canEdit($subadminuser),
|
||||||
'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups'
|
'Authenticated members can view a page marked as "Editable by these groups" if theyre in the listed groups'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// website users
|
||||||
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
$websiteuser = $this->objFromFixture('Member', 'websiteuser');
|
||||||
$websiteuser->logIn();
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$page->canEdit($websiteuser),
|
$page->canEdit($websiteuser),
|
||||||
'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups'
|
'Authenticated members cant edit a page marked as "Editable by these groups" if theyre not in the listed groups'
|
||||||
);
|
);
|
||||||
|
|
||||||
$websiteuser->logOut();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function testRestrictedViewInheritance() {
|
function testRestrictedViewInheritance() {
|
||||||
$parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup');
|
$parentPage = $this->objFromFixture('Page', 'parent_restrictedViewOnlySubadminGroup');
|
||||||
$childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup');
|
$childPage = $this->objFromFixture('Page', 'child_restrictedViewOnlySubadminGroup');
|
||||||
|
|
||||||
$randomUnauthedMember = new Member();
|
// unauthenticated users
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$childPage->canView($randomUnauthedMember),
|
$childPage->canView(FALSE),
|
||||||
|
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
|
||||||
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
|
$response = $this->get($childPage->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
403,
|
||||||
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
|
'Unauthenticated members cant view a page marked as "Viewable by these groups" by inherited permission'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// subadmin users
|
||||||
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
||||||
$this->assertTrue(
|
$this->assertTrue(
|
||||||
$childPage->canView($subadminuser),
|
$childPage->canView($subadminuser),
|
||||||
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
|
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
|
||||||
);
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', $subadminuser->ID);
|
||||||
|
$response = $this->get($childPage->URLSegment);
|
||||||
|
$this->assertEquals(
|
||||||
|
$response->getStatusCode(),
|
||||||
|
200,
|
||||||
|
'Authenticated members can view a page marked as "Viewable by these groups" if theyre in the listed groups by inherited permission'
|
||||||
|
);
|
||||||
|
$this->session()->inst_set('loggedInAs', null);
|
||||||
}
|
}
|
||||||
|
|
||||||
function testRestrictedEditInheritance() {
|
function testRestrictedEditInheritance() {
|
||||||
$parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup');
|
$parentPage = $this->objFromFixture('Page', 'parent_restrictedEditOnlySubadminGroup');
|
||||||
$childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup');
|
$childPage = $this->objFromFixture('Page', 'child_restrictedEditOnlySubadminGroup');
|
||||||
|
|
||||||
$randomUnauthedMember = new Member();
|
// unauthenticated users
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$childPage->canEdit($randomUnauthedMember),
|
$childPage->canEdit(FALSE),
|
||||||
'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission'
|
'Unauthenticated members cant edit a page marked as "Editable by these groups" by inherited permission'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// subadmin users
|
||||||
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
$subadminuser = $this->objFromFixture('Member', 'subadmin');
|
||||||
$this->assertTrue(
|
$this->assertTrue(
|
||||||
$childPage->canEdit($subadminuser),
|
$childPage->canEdit($subadminuser),
|
||||||
@ -149,14 +201,13 @@ class SiteTreePermissionsTest extends SapphireTest {
|
|||||||
$parentPage = $this->objFromFixture('Page', 'deleteTestParentPage');
|
$parentPage = $this->objFromFixture('Page', 'deleteTestParentPage');
|
||||||
$childPage = $this->objFromFixture('Page', 'deleteTestChildPage');
|
$childPage = $this->objFromFixture('Page', 'deleteTestChildPage');
|
||||||
|
|
||||||
$randomUnauthedMember = new Member();
|
// unauthenticated users
|
||||||
$randomUnauthedMember->ID = 99;
|
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$parentPage->canDelete($randomUnauthedMember),
|
$parentPage->canDelete(FALSE),
|
||||||
'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants'
|
'Unauthenticated members cant delete a page if it doesnt have delete permissions on any of its descendants'
|
||||||
);
|
);
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$childPage->canDelete($randomUnauthedMember),
|
$childPage->canDelete(FALSE),
|
||||||
'Unauthenticated members cant delete a child page marked as "Editable by these groups"'
|
'Unauthenticated members cant delete a child page marked as "Editable by these groups"'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
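Review bot: In testRestrictedEditLoggedInUsers the `$websiteuser->logIn();` call before the assertFalse on `$page->canEdit($websiteuser)` survives as context while its matching `$websiteuser->logOut();` at the end of the method is removed, so that member is left logged in when the test finishes; the same pair was removed together in testRestrictedEditOnlySubadminGroup. The assertions there pass the member explicitly, so the login looks unnecessary and the line can simply be dropped in line with the commit's stated move away from Member->logIn(); if a logged-in state is wanted, set it with `$this->session()->inst_set('loggedInAs', $websiteuser->ID);` and clear it with `$this->session()->inst_set('loggedInAs', null);` as the view tests do, so a permission check in a later test cannot run as an authenticated member by accident. Separately, every new `$this->assertEquals($response->getStatusCode(), 403, ...)` passes the actual value first although PHPUnit's order is (expected, actual), so a failure would report the two values reversed; `$this->assertEquals(403, $response->getStatusCode(), ...)` reads correctly.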
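--- a/sapphire/tests/SiteTreePermissionsTest.yml
+++ b/sapphire/tests/SiteTreePermissionsTest.yml
@@ -30,31 +30,42 @@ Member:
 Page:
 restrictedViewLoggedInUsers:
 CanViewType: LoggedInUsers
+URLSegment: restrictedViewLoggedInUsers
 restrictedViewOnlyWebsiteUsers:
 CanViewType: OnlyTheseUsers
 ViewerGroups: =>Group.websiteusers
+URLSegment: restrictedViewOnlyWebsiteUsers
 restrictedViewOnlySubadminGroup:
 CanViewType: OnlyTheseUsers
 ViewerGroups: =>Group.subadmingroup
+URLSegment: restrictedViewOnlySubadminGroup
 restrictedEditLoggedInUsers:
 CanEditType: LoggedInUsers
+URLSegment: restrictedEditLoggedInUsers
 restrictedEditOnlySubadminGroup:
 CanEditType: OnlyTheseUsers
 EditorGroups: =>Group.subadmingroup
+URLSegment: restrictedEditOnlySubadminGroup
 parent_restrictedViewOnlySubadminGroup:
 CanViewType: OnlyTheseUsers
 ViewerGroups: =>Group.subadmingroup
+URLSegment: parent-restrictedViewOnlySubadminGroup
 child_restrictedViewOnlySubadminGroup:
 CanViewType: Inherit
 Parent: =>Page.parent_restrictedViewOnlySubadminGroup
+URLSegment: child-restrictedViewOnlySubadminGroup
 parent_restrictedEditOnlySubadminGroup:
 CanEditType: OnlyTheseUsers
 EditorGroups: =>Group.subadmingroup
+URLSegment: parent-restrictedEditOnlySubadminGroup
 child_restrictedEditOnlySubadminGroup:
 CanEditType: Inherit
 Parent: =>Page.parent_restrictedEditOnlySubadminGroup
+URLSegment: child-restrictedEditOnlySubadminGroup
 deleteTestParentPage:
 CanEditType: Inherit
+URLSegment: deleteTestParentPage
 deleteTestChildPage:
 CanEditType: OnlyTheseUsers
 EditorGroups: =>Group.subadmingroup
+URLSegment: deleteTestChildPage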