author | Frederic Guillot <fred@kanboard.net> | 2016-06-26 10:25:13 -0400 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2016-06-26 10:25:13 -0400 |
commit | 4a230d331ec220fc32a48525afb308af0d9787fa (patch) | |
tree | 514aa3d703155b7f97a2c77147c9fd74cef60f84 /tests/integration/ProcedureAuthorizationTest.php | |
parent | 922e0fb6de06a98774418612e0b0f75af72b6dbb (diff) |
Added application and project roles validation for API procedure calls
Diffstat (limited to 'tests/integration/ProcedureAuthorizationTest.php')
-rw-r--r-- | tests/integration/ProcedureAuthorizationTest.php | 306 |
1 files changed, 306 insertions, 0 deletions
diff --git a/tests/integration/ProcedureAuthorizationTest.php b/tests/integration/ProcedureAuthorizationTest.php
new file mode 100644
index 00000000..a63e9d8c
--- /dev/null
+++ b/tests/integration/ProcedureAuthorizationTest.php
@@ -0,0 +1,306 @@
+<?php
+
+require_once __DIR__.'/BaseProcedureTest.php';
+
+class ProcedureAuthorizationTest extends BaseProcedureTest
+{
+ public function testApiCredentialDoNotHaveAccessToUserCredentialProcedure()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->app->getMe();
+ }
+
+ public function testUserCredentialDoNotHaveAccessToAdminProcedures()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->getUser(1);
+ }
+
+ public function testManagerCredentialDoNotHaveAccessToAdminProcedures()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->getAllProjects();
+ }
+
+ public function testUserCredentialDoNotHaveAccessToManagerProcedures()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->createProject('Team project creation are only for app managers');
+ }
+
+ public function testAppManagerCanCreateTeamProject()
+ {
+ $this->assertNotFalse($this->manager->createProject('Team project created by app manager'));
+ }
+
+ public function testAdminManagerCanCreateTeamProject()
+ {
+ $projectId = $this->admin->createProject('Team project created by admin');
+ $this->assertNotFalse($projectId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->assertNotNull($this->manager->getProjectById($projectId));
+ }
+
+ public function testProjectManagerCanUpdateHisProject()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Team project can be updated',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertEquals('project-manager', $this->app->getProjectUserRole($projectId, $this->managerUserId));
+ $this->assertNotNull($this->manager->getProjectById($projectId));
+
+ $this->assertTrue($this->manager->updateProject($projectId, 'My team project have been updated'));
+ }
+
+ public function testProjectAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject('A team project without members');
+ $this->assertNotFalse($projectId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->getProjectById($projectId);
+ }
+
+ public function testProjectAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'A team project with members',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId));
+ $this->assertNotNull($this->user->getProjectById($projectId));
+ }
+
+ public function testActionAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $actionId = $this->manager->createAction($projectId, 'task.move.column', '\Kanboard\Action\TaskCloseColumn', array('column_id' => 1));
+ $this->assertNotFalse($actionId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeAction($projectId);
+ }
+
+ public function testActionAuthorizationForbiddenBecauseNotProjectManager()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $actionId = $this->manager->createAction($projectId, 'task.move.column', '\Kanboard\Action\TaskCloseColumn', array('column_id' => 1));
+ $this->assertNotFalse($actionId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeAction($actionId);
+ }
+
+ public function testActionAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $actionId = $this->manager->createAction($projectId, 'task.move.column', '\Kanboard\Action\TaskCloseColumn', array('column_id' => 1));
+ $this->assertNotFalse($actionId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-manager'));
+ $this->assertTrue($this->user->removeAction($actionId));
+ }
+
+ public function testCategoryAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $categoryId = $this->manager->createCategory($projectId, 'Test');
+ $this->assertNotFalse($categoryId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeCategory($categoryId);
+ }
+
+ public function testCategoryAuthorizationForbiddenBecauseNotProjectManager()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $categoryId = $this->manager->createCategory($projectId, 'Test');
+ $this->assertNotFalse($categoryId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeCategory($categoryId);
+ }
+
+ public function testCategoryAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $categoryId = $this->manager->createCategory($projectId, 'Test');
+ $this->assertNotFalse($categoryId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-manager'));
+ $this->assertTrue($this->user->removeCategory($categoryId));
+ }
+
+ public function testColumnAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $columnId = $this->manager->addColumn($projectId, 'Test');
+ $this->assertNotFalse($columnId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeColumn($columnId);
+ }
+
+ public function testColumnAuthorizationForbiddenBecauseNotProjectManager()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $columnId = $this->manager->addColumn($projectId, 'Test');
+ $this->assertNotFalse($columnId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeColumn($columnId);
+ }
+
+ public function testColumnAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $columnId = $this->manager->addColumn($projectId, 'Test');
+ $this->assertNotFalse($columnId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-manager'));
+ $this->assertTrue($this->user->removeColumn($columnId));
+ }
+
+ public function testCommentAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-viewer'));
+
+ $taskId = $this->manager->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $commentId = $this->manager->createComment($taskId, $this->userUserId, 'My comment');
+ $this->assertNotFalse($commentId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->updateComment($commentId, 'something else');
+ }
+
+ public function testCommentAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+
+ $taskId = $this->user->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $commentId = $this->user->createComment($taskId, $this->userUserId, 'My comment');
+ $this->assertNotFalse($commentId);
+
+ $this->assertTrue($this->user->updateComment($commentId, 'something else'));
+ }
+
+ public function testSubtaskAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-viewer'));
+
+ $taskId = $this->manager->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $subtaskId = $this->manager->createSubtask($taskId, 'My subtask');
+ $this->assertNotFalse($subtaskId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeSubtask($subtaskId);
+ }
+
+ public function testSubtaskAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+
+ $taskId = $this->user->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $subtaskId = $this->manager->createSubtask($taskId, 'My subtask');
+ $this->assertNotFalse($subtaskId);
+
+ $this->assertTrue($this->user->removeSubtask($subtaskId));
+ }
+} |
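Review bot: `testManagerCredentialDoNotHaveAccessToAdminProcedures` invokes `$this->user->getAllProjects()`, so it exercises the user credential a second time and never verifies that the manager role is refused admin procedures; the call should be `$this->manager->getAllProjects();`. Likewise `testActionAuthorizationForbidden` passes the project id to `$this->user->removeAction($projectId)` where the two sibling action tests pass `$actionId`, so the AccessDeniedException it expects may be raised because the identifier does not resolve to an action the user can see rather than because the role check fires; use `$this->user->removeAction($actionId);` so the test pins the intended denial. In `testAdminManagerCanCreateTeamProject` the `assertNotNull` wrapped around `$this->manager->getProjectById($projectId)` can never execute once the expected exception is thrown, so the bare statement `$this->manager->getProjectById($projectId);` expresses the intent without a misleading assertion. Each of these is a gap in the authorization coverage this commit introduces rather than a defect in the application code itself.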