get($url); while ($location = $response->getHeader('Location')) { $response = $this->mainSession->followRedirection(); } echo $response->getHeader('Location'); return $response; } /** * Anonymous user cannot access anything. */ function testAnonymousIsForbiddenAdminAccess() { $response = $this->getAndFollowAll('admin/pages/?SubsiteID=0'); $this->assertRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'Admin is disallowed'); $subsite1 = $this->objFromFixture('Subsite', 'subsite1'); $response = $this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}"); $this->assertRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'Admin is disallowed'); $response = $this->getAndFollowAll('SubsiteXHRController'); $this->assertRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'SubsiteXHRController is disallowed'); } /** * Admin should be able to access all subsites and the main site */ function testAdminCanAccessAllSubsites() { $member = $this->objFromFixture('Member', 'admin'); Session::set("loggedInAs", $member->ID); $this->getAndFollowAll('admin/pages/?SubsiteID=0'); $this->assertEquals(Subsite::currentSubsiteID(), '0', 'Can access main site.'); $this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section'); $subsite1 = $this->objFromFixture('Subsite', 'subsite1'); $this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}"); $this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Can access other subsite.'); $this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section'); $response = $this->getAndFollowAll('SubsiteXHRController'); $this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'SubsiteXHRController is reachable'); } /** * User which has AccessAllSubsites set to 1 should be able to access all subsites and main site, * even though he does not have the ADMIN permission. */ function testEditorCanAccessAllSubsites() { $member = $this->objFromFixture('Member', 'editor'); Session::set("loggedInAs", $member->ID); $this->getAndFollowAll('admin/pages/?SubsiteID=0'); $this->assertEquals(Subsite::currentSubsiteID(), '0', 'Can access main site.'); $this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section'); $subsite1 = $this->objFromFixture('Subsite', 'subsite1'); $this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}"); $this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Can access other subsite.'); $this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section'); $response = $this->getAndFollowAll('SubsiteXHRController'); $this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'SubsiteXHRController is reachable'); } /** * Test a member who only has access to one subsite (subsite1) and only some sections (pages and security). */ function testSubsiteAdmin() { $member = $this->objFromFixture('Member', 'subsite1member'); Session::set("loggedInAs", $member->ID); $subsite1 = $this->objFromFixture('Subsite', 'subsite1'); // Check allowed URL. $this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}"); $this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Can access own subsite.'); $this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Can access permitted section.'); // Check forbidden section in allowed subsite. $this->getAndFollowAll("admin/assets/?SubsiteID={$subsite1->ID}"); $this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Is redirected within subsite.'); $this->assertNotRegExp('#^admin/assets/.*#', $this->mainSession->lastUrl(), 'Is redirected away from forbidden section'); // Check forbidden site, on a section that's allowed on another subsite $this->getAndFollowAll("admin/pages/?SubsiteID=0"); $this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Is redirected to permitted subsite.'); // Check forbidden site, on a section that's not allowed on any other subsite $this->getAndFollowAll("admin/assets/?SubsiteID=0"); $this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Is redirected to first permitted subsite.'); var_dump($this->mainSession->lastUrl()); $this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'Is not denied access'); // Check the standalone XHR controller. $response = $this->getAndFollowAll('SubsiteXHRController'); $this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'SubsiteXHRController is reachable'); } }