From 486238b5485d61cdc4e66244632f91357d014059 Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sat, 12 Dec 2015 17:46:11 -0500
Subject: API: check project membership for task operations

---
 tests/functionals/UserApiTest.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'tests/functionals/UserApiTest.php')

diff --git a/tests/functionals/UserApiTest.php b/tests/functionals/UserApiTest.php
index 8a80c706..3c7fc04e 100644
--- a/tests/functionals/UserApiTest.php
+++ b/tests/functionals/UserApiTest.php
@@ -163,6 +163,12 @@ class UserApi extends PHPUnit_Framework_TestCase
         $this->assertEquals(2, $this->admin->createTask('my admin title', 1));
     }
 
+    public function testCreateTaskWithWrongMember()
+    {
+        $this->assertFalse($this->user->createTask(array('title' => 'something', 'project_id' => 2, 'owner_id' => 1)));
+        $this->assertFalse($this->app->createTask(array('title' => 'something', 'project_id' => 1, 'owner_id' => 2)));
+    }
+
     public function testGetTask()
     {
         $task = $this->user->getTask(1);
@@ -218,6 +224,11 @@ class UserApi extends PHPUnit_Framework_TestCase
         $this->assertTrue($this->user->moveTaskPosition(2, 1, 2, 1));
     }
 
+    public function testUpdateTaskWithWrongMember()
+    {
+        $this->assertFalse($this->user->updateTask(array('id' => 1, 'title' => 'new title', 'reference' => 'test', 'owner_id' => 1)));
+    }
+
     public function testUpdateTask()
     {
         $this->assertTrue($this->user->updateTask(array('id' => 1, 'title' => 'new title', 'reference' => 'test', 'owner_id' => 2)));
-- 
cgit v1.2.3