authorFrederic Guillot <fred@kanboard.net>2016-06-26 10:25:13 -0400
committerFrederic Guillot <fred@kanboard.net>2016-06-26 10:25:13 -0400
commit4a230d331ec220fc32a48525afb308af0d9787fa (patch)
tree514aa3d703155b7f97a2c77147c9fd74cef60f84 /tests/integration/ProcedureAuthorizationTest.php
parent922e0fb6de06a98774418612e0b0f75af72b6dbb (diff)
Added application and project roles validation for API procedure calls
Diffstat (limited to 'tests/integration/ProcedureAuthorizationTest.php')
-rw-r--r--tests/integration/ProcedureAuthorizationTest.php306
1 files changed, 306 insertions, 0 deletions
diff --git a/tests/integration/ProcedureAuthorizationTest.php b/tests/integration/ProcedureAuthorizationTest.php
new file mode 100644
index 00000000..a63e9d8c
--- /dev/null
+++ b/tests/integration/ProcedureAuthorizationTest.php
@@ -0,0 +1,306 @@
+<?php
+
+require_once __DIR__.'/BaseProcedureTest.php';
+
+class ProcedureAuthorizationTest extends BaseProcedureTest
+{
+ public function testApiCredentialDoNotHaveAccessToUserCredentialProcedure()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->app->getMe();
+ }
+
+ public function testUserCredentialDoNotHaveAccessToAdminProcedures()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->getUser(1);
+ }
+
+ public function testManagerCredentialDoNotHaveAccessToAdminProcedures()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->getAllProjects();
+ }
+
+ public function testUserCredentialDoNotHaveAccessToManagerProcedures()
+ {
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->createProject('Team project creation are only for app managers');
+ }
+
+ public function testAppManagerCanCreateTeamProject()
+ {
+ $this->assertNotFalse($this->manager->createProject('Team project created by app manager'));
+ }
+
+ public function testAdminManagerCanCreateTeamProject()
+ {
+ $projectId = $this->admin->createProject('Team project created by admin');
+ $this->assertNotFalse($projectId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->assertNotNull($this->manager->getProjectById($projectId));
+ }
+
+ public function testProjectManagerCanUpdateHisProject()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Team project can be updated',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertEquals('project-manager', $this->app->getProjectUserRole($projectId, $this->managerUserId));
+ $this->assertNotNull($this->manager->getProjectById($projectId));
+
+ $this->assertTrue($this->manager->updateProject($projectId, 'My team project have been updated'));
+ }
+
+ public function testProjectAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject('A team project without members');
+ $this->assertNotFalse($projectId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->getProjectById($projectId);
+ }
+
+ public function testProjectAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'A team project with members',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId));
+ $this->assertNotNull($this->user->getProjectById($projectId));
+ }
+
+ public function testActionAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $actionId = $this->manager->createAction($projectId, 'task.move.column', '\Kanboard\Action\TaskCloseColumn', array('column_id' => 1));
+ $this->assertNotFalse($actionId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeAction($projectId);
+ }
+
+ public function testActionAuthorizationForbiddenBecauseNotProjectManager()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $actionId = $this->manager->createAction($projectId, 'task.move.column', '\Kanboard\Action\TaskCloseColumn', array('column_id' => 1));
+ $this->assertNotFalse($actionId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeAction($actionId);
+ }
+
+ public function testActionAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $actionId = $this->manager->createAction($projectId, 'task.move.column', '\Kanboard\Action\TaskCloseColumn', array('column_id' => 1));
+ $this->assertNotFalse($actionId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-manager'));
+ $this->assertTrue($this->user->removeAction($actionId));
+ }
+
+ public function testCategoryAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $categoryId = $this->manager->createCategory($projectId, 'Test');
+ $this->assertNotFalse($categoryId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeCategory($categoryId);
+ }
+
+ public function testCategoryAuthorizationForbiddenBecauseNotProjectManager()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $categoryId = $this->manager->createCategory($projectId, 'Test');
+ $this->assertNotFalse($categoryId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeCategory($categoryId);
+ }
+
+ public function testCategoryAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $categoryId = $this->manager->createCategory($projectId, 'Test');
+ $this->assertNotFalse($categoryId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-manager'));
+ $this->assertTrue($this->user->removeCategory($categoryId));
+ }
+
+ public function testColumnAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $columnId = $this->manager->addColumn($projectId, 'Test');
+ $this->assertNotFalse($columnId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeColumn($columnId);
+ }
+
+ public function testColumnAuthorizationForbiddenBecauseNotProjectManager()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $columnId = $this->manager->addColumn($projectId, 'Test');
+ $this->assertNotFalse($columnId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeColumn($columnId);
+ }
+
+ public function testColumnAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+
+ $columnId = $this->manager->addColumn($projectId, 'Test');
+ $this->assertNotFalse($columnId);
+
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-manager'));
+ $this->assertTrue($this->user->removeColumn($columnId));
+ }
+
+ public function testCommentAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-viewer'));
+
+ $taskId = $this->manager->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $commentId = $this->manager->createComment($taskId, $this->userUserId, 'My comment');
+ $this->assertNotFalse($commentId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->updateComment($commentId, 'something else');
+ }
+
+ public function testCommentAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+
+ $taskId = $this->user->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $commentId = $this->user->createComment($taskId, $this->userUserId, 'My comment');
+ $this->assertNotFalse($commentId);
+
+ $this->assertTrue($this->user->updateComment($commentId, 'something else'));
+ }
+
+ public function testSubtaskAuthorizationForbidden()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-viewer'));
+
+ $taskId = $this->manager->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $subtaskId = $this->manager->createSubtask($taskId, 'My subtask');
+ $this->assertNotFalse($subtaskId);
+
+ $this->setExpectedException('JsonRPC\Exception\AccessDeniedException');
+ $this->user->removeSubtask($subtaskId);
+ }
+
+ public function testSubtaskAuthorizationGranted()
+ {
+ $projectId = $this->manager->createProject(array(
+ 'name' => 'Test Project',
+ 'owner_id' => $this->managerUserId,
+ ));
+
+ $this->assertNotFalse($projectId);
+ $this->assertTrue($this->manager->addProjectUser($projectId, $this->userUserId, 'project-member'));
+
+ $taskId = $this->user->createTask('My Task', $projectId);
+ $this->assertNotFalse($taskId);
+
+ $subtaskId = $this->manager->createSubtask($taskId, 'My subtask');
+ $this->assertNotFalse($subtaskId);
+
+ $this->assertTrue($this->user->removeSubtask($subtaskId));
+ }
+}
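Review bot: testManagerCredentialDoNotHaveAccessToAdminProcedures exercises the wrong credential: it calls `$this->user->getAllProjects()`, so the manager-role restriction it is named for is never checked, and a regression that let an app manager list every project would still pass; it should read `$this->user->getAllProjects();` → `$this->manager->getAllProjects();`. In testActionAuthorizationForbidden the forbidden call passes `$projectId` where `$actionId` is intended, `$this->user->removeAction($projectId);` → `$this->user->removeAction($actionId);`, so the access-denied path is currently being hit for an arbitrary id rather than for the action the test just created. In testAdminManagerCanCreateTeamProject the `assertNotNull` wrapped around `$this->manager->getProjectById($projectId)` is unreachable once setExpectedException is armed, so a bare call would state the intent more honestly; the test name also suggests a "can create", while the second half asserts that a manager cannot read an admin-owned project, which deserves a one-line comment such as `// a project created by admin without members is not visible to a non-member app manager`.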