From e9fedf3e5cd63aea4da7a71f6647ee427c62fa49 Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sat, 5 Dec 2015 20:31:27 -0500
Subject: Rewrite of the authentication and authorization system

---
 tests/units/Action/TaskAssignCurrentUserTest.php   |   2 +-
 tests/units/Auth/DatabaseAuthTest.php              |  52 ++
 tests/units/Auth/LdapTest.php                      | 697 ---------------------
 tests/units/Auth/ReverseProxyTest.php              |  37 --
 tests/units/Auth/TotpAuthTest.php                  |  63 ++
 tests/units/Base.php                               |   3 +
 tests/units/Core/Http/OAuth2Test.php               |  43 ++
 tests/units/Core/Http/RememberMeCookieTest.php     | 108 ++++
 tests/units/Core/Http/RequestTest.php              | 175 ++++++
 tests/units/Core/Ldap/ClientTest.php               |  53 +-
 tests/units/Core/Ldap/EntriesTest.php              |  55 ++
 tests/units/Core/Ldap/EntryTest.php                |  71 +++
 tests/units/Core/Ldap/LdapGroupTest.php            | 160 +++++
 tests/units/Core/Ldap/LdapUserTest.php             | 379 +++++++++++
 tests/units/Core/Ldap/QueryTest.php                |  45 +-
 tests/units/Core/Ldap/UserTest.php                 |  95 ---
 tests/units/Core/OAuth2Test.php                    |  43 --
 tests/units/Core/Security/AccessMapTest.php        |  29 +-
 .../Core/Security/AuthenticationManagerTest.php    | 150 +++++
 tests/units/Core/Security/AuthorizationTest.php    |  25 +-
 tests/units/Core/User/GroupSyncTest.php            |  30 +
 tests/units/Core/User/UserProfileTest.php          |  63 ++
 tests/units/Core/User/UserPropertyTest.php         |  60 ++
 tests/units/Core/User/UserSessionTest.php          | 144 +++++
 tests/units/Core/User/UserSyncTest.php             |  55 ++
 tests/units/Helper/UserHelperTest.php              | 261 +++++---
 tests/units/Integration/BitbucketWebhookTest.php   |  11 +-
 tests/units/Integration/GithubWebhookTest.php      |  15 +-
 tests/units/Integration/GitlabWebhookTest.php      |   7 +-
 tests/units/Model/AclTest.php                      | 296 ---------
 tests/units/Model/ActionTest.php                   |  27 +-
 tests/units/Model/AuthenticationTest.php           |  39 --
 tests/units/Model/ProjectDuplicationTest.php       |  37 +-
 tests/units/Model/ProjectGroupRoleTest.php         | 340 ++++++++++
 tests/units/Model/ProjectPermissionTest.php        | 318 ++--------
 tests/units/Model/ProjectTest.php                  |   1 -
 tests/units/Model/ProjectUserRoleTest.php          | 400 ++++++++++++
 tests/units/Model/SubtaskTest.php                  |   2 +-
 tests/units/Model/TaskCreationTest.php             |   1 -
 tests/units/Model/TaskDuplicationTest.php          |  35 +-
 tests/units/Model/TaskFinderTest.php               |   1 -
 tests/units/Model/TaskModificationTest.php         |   1 -
 tests/units/Model/TaskPermissionTest.php           |   2 +-
 tests/units/Model/TaskStatusTest.php               |   1 -
 tests/units/Model/TaskTest.php                     |   1 -
 tests/units/Model/UserLockingTest.php              |  43 ++
 tests/units/Model/UserNotificationTest.php         |  22 +-
 tests/units/Model/UserSessionTest.php              | 158 -----
 tests/units/Model/UserTest.php                     | 108 ++--
 tests/units/Notification/MailTest.php              |   1 -
 tests/units/User/DatabaseUserProviderTest.php      |  14 +
 51 files changed, 2855 insertions(+), 1924 deletions(-)
 create mode 100644 tests/units/Auth/DatabaseAuthTest.php
 delete mode 100644 tests/units/Auth/LdapTest.php
 delete mode 100644 tests/units/Auth/ReverseProxyTest.php
 create mode 100644 tests/units/Auth/TotpAuthTest.php
 create mode 100644 tests/units/Core/Http/OAuth2Test.php
 create mode 100644 tests/units/Core/Http/RememberMeCookieTest.php
 create mode 100644 tests/units/Core/Http/RequestTest.php
 create mode 100644 tests/units/Core/Ldap/EntriesTest.php
 create mode 100644 tests/units/Core/Ldap/EntryTest.php
 create mode 100644 tests/units/Core/Ldap/LdapGroupTest.php
 create mode 100644 tests/units/Core/Ldap/LdapUserTest.php
 delete mode 100644 tests/units/Core/Ldap/UserTest.php
 delete mode 100644 tests/units/Core/OAuth2Test.php
 create mode 100644 tests/units/Core/Security/AuthenticationManagerTest.php
 create mode 100644 tests/units/Core/User/GroupSyncTest.php
 create mode 100644 tests/units/Core/User/UserProfileTest.php
 create mode 100644 tests/units/Core/User/UserPropertyTest.php
 create mode 100644 tests/units/Core/User/UserSessionTest.php
 create mode 100644 tests/units/Core/User/UserSyncTest.php
 delete mode 100644 tests/units/Model/AclTest.php
 delete mode 100644 tests/units/Model/AuthenticationTest.php
 create mode 100644 tests/units/Model/ProjectGroupRoleTest.php
 create mode 100644 tests/units/Model/ProjectUserRoleTest.php
 create mode 100644 tests/units/Model/UserLockingTest.php
 delete mode 100644 tests/units/Model/UserSessionTest.php
 create mode 100644 tests/units/User/DatabaseUserProviderTest.php

(limited to 'tests/units')

diff --git a/tests/units/Action/TaskAssignCurrentUserTest.php b/tests/units/Action/TaskAssignCurrentUserTest.php
index 08176b1c..e2d1c11a 100644
--- a/tests/units/Action/TaskAssignCurrentUserTest.php
+++ b/tests/units/Action/TaskAssignCurrentUserTest.php
@@ -7,7 +7,7 @@ use Kanboard\Model\Task;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Project;
-use Kanboard\Model\UserSession;
+use Kanboard\Core\User\UserSession;
 use Kanboard\Action\TaskAssignCurrentUser;
 
 class TaskAssignCurrentUserTest extends Base
diff --git a/tests/units/Auth/DatabaseAuthTest.php b/tests/units/Auth/DatabaseAuthTest.php
new file mode 100644
index 00000000..a13b7fee
--- /dev/null
+++ b/tests/units/Auth/DatabaseAuthTest.php
@@ -0,0 +1,52 @@
+<?php
+
+require_once __DIR__.'/../Base.php';
+
+use Kanboard\Auth\DatabaseAuth;
+
+class DatabaseAuthTest extends Base
+{
+    public function testGetName()
+    {
+        $provider = new DatabaseAuth($this->container);
+        $this->assertEquals('Database', $provider->getName());
+    }
+
+    public function testAuthenticate()
+    {
+        $provider = new DatabaseAuth($this->container);
+
+        $provider->setUsername('admin');
+        $provider->setPassword('admin');
+        $this->assertTrue($provider->authenticate());
+
+        $provider->setUsername('admin');
+        $provider->setPassword('test');
+        $this->assertFalse($provider->authenticate());
+    }
+
+    public function testGetUser()
+    {
+        $provider = new DatabaseAuth($this->container);
+        $this->assertEquals(null, $provider->getUser());
+
+        $provider = new DatabaseAuth($this->container);
+        $provider->setUsername('admin');
+        $provider->setPassword('admin');
+
+        $this->assertTrue($provider->authenticate());
+        $this->assertInstanceOf('Kanboard\User\DatabaseUserProvider', $provider->getUser());
+    }
+
+    public function testIsvalidSession()
+    {
+        $provider = new DatabaseAuth($this->container);
+        $this->assertFalse($provider->isValidSession());
+
+        $this->container['sessionStorage']->user = array('id' => 1);
+        $this->assertTrue($provider->isValidSession());
+
+        $this->container['sessionStorage']->user = array('id' => 2);
+        $this->assertFalse($provider->isValidSession());
+    }
+}
diff --git a/tests/units/Auth/LdapTest.php b/tests/units/Auth/LdapTest.php
deleted file mode 100644
index bf2cec35..00000000
--- a/tests/units/Auth/LdapTest.php
+++ /dev/null
@@ -1,697 +0,0 @@
-<?php
-
-namespace Kanboard\Auth;
-
-require_once __DIR__.'/../Base.php';
-
-function ldap_connect($hostname, $port)
-{
-    return LdapTest::$functions->ldap_connect($hostname, $port);
-}
-
-function ldap_set_option()
-{
-}
-
-function ldap_bind($link_identifier, $bind_rdn, $bind_password)
-{
-    return LdapTest::$functions->ldap_bind($link_identifier, $bind_rdn, $bind_password);
-}
-
-function ldap_search($link_identifier, $base_dn, $filter, array $attributes)
-{
-    return LdapTest::$functions->ldap_search($link_identifier, $base_dn, $filter, $attributes);
-}
-
-function ldap_get_entries($link_identifier, $result_identifier)
-{
-    return LdapTest::$functions->ldap_get_entries($link_identifier, $result_identifier);
-}
-
-class LdapTest extends \Base
-{
-    public static $functions;
-    private $ldap;
-
-    public function setUp()
-    {
-        parent::setup();
-
-        self::$functions = $this
-            ->getMockBuilder('stdClass')
-            ->setMethods(array(
-                'ldap_connect',
-                'ldap_set_option',
-                'ldap_bind',
-                'ldap_search',
-                'ldap_get_entries',
-            ))
-            ->getMock();
-    }
-
-    public function tearDown()
-    {
-        parent::tearDown();
-        self::$functions = null;
-    }
-
-    public function testGetAttributes()
-    {
-        $ldap = new Ldap($this->container);
-        $this->assertCount(3, $ldap->getProfileAttributes());
-        $this->assertContains(LDAP_ACCOUNT_FULLNAME, $ldap->getProfileAttributes());
-        $this->assertContains(LDAP_ACCOUNT_EMAIL, $ldap->getProfileAttributes());
-        $this->assertContains(LDAP_ACCOUNT_MEMBEROF, $ldap->getProfileAttributes());
-    }
-
-    public function testConnectSuccess()
-    {
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapServer'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapServer')
-            ->will($this->returnValue('my_ldap_server'));
-
-        self::$functions
-            ->expects($this->once())
-            ->method('ldap_connect')
-            ->with(
-                $this->equalTo('my_ldap_server'),
-                $this->equalTo($ldap->getLdapPort())
-            )
-            ->will($this->returnValue('my_ldap_resource'));
-
-        $this->assertNotFalse($ldap->connect());
-    }
-
-    public function testConnectFailure()
-    {
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapServer'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapServer')
-            ->will($this->returnValue('my_ldap_server'));
-
-        self::$functions
-            ->expects($this->once())
-            ->method('ldap_connect')
-            ->with(
-                $this->equalTo('my_ldap_server'),
-                $this->equalTo($ldap->getLdapPort())
-            )
-            ->will($this->returnValue(false));
-
-        $this->assertFalse($ldap->connect());
-    }
-
-    public function testBindAnonymous()
-    {
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapBindType'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->any())
-            ->method('getLdapBindType')
-            ->will($this->returnValue('anonymous'));
-
-        self::$functions
-            ->expects($this->once())
-            ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo(null),
-                $this->equalTo(null)
-            )
-            ->will($this->returnValue(true));
-
-        $this->assertTrue($ldap->bind('my_ldap_connection', 'my_user', 'my_password'));
-    }
-
-    public function testBindUser()
-    {
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapUsername', 'getLdapBindType'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapUsername')
-            ->will($this->returnValue('uid=my_user'));
-
-        $ldap
-            ->expects($this->any())
-            ->method('getLdapBindType')
-            ->will($this->returnValue('user'));
-
-        self::$functions
-            ->expects($this->once())
-            ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('uid=my_user'),
-                $this->equalTo('my_password')
-            )
-            ->will($this->returnValue(true));
-
-        $this->assertTrue($ldap->bind('my_ldap_connection', 'my_user', 'my_password'));
-    }
-
-    public function testBindProxy()
-    {
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapUsername', 'getLdapPassword', 'getLdapBindType'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapUsername')
-            ->will($this->returnValue('someone'));
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapPassword')
-            ->will($this->returnValue('something'));
-
-        $ldap
-            ->expects($this->any())
-            ->method('getLdapBindType')
-            ->will($this->returnValue('proxy'));
-
-        self::$functions
-            ->expects($this->once())
-            ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('someone'),
-                $this->equalTo('something')
-            )
-            ->will($this->returnValue(true));
-
-        $this->assertTrue($ldap->bind('my_ldap_connection', 'my_user', 'my_password'));
-    }
-
-    public function testSearchSuccess()
-    {
-        $entries = array(
-            'count' => 1,
-            0 => array(
-                'count' => 2,
-                'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-                'displayname' => array(
-                    'count' => 1,
-                    0 => 'My user',
-                ),
-                'mail' => array(
-                    'count' => 2,
-                    0 => 'user1@localhost',
-                    1 => 'user2@localhost',
-                ),
-                0 => 'displayname',
-                1 => 'mail',
-            )
-        );
-
-        $expected = array(
-            'username' => 'my_user',
-            'name' => 'My user',
-            'email' => 'user1@localhost',
-            'is_admin' => 0,
-            'is_project_admin' => 0,
-            'is_ldap_user' => 1,
-        );
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapUserPattern', 'getLdapBaseDn'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapUserPattern')
-            ->will($this->returnValue('uid=my_user'));
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapBaseDn')
-            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
-
-        self::$functions
-            ->expects($this->at(0))
-            ->method('ldap_search')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('uid=my_user'),
-                $this->equalTo($ldap->getProfileAttributes())
-            )
-            ->will($this->returnValue('my_result_identifier'));
-
-        self::$functions
-            ->expects($this->at(1))
-            ->method('ldap_get_entries')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('my_result_identifier')
-            )
-            ->will($this->returnValue($entries));
-
-        self::$functions
-            ->expects($this->at(2))
-            ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('uid=my_user,ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('my_password')
-            )
-            ->will($this->returnValue(true));
-
-        $this->assertEquals($expected, $ldap->getProfile('my_ldap_connection', 'my_user', 'my_password'));
-    }
-
-    public function testSearchWithBadPassword()
-    {
-        $entries = array(
-            'count' => 1,
-            0 => array(
-                'count' => 2,
-                'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-                'displayname' => array(
-                    'count' => 1,
-                    0 => 'My user',
-                ),
-                'mail' => array(
-                    'count' => 2,
-                    0 => 'user1@localhost',
-                    1 => 'user2@localhost',
-                ),
-                0 => 'displayname',
-                1 => 'mail',
-            )
-        );
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapUserPattern', 'getLdapBaseDn'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapUserPattern')
-            ->will($this->returnValue('uid=my_user'));
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapBaseDn')
-            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
-
-        self::$functions
-            ->expects($this->at(0))
-            ->method('ldap_search')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('uid=my_user'),
-                $this->equalTo($ldap->getProfileAttributes())
-            )
-            ->will($this->returnValue('my_result_identifier'));
-
-        self::$functions
-            ->expects($this->at(1))
-            ->method('ldap_get_entries')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('my_result_identifier')
-            )
-            ->will($this->returnValue($entries));
-
-        self::$functions
-            ->expects($this->at(2))
-            ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('uid=my_user,ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('my_password')
-            )
-            ->will($this->returnValue(false));
-
-        $this->assertFalse($ldap->getProfile('my_ldap_connection', 'my_user', 'my_password'));
-    }
-
-    public function testSearchWithUserNotFound()
-    {
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getLdapUserPattern', 'getLdapBaseDn'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapUserPattern')
-            ->will($this->returnValue('uid=my_user'));
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapBaseDn')
-            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
-
-        self::$functions
-            ->expects($this->at(0))
-            ->method('ldap_search')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('uid=my_user'),
-                $this->equalTo($ldap->getProfileAttributes())
-            )
-            ->will($this->returnValue('my_result_identifier'));
-
-        self::$functions
-            ->expects($this->at(1))
-            ->method('ldap_get_entries')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('my_result_identifier')
-            )
-            ->will($this->returnValue(array()));
-
-        $this->assertFalse($ldap->getProfile('my_ldap_connection', 'my_user', 'my_password'));
-    }
-
-    public function testSuccessfulAuthentication()
-    {
-        $this->container['userSession'] = $this
-            ->getMockBuilder('\Kanboard\Model\UserSession')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('initialize'))
-            ->getMock();
-
-        $this->container['user'] = $this
-            ->getMockBuilder('\Kanboard\Model\User')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getByUsername'))
-            ->getMock();
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('findUser'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('findUser')
-            ->with(
-                $this->equalTo('user'),
-                $this->equalTo('password')
-            )
-            ->will($this->returnValue(array('username' => 'user', 'name' => 'My user', 'email' => 'user@here')));
-
-        $this->container['user']
-            ->expects($this->once())
-            ->method('getByUsername')
-            ->with(
-                $this->equalTo('user')
-            )
-            ->will($this->returnValue(array('id' => 2, 'username' => 'user', 'is_ldap_user' => 1)));
-
-        $this->container['userSession']
-            ->expects($this->once())
-            ->method('initialize');
-
-        $this->assertTrue($ldap->authenticate('user', 'password'));
-    }
-
-    public function testAuthenticationWithExistingLocalUser()
-    {
-        $this->container['userSession'] = $this
-            ->getMockBuilder('\Kanboard\Model\UserSession')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('initialize'))
-            ->getMock();
-
-        $this->container['user'] = $this
-            ->getMockBuilder('\Kanboard\Model\User')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getByUsername'))
-            ->getMock();
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('findUser'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('findUser')
-            ->with(
-                $this->equalTo('user'),
-                $this->equalTo('password')
-            )
-            ->will($this->returnValue(array('username' => 'user', 'name' => 'My user', 'email' => 'user@here')));
-
-        $this->container['user']
-            ->expects($this->once())
-            ->method('getByUsername')
-            ->with(
-                $this->equalTo('user')
-            )
-            ->will($this->returnValue(array('id' => 2, 'username' => 'user', 'is_ldap_user' => 0)));
-
-        $this->container['userSession']
-            ->expects($this->never())
-            ->method('initialize');
-
-        $this->assertFalse($ldap->authenticate('user', 'password'));
-    }
-
-    public function testAuthenticationWithAutomaticAccountCreation()
-    {
-        $ldap_profile = array('username' => 'user', 'name' => 'My user', 'email' => 'user@here');
-
-        $this->container['userSession'] = $this
-            ->getMockBuilder('\Kanboard\Model\UserSession')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('initialize'))
-            ->getMock();
-
-        $this->container['user'] = $this
-            ->getMockBuilder('\Kanboard\Model\User')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getByUsername', 'create'))
-            ->getMock();
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('findUser'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->at(0))
-            ->method('findUser')
-            ->with(
-                $this->equalTo('user'),
-                $this->equalTo('password')
-            )
-            ->will($this->returnValue($ldap_profile));
-
-        $this->container['user']
-            ->expects($this->at(0))
-            ->method('getByUsername')
-            ->with(
-                $this->equalTo('user')
-            )
-            ->will($this->returnValue(null));
-
-        $this->container['user']
-            ->expects($this->at(1))
-            ->method('create')
-            ->with(
-                $this->equalTo($ldap_profile)
-            )
-            ->will($this->returnValue(true));
-
-        $this->container['user']
-            ->expects($this->at(2))
-            ->method('getByUsername')
-            ->with(
-                $this->equalTo('user')
-            )
-            ->will($this->returnValue(array('id' => 2, 'username' => 'user', 'is_ldap_user' => 1)));
-
-        $this->container['userSession']
-            ->expects($this->once())
-            ->method('initialize');
-
-        $this->assertTrue($ldap->authenticate('user', 'password'));
-    }
-
-    public function testAuthenticationWithAutomaticAccountCreationFailed()
-    {
-        $ldap_profile = array('username' => 'user', 'name' => 'My user', 'email' => 'user@here');
-
-        $this->container['userSession'] = $this
-            ->getMockBuilder('\Kanboard\Model\UserSession')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('initialize'))
-            ->getMock();
-
-        $this->container['user'] = $this
-            ->getMockBuilder('\Kanboard\Model\User')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('getByUsername', 'create'))
-            ->getMock();
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('findUser'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->at(0))
-            ->method('findUser')
-            ->with(
-                $this->equalTo('user'),
-                $this->equalTo('password')
-            )
-            ->will($this->returnValue($ldap_profile));
-
-        $this->container['user']
-            ->expects($this->at(0))
-            ->method('getByUsername')
-            ->with(
-                $this->equalTo('user')
-            )
-            ->will($this->returnValue(null));
-
-        $this->container['user']
-            ->expects($this->at(1))
-            ->method('create')
-            ->with(
-                $this->equalTo($ldap_profile)
-            )
-            ->will($this->returnValue(false));
-
-        $this->container['userSession']
-            ->expects($this->never())
-            ->method('initialize');
-
-        $this->assertFalse($ldap->authenticate('user', 'password'));
-    }
-
-    public function testLookup()
-    {
-        $entries = array(
-            'count' => 1,
-            0 => array(
-                'count' => 2,
-                'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-                'displayname' => array(
-                    'count' => 1,
-                    0 => 'My LDAP user',
-                ),
-                'mail' => array(
-                    'count' => 2,
-                    0 => 'user1@localhost',
-                    1 => 'user2@localhost',
-                ),
-                'samaccountname' => array(
-                    'count' => 1,
-                    0 => 'my_ldap_user',
-                ),
-                0 => 'displayname',
-                1 => 'mail',
-                2 => 'samaccountname',
-            )
-        );
-
-        $expected = array(
-            'username' => 'my_ldap_user',
-            'name' => 'My LDAP user',
-            'email' => 'user1@localhost',
-            'is_admin' => 0,
-            'is_project_admin' => 0,
-            'is_ldap_user' => 1,
-        );
-
-        $ldap = $this
-            ->getMockBuilder('\Kanboard\Auth\Ldap')
-            ->setConstructorArgs(array($this->container))
-            ->setMethods(array('connect', 'getLdapUserPattern', 'getLdapBaseDn', 'getLdapAccountId'))
-            ->getMock();
-
-        $ldap
-            ->expects($this->once())
-            ->method('connect')
-            ->will($this->returnValue('my_ldap_connection'));
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapUserPattern')
-            ->will($this->returnValue('sAMAccountName=my_user'));
-
-        $ldap
-            ->expects($this->any())
-            ->method('getLdapAccountId')
-            ->will($this->returnValue('samaccountname'));
-
-        $ldap
-            ->expects($this->once())
-            ->method('getLdapBaseDn')
-            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
-
-        self::$functions
-            ->expects($this->at(0))
-            ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo(null),
-                $this->equalTo(null)
-            )
-            ->will($this->returnValue(true));
-
-        self::$functions
-            ->expects($this->at(1))
-            ->method('ldap_search')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('(&(sAMAccountName=my_user)(mail=user@localhost))'),
-                $this->equalTo($ldap->getProfileAttributes())
-            )
-            ->will($this->returnValue('my_result_identifier'));
-
-        self::$functions
-            ->expects($this->at(2))
-            ->method('ldap_get_entries')
-            ->with(
-                $this->equalTo('my_ldap_connection'),
-                $this->equalTo('my_result_identifier')
-            )
-            ->will($this->returnValue($entries));
-
-        $this->assertEquals($expected, $ldap->lookup('my_user', 'user@localhost'));
-    }
-}
diff --git a/tests/units/Auth/ReverseProxyTest.php b/tests/units/Auth/ReverseProxyTest.php
deleted file mode 100644
index 6aaa5a67..00000000
--- a/tests/units/Auth/ReverseProxyTest.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-require_once __DIR__.'/../Base.php';
-
-use Kanboard\Auth\ReverseProxy;
-use Kanboard\Model\User;
-
-class ReverseProxyTest extends Base
-{
-    public function setUp()
-    {
-        parent::setup();
-        $_SERVER = array();
-    }
-
-    public function testFailedAuthentication()
-    {
-        $auth = new ReverseProxy($this->container);
-        $this->assertFalse($auth->authenticate());
-    }
-
-    public function testSuccessfulAuthentication()
-    {
-        $_SERVER[REVERSE_PROXY_USER_HEADER] = 'my_user';
-
-        $a = new ReverseProxy($this->container);
-        $u = new User($this->container);
-
-        $this->assertTrue($a->authenticate());
-
-        $user = $u->getByUsername('my_user');
-        $this->assertNotEmpty($user);
-        $this->assertEquals(0, $user['is_admin']);
-        $this->assertEquals(1, $user['is_ldap_user']);
-        $this->assertEquals(1, $user['disable_login_form']);
-    }
-}
diff --git a/tests/units/Auth/TotpAuthTest.php b/tests/units/Auth/TotpAuthTest.php
new file mode 100644
index 00000000..fcb7ea31
--- /dev/null
+++ b/tests/units/Auth/TotpAuthTest.php
@@ -0,0 +1,63 @@
+<?php
+
+require_once __DIR__.'/../Base.php';
+
+use Kanboard\Auth\TotpAuth;
+
+class TotpAuthTest extends Base
+{
+    public function testGetName()
+    {
+        $provider = new TotpAuth($this->container);
+        $this->assertEquals('Time-based One-time Password Algorithm', $provider->getName());
+    }
+
+    public function testGetSecret()
+    {
+        $provider = new TotpAuth($this->container);
+        $secret = $provider->getSecret();
+
+        $this->assertNotEmpty($secret);
+        $this->assertEquals($secret, $provider->getSecret());
+        $this->assertEquals($secret, $provider->getSecret());
+    }
+
+    public function testSetSecret()
+    {
+        $provider = new TotpAuth($this->container);
+        $provider->setSecret('mySecret');
+        $this->assertEquals('mySecret', $provider->getSecret());
+    }
+
+    public function testGetUrl()
+    {
+        $provider = new TotpAuth($this->container);
+        $this->assertEmpty($provider->getQrCodeUrl('me'));
+        $this->assertEmpty($provider->getKeyUrl('me'));
+
+        $provider->setSecret('mySecret');
+        $this->assertEquals(
+            'https://chart.googleapis.com/chart?chs=200x200&cht=qr&chld=M|0&chl=otpauth%3A%2F%2Ftotp%2Fme%3Fsecret%3DmySecret',
+            $provider->getQrCodeUrl('me')
+        );
+
+        $this->assertEquals('otpauth://totp/me?secret=mySecret', $provider->getKeyUrl('me'));
+    }
+
+    public function testAuthentication()
+    {
+        $provider = new TotpAuth($this->container);
+
+        $secret = $provider->getSecret();
+        $this->assertNotEmpty($secret);
+
+        $provider->setCode('1234');
+        $this->assertFalse($provider->authenticate());
+
+        if (!!`which oathtool`) {
+            $code = shell_exec('oathtool --totp -b '.$secret);
+            $provider->setCode(trim($code));
+            $this->assertTrue($provider->authenticate());
+        }
+    }
+}
diff --git a/tests/units/Base.php b/tests/units/Base.php
index 6d7a97a3..4b54cdb0 100644
--- a/tests/units/Base.php
+++ b/tests/units/Base.php
@@ -75,8 +75,11 @@ abstract class Base extends PHPUnit_Framework_TestCase
         }
 
         $this->container = new Pimple\Container;
+        $this->container->register(new Kanboard\ServiceProvider\AuthenticationProvider);
         $this->container->register(new Kanboard\ServiceProvider\DatabaseProvider);
         $this->container->register(new Kanboard\ServiceProvider\ClassProvider);
+        $this->container->register(new Kanboard\ServiceProvider\NotificationProvider);
+        $this->container->register(new Kanboard\ServiceProvider\RouteProvider);
 
         $this->container['dispatcher'] = new TraceableEventDispatcher(
             new EventDispatcher,
diff --git a/tests/units/Core/Http/OAuth2Test.php b/tests/units/Core/Http/OAuth2Test.php
new file mode 100644
index 00000000..d703dd7a
--- /dev/null
+++ b/tests/units/Core/Http/OAuth2Test.php
@@ -0,0 +1,43 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Http\OAuth2;
+
+class OAuth2Test extends Base
+{
+    public function testAuthUrl()
+    {
+        $oauth = new OAuth2($this->container);
+        $oauth->createService('A', 'B', 'C', 'D', 'E', array('f', 'g'));
+        $this->assertEquals('D?response_type=code&client_id=A&redirect_uri=C&scope=f+g', $oauth->getAuthorizationUrl());
+    }
+
+    public function testAuthHeader()
+    {
+        $oauth = new OAuth2($this->container);
+        $oauth->createService('A', 'B', 'C', 'D', 'E', array('f', 'g'));
+
+        $oauth->setAccessToken('foobar', 'BeaRer');
+        $this->assertEquals('Authorization: Bearer foobar', $oauth->getAuthorizationHeader());
+
+        $oauth->setAccessToken('foobar', 'unknown');
+        $this->assertEquals('', $oauth->getAuthorizationHeader());
+    }
+
+    public function testAccessToken()
+    {
+        $oauth = new OAuth2($this->container);
+        $oauth->createService('A', 'B', 'C', 'D', 'E', array('f', 'g'));
+        $oauth->getAccessToken('something');
+
+        $data = $this->container['httpClient']->getData();
+        $this->assertEquals('something', $data['code']);
+        $this->assertEquals('A', $data['client_id']);
+        $this->assertEquals('B', $data['client_secret']);
+        $this->assertEquals('C', $data['redirect_uri']);
+        $this->assertEquals('authorization_code', $data['grant_type']);
+
+        $this->assertEquals('E', $this->container['httpClient']->getUrl());
+    }
+}
diff --git a/tests/units/Core/Http/RememberMeCookieTest.php b/tests/units/Core/Http/RememberMeCookieTest.php
new file mode 100644
index 00000000..ae5606ac
--- /dev/null
+++ b/tests/units/Core/Http/RememberMeCookieTest.php
@@ -0,0 +1,108 @@
+<?php
+
+namespace Kanboard\Core\Http;
+
+require_once __DIR__.'/../../Base.php';
+
+function setcookie($name, $value = "", $expire = 0, $path = "", $domain = "", $secure = false, $httponly = false)
+{
+    return RememberMeCookieTest::$functions->setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
+}
+
+class RememberMeCookieTest extends \Base
+{
+    public static $functions;
+
+    public function setUp()
+    {
+        parent::setup();
+
+        self::$functions = $this
+            ->getMockBuilder('stdClass')
+            ->setMethods(array(
+                'setcookie',
+            ))
+            ->getMock();
+    }
+
+    public function tearDown()
+    {
+        parent::tearDown();
+        self::$functions = null;
+    }
+
+    public function testEncode()
+    {
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertEquals('a|b', $cookie->encode('a', 'b'));
+    }
+
+    public function testDecode()
+    {
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertEquals(array('token' => 'a', 'sequence' => 'b'), $cookie->decode('a|b'));
+    }
+
+    public function testHasCookie()
+    {
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array());
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertFalse($cookie->hasCookie());
+
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array(RememberMeCookie::COOKIE_NAME => 'miam'));
+        $this->assertTrue($cookie->hasCookie());
+    }
+
+    public function testWrite()
+    {
+        self::$functions
+            ->expects($this->once())
+            ->method('setcookie')
+            ->with(
+                RememberMeCookie::COOKIE_NAME,
+                'myToken|mySequence',
+                1234,
+                '',
+                '',
+                false,
+                true
+            )
+            ->will($this->returnValue(true));
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertTrue($cookie->write('myToken', 'mySequence', 1234));
+    }
+
+    public function testRead()
+    {
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array());
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertFalse($cookie->read());
+
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array(RememberMeCookie::COOKIE_NAME => 'T|S'));
+
+        $this->assertEquals(array('token' => 'T', 'sequence' => 'S'), $cookie->read());
+    }
+
+    public function testRemove()
+    {
+        self::$functions
+            ->expects($this->once())
+            ->method('setcookie')
+            ->with(
+                RememberMeCookie::COOKIE_NAME,
+                '',
+                time() - 3600,
+                '',
+                '',
+                false,
+                true
+            )
+            ->will($this->returnValue(true));
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertTrue($cookie->remove());
+    }
+}
diff --git a/tests/units/Core/Http/RequestTest.php b/tests/units/Core/Http/RequestTest.php
new file mode 100644
index 00000000..217698f9
--- /dev/null
+++ b/tests/units/Core/Http/RequestTest.php
@@ -0,0 +1,175 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Http\Request;
+
+class RequestTest extends Base
+{
+    public function testGetStringParam()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('', $request->getStringParam('myvar'));
+
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('default', $request->getStringParam('myvar', 'default'));
+
+        $request = new Request($this->container, array(), array('myvar' => 'myvalue'), array(), array(), array());
+        $this->assertEquals('myvalue', $request->getStringParam('myvar'));
+    }
+
+    public function testGetIntegerParam()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals(0, $request->getIntegerParam('myvar'));
+
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals(5, $request->getIntegerParam('myvar', 5));
+
+        $request = new Request($this->container, array(), array('myvar' => 'myvalue'), array(), array(), array());
+        $this->assertEquals(0, $request->getIntegerParam('myvar'));
+
+        $request = new Request($this->container, array(), array('myvar' => '123'), array(), array(), array());
+        $this->assertEquals(123, $request->getIntegerParam('myvar'));
+    }
+
+    public function testGetValues()
+    {
+        $request = new Request($this->container, array(), array(), array('myvar' => 'myvalue'), array(), array());
+        $this->assertEmpty($request->getValue('myvar'));
+
+        $request = new Request($this->container, array(), array(), array('myvar' => 'myvalue', 'csrf_token' => $this->container['token']->getCSRFToken()), array(), array());
+        $this->assertEquals('myvalue', $request->getValue('myvar'));
+
+        $request = new Request($this->container, array(), array(), array('myvar' => 'myvalue', 'csrf_token' => $this->container['token']->getCSRFToken()), array(), array());
+        $this->assertEquals(array('myvar' => 'myvalue'), $request->getValues());
+    }
+
+    public function testGetFileContent()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getFileContent('myfile'));
+
+        $filename = tempnam(sys_get_temp_dir(), 'UnitTest');
+        file_put_contents($filename, 'something');
+
+        $request = new Request($this->container, array(), array(), array(), array('myfile' => array('tmp_name' => $filename)), array());
+        $this->assertEquals('something', $request->getFileContent('myfile'));
+
+        unlink($filename);
+    }
+
+    public function testGetFilePath()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getFilePath('myfile'));
+
+        $request = new Request($this->container, array(), array(), array(), array('myfile' => array('tmp_name' => 'somewhere')), array());
+        $this->assertEquals('somewhere', $request->getFilePath('myfile'));
+    }
+
+    public function testIsPost()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertFalse($request->isPost());
+
+        $request = new Request($this->container, array('REQUEST_METHOD' => 'POST'), array(), array(), array(), array());
+        $this->assertTrue($request->isPost());
+    }
+
+    public function testIsAjax()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertFalse($request->isAjax());
+
+        $request = new Request($this->container, array('HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'), array(), array(), array(), array());
+        $this->assertTrue($request->isAjax());
+    }
+
+    public function testIsHTTPS()
+    {
+        $request = new Request($this->container, array(), array(), array(), array());
+        $this->assertFalse($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => ''), array(), array(), array(), array());
+        $this->assertFalse($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => 'off'), array(), array(), array(), array());
+        $this->assertFalse($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => 'on'), array(), array(), array(), array());
+        $this->assertTrue($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => '1'), array(), array(), array(), array());
+        $this->assertTrue($request->isHTTPS());
+    }
+
+    public function testGetCookie()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getCookie('mycookie'));
+
+        $request = new Request($this->container, array(), array(), array(), array(), array('mycookie' => 'miam'));
+        $this->assertEquals('miam', $request->getCookie('mycookie'));
+    }
+
+    public function testGetHeader()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getHeader('X-Forwarded-For'));
+
+        $request = new Request($this->container, array('HTTP_X_FORWARDED_FOR' => 'test'), array(), array(), array(), array());
+        $this->assertEquals('test', $request->getHeader('X-Forwarded-For'));
+    }
+
+    public function testGetRemoteUser()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getRemoteUser());
+
+        $request = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => 'test'), array(), array(), array(), array());
+        $this->assertEquals('test', $request->getRemoteUser());
+    }
+
+    public function testGetQueryString()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getQueryString());
+
+        $request = new Request($this->container, array('QUERY_STRING' => 'k=v'), array(), array(), array(), array());
+        $this->assertEquals('k=v', $request->getQueryString());
+    }
+
+    public function testGetUri()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getUri());
+
+        $request = new Request($this->container, array('REQUEST_URI' => '/blah'), array(), array(), array(), array());
+        $this->assertEquals('/blah', $request->getUri());
+    }
+
+    public function testGetUserAgent()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('Unknown', $request->getUserAgent());
+
+        $request = new Request($this->container, array('HTTP_USER_AGENT' => 'My browser'), array(), array(), array(), array());
+        $this->assertEquals('My browser', $request->getUserAgent());
+    }
+
+    public function testGetIpAddress()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('Unknown', $request->getIpAddress());
+
+        $request = new Request($this->container, array('HTTP_X_FORWARDED_FOR' => '192.168.0.1,127.0.0.1'), array(), array(), array(), array());
+        $this->assertEquals('192.168.0.1', $request->getIpAddress());
+
+        $request = new Request($this->container, array('REMOTE_ADDR' => '192.168.0.1'), array(), array(), array(), array());
+        $this->assertEquals('192.168.0.1', $request->getIpAddress());
+
+        $request = new Request($this->container, array('REMOTE_ADDR' => ''), array(), array(), array(), array());
+        $this->assertEquals('Unknown', $request->getIpAddress());
+    }
+}
diff --git a/tests/units/Core/Ldap/ClientTest.php b/tests/units/Core/Ldap/ClientTest.php
index 7b6e983d..d149500e 100644
--- a/tests/units/Core/Ldap/ClientTest.php
+++ b/tests/units/Core/Ldap/ClientTest.php
@@ -49,6 +49,13 @@ class ClientTest extends \Base
         self::$functions = null;
     }
 
+    public function testGetLdapServerNotConfigured()
+    {
+        $this->setExpectedException('\LogicException');
+        $ldap = new Client;
+        $ldap->getLdapServer();
+    }
+
     public function testConnectSuccess()
     {
         self::$functions
@@ -61,7 +68,8 @@ class ClientTest extends \Base
             ->will($this->returnValue('my_ldap_resource'));
 
         $ldap = new Client;
-        $this->assertEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server'));
+        $ldap->open('my_ldap_server');
+        $this->assertEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testConnectFailure()
@@ -78,7 +86,8 @@ class ClientTest extends \Base
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server'));
+        $ldap->open('my_ldap_server');
+        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testConnectSuccessWithTLS()
@@ -101,7 +110,8 @@ class ClientTest extends \Base
             ->will($this->returnValue(true));
 
         $ldap = new Client;
-        $this->assertEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server', 389, true));
+        $ldap->open('my_ldap_server', 389, true);
+        $this->assertEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testConnectFailureWithTLS()
@@ -126,7 +136,8 @@ class ClientTest extends \Base
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server', 389, true));
+        $ldap->open('my_ldap_server', 389, true);
+        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testAnonymousAuthenticationSuccess()
@@ -134,13 +145,10 @@ class ClientTest extends \Base
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_resource')
-            )
             ->will($this->returnValue(true));
 
         $ldap = new Client;
-        $this->assertTrue($ldap->useAnonymousAuthentication('my_ldap_resource'));
+        $this->assertTrue($ldap->useAnonymousAuthentication());
     }
 
     public function testAnonymousAuthenticationFailure()
@@ -148,19 +156,25 @@ class ClientTest extends \Base
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_resource')
-            )
             ->will($this->returnValue(false));
 
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $ldap->useAnonymousAuthentication('my_ldap_resource');
+        $ldap->useAnonymousAuthentication();
     }
 
     public function testUserAuthenticationSuccess()
     {
+        self::$functions
+            ->expects($this->once())
+            ->method('ldap_connect')
+            ->with(
+                $this->equalTo('my_ldap_server'),
+                $this->equalTo(389)
+            )
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
@@ -172,11 +186,21 @@ class ClientTest extends \Base
             ->will($this->returnValue(true));
 
         $ldap = new Client;
-        $this->assertTrue($ldap->authenticate('my_ldap_resource', 'my_ldap_user', 'my_ldap_password'));
+        $ldap->open('my_ldap_server');
+        $this->assertTrue($ldap->authenticate('my_ldap_user', 'my_ldap_password'));
     }
 
     public function testUserAuthenticationFailure()
     {
+        self::$functions
+            ->expects($this->once())
+            ->method('ldap_connect')
+            ->with(
+                $this->equalTo('my_ldap_server'),
+                $this->equalTo(389)
+            )
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
@@ -190,6 +214,7 @@ class ClientTest extends \Base
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $ldap->authenticate('my_ldap_resource', 'my_ldap_user', 'my_ldap_password');
+        $ldap->open('my_ldap_server');
+        $ldap->authenticate('my_ldap_user', 'my_ldap_password');
     }
 }
diff --git a/tests/units/Core/Ldap/EntriesTest.php b/tests/units/Core/Ldap/EntriesTest.php
new file mode 100644
index 00000000..65025b6e
--- /dev/null
+++ b/tests/units/Core/Ldap/EntriesTest.php
@@ -0,0 +1,55 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\Entries;
+
+class EntriesTest extends Base
+{
+    private $entries = array(
+        'count' => 2,
+        0 => array(
+            'cn' => array(
+                'count' => 1,
+                0 => 'Kanboard Other Group',
+            ),
+            0 => 'cn',
+            'count' => 1,
+            'dn' => 'CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local',
+        ),
+        1 => array(
+            'cn' => array(
+                'count' => 1,
+                0 => 'Kanboard Users',
+            ),
+            0 => 'cn',
+            'count' => 1,
+            'dn' => 'CN=Kanboard Users,CN=Users,DC=kanboard,DC=local',
+        ),
+    );
+
+    public function testGetAll()
+    {
+        $entries = new Entries(array());
+        $this->assertEmpty($entries->getAll());
+
+        $entries = new Entries($this->entries);
+        $result = $entries->getAll();
+        $this->assertCount(2, $result);
+        $this->assertInstanceOf('Kanboard\Core\Ldap\Entry', $result[0]);
+        $this->assertEquals('CN=Kanboard Users,CN=Users,DC=kanboard,DC=local', $result[1]->getDn());
+        $this->assertEquals('Kanboard Users', $result[1]->getFirstValue('cn'));
+    }
+
+    public function testGetFirst()
+    {
+        $entries = new Entries(array());
+        $this->assertEquals('', $entries->getFirstEntry()->getDn());
+
+        $entries = new Entries($this->entries);
+        $result = $entries->getFirstEntry();
+        $this->assertInstanceOf('Kanboard\Core\Ldap\Entry', $result);
+        $this->assertEquals('CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local', $result->getDn());
+        $this->assertEquals('Kanboard Other Group', $result->getFirstValue('cn'));
+    }
+}
diff --git a/tests/units/Core/Ldap/EntryTest.php b/tests/units/Core/Ldap/EntryTest.php
new file mode 100644
index 00000000..45585e77
--- /dev/null
+++ b/tests/units/Core/Ldap/EntryTest.php
@@ -0,0 +1,71 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\Entry;
+
+class EntryTest extends Base
+{
+    private $entry = array(
+        'count' => 2,
+        'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
+        'displayname' => array(
+            'count' => 1,
+            0 => 'My LDAP user',
+        ),
+        'broken' => array(
+        ),
+        'mail' => array(
+            'count' => 2,
+            0 => 'user1@localhost',
+            1 => 'user2@localhost',
+        ),
+        'samaccountname' => array(
+            'count' => 1,
+            0 => 'my_ldap_user',
+        ),
+        0 => 'displayname',
+        1 => 'mail',
+        2 => 'samaccountname',
+    );
+
+    public function testGetAll()
+    {
+        $expected = array(
+            'user1@localhost',
+            'user2@localhost',
+        );
+
+        $entry = new Entry($this->entry);
+        $this->assertEquals($expected, $entry->getAll('mail'));
+        $this->assertEmpty($entry->getAll('not found'));
+        $this->assertEmpty($entry->getAll('broken'));
+    }
+
+    public function testGetFirst()
+    {
+        $entry = new Entry($this->entry);
+        $this->assertEquals('user1@localhost', $entry->getFirstValue('mail'));
+        $this->assertEquals('', $entry->getFirstValue('not found'));
+        $this->assertEquals('default', $entry->getFirstValue('not found', 'default'));
+        $this->assertEquals('default', $entry->getFirstValue('broken', 'default'));
+    }
+
+    public function testGetDn()
+    {
+        $entry = new Entry($this->entry);
+        $this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $entry->getDn());
+
+        $entry = new Entry(array());
+        $this->assertEquals('', $entry->getDn());
+    }
+
+    public function testHasValue()
+    {
+        $entry = new Entry($this->entry);
+        $this->assertTrue($entry->hasValue('mail', 'user2@localhost'));
+        $this->assertFalse($entry->hasValue('mail', 'user3@localhost'));
+        $this->assertTrue($entry->hasValue('displayname', 'My LDAP user'));
+        $this->assertFalse($entry->hasValue('displayname', 'Something else'));
+    }
+}
diff --git a/tests/units/Core/Ldap/LdapGroupTest.php b/tests/units/Core/Ldap/LdapGroupTest.php
new file mode 100644
index 00000000..3f538249
--- /dev/null
+++ b/tests/units/Core/Ldap/LdapGroupTest.php
@@ -0,0 +1,160 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\Group;
+use Kanboard\Core\Ldap\Entries;
+use Kanboard\Core\Security\Role;
+
+class LdapGroupTest extends Base
+{
+    private $query;
+    private $client;
+    private $group;
+
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->client = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Client')
+            ->setMethods(array(
+                'getConnection',
+            ))
+            ->getMock();
+
+        $this->query = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Query')
+            ->setConstructorArgs(array($this->client))
+            ->setMethods(array(
+                'execute',
+                'hasResult',
+                'getEntries',
+            ))
+            ->getMock();
+
+        $this->group = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Group')
+            ->setConstructorArgs(array($this->query))
+            ->setMethods(array(
+                'getAttributeName',
+                'getBasDn',
+            ))
+            ->getMock();
+    }
+
+    public function testGetGroups()
+    {
+        $entries = new Entries(array(
+            'count' => 2,
+            0 => array(
+                'cn' => array(
+                    'count' => 1,
+                    0 => 'Kanboard Other Group',
+                ),
+                0 => 'cn',
+                'count' => 1,
+                'dn' => 'CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local',
+            ),
+            1 => array(
+                'cn' => array(
+                    'count' => 1,
+                    0 => 'Kanboard Users',
+                ),
+                0 => 'cn',
+                'count' => 1,
+                'dn' => 'CN=Kanboard Users,CN=Users,DC=kanboard,DC=local',
+            ),
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('CN=Users,DC=kanboard,DC=local'),
+                $this->equalTo('(&(objectClass=group)(sAMAccountName=Kanboard*))')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->group
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('cn'));
+
+        $this->group
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('CN=Users,DC=kanboard,DC=local'));
+
+        $groups = $this->group->find('(&(objectClass=group)(sAMAccountName=Kanboard*))');
+        $this->assertCount(2, $groups);
+        $this->assertInstanceOf('Kanboard\Group\LdapGroupProvider', $groups[0]);
+        $this->assertInstanceOf('Kanboard\Group\LdapGroupProvider', $groups[1]);
+        $this->assertEquals('Kanboard Other Group', $groups[0]->getName());
+        $this->assertEquals('Kanboard Users', $groups[1]->getName());
+        $this->assertEquals('CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local', $groups[0]->getExternalId());
+        $this->assertEquals('CN=Kanboard Users,CN=Users,DC=kanboard,DC=local', $groups[1]->getExternalId());
+    }
+
+    public function testGetGroupsWithNoResult()
+    {
+        $entries = new Entries(array());
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('CN=Users,DC=kanboard,DC=local'),
+                $this->equalTo('(&(objectClass=group)(sAMAccountName=Kanboard*))')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(false));
+
+        $this->query
+            ->expects($this->never())
+            ->method('getEntries');
+
+        $this->group
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('cn'));
+
+        $this->group
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('CN=Users,DC=kanboard,DC=local'));
+
+        $groups = $this->group->find('(&(objectClass=group)(sAMAccountName=Kanboard*))');
+        $this->assertCount(0, $groups);
+    }
+
+    public function testGetBaseDnNotConfigured()
+    {
+        $this->setExpectedException('\LogicException');
+
+        $group = new Group($this->query);
+        $group->getBasDn();
+    }
+}
diff --git a/tests/units/Core/Ldap/LdapUserTest.php b/tests/units/Core/Ldap/LdapUserTest.php
new file mode 100644
index 00000000..2b3db1e5
--- /dev/null
+++ b/tests/units/Core/Ldap/LdapUserTest.php
@@ -0,0 +1,379 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\User;
+use Kanboard\Core\Ldap\Entries;
+use Kanboard\Core\Security\Role;
+
+class LdapUserTest extends Base
+{
+    private $query;
+    private $client;
+    private $user;
+
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->client = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Client')
+            ->setMethods(array(
+                'getConnection',
+            ))
+            ->getMock();
+
+        $this->query = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Query')
+            ->setConstructorArgs(array($this->client))
+            ->setMethods(array(
+                'execute',
+                'hasResult',
+                'getEntries',
+            ))
+            ->getMock();
+
+        $this->user = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\User')
+            ->setConstructorArgs(array($this->query))
+            ->setMethods(array(
+                'getAttributeUsername',
+                'getAttributeEmail',
+                'getAttributeName',
+                'getAttributeGroup',
+                'getGroupAdminDn',
+                'getGroupManagerDn',
+                'getBasDn',
+            ))
+            ->getMock();
+    }
+
+    public function testGetUser()
+    {
+        $entries = new Entries(array(
+            'count' => 1,
+            0 => array(
+                'count' => 2,
+                'dn' => 'uid=my_ldap_user,ou=People,dc=kanboard,dc=local',
+                'displayname' => array(
+                    'count' => 1,
+                    0 => 'My LDAP user',
+                ),
+                'mail' => array(
+                    'count' => 2,
+                    0 => 'user1@localhost',
+                    1 => 'user2@localhost',
+                ),
+                'samaccountname' => array(
+                    'count' => 1,
+                    0 => 'my_ldap_user',
+                ),
+                0 => 'displayname',
+                1 => 'mail',
+                2 => 'samaccountname',
+            )
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertInstanceOf('Kanboard\User\LdapUserProvider', $user);
+        $this->assertEquals('uid=my_ldap_user,ou=People,dc=kanboard,dc=local', $user->getDn());
+        $this->assertEquals('my_ldap_user', $user->getUsername());
+        $this->assertEquals('My LDAP user', $user->getName());
+        $this->assertEquals('user1@localhost', $user->getEmail());
+        $this->assertEquals(Role::APP_USER, $user->getRole());
+        $this->assertEquals(array(), $user->getExternalGroupIds());
+        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
+    }
+
+    public function testGetUserWithAdminRole()
+    {
+        $entries = new Entries(array(
+            'count' => 1,
+            0 => array(
+                'count' => 2,
+                'dn' => 'uid=my_ldap_user,ou=People,dc=kanboard,dc=local',
+                'displayname' => array(
+                    'count' => 1,
+                    0 => 'My LDAP user',
+                ),
+                'mail' => array(
+                    'count' => 2,
+                    0 => 'user1@localhost',
+                    1 => 'user2@localhost',
+                ),
+                'samaccountname' => array(
+                    'count' => 1,
+                    0 => 'my_ldap_user',
+                ),
+                'memberof' => array(
+                    'count' => 1,
+                    0 => 'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
+                ),
+                0 => 'displayname',
+                1 => 'mail',
+                2 => 'samaccountname',
+                3 => 'memberof',
+            )
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeGroup')
+            ->will($this->returnValue('memberof'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getGroupAdminDn')
+            ->will($this->returnValue('CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertInstanceOf('Kanboard\User\LdapUserProvider', $user);
+        $this->assertEquals('uid=my_ldap_user,ou=People,dc=kanboard,dc=local', $user->getDn());
+        $this->assertEquals('my_ldap_user', $user->getUsername());
+        $this->assertEquals('My LDAP user', $user->getName());
+        $this->assertEquals('user1@localhost', $user->getEmail());
+        $this->assertEquals(Role::APP_ADMIN, $user->getRole());
+        $this->assertEquals(array('CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local'), $user->getExternalGroupIds());
+        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
+    }
+
+    public function testGetUserWithManagerRole()
+    {
+        $entries = new Entries(array(
+            'count' => 1,
+            0 => array(
+                'count' => 2,
+                'dn' => 'uid=my_ldap_user,ou=People,dc=kanboard,dc=local',
+                'displayname' => array(
+                    'count' => 1,
+                    0 => 'My LDAP user',
+                ),
+                'mail' => array(
+                    'count' => 2,
+                    0 => 'user1@localhost',
+                    1 => 'user2@localhost',
+                ),
+                'samaccountname' => array(
+                    'count' => 1,
+                    0 => 'my_ldap_user',
+                ),
+                'memberof' => array(
+                    'count' => 2,
+                    0 => 'CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local',
+                    1 => 'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local',
+                ),
+                0 => 'displayname',
+                1 => 'mail',
+                2 => 'samaccountname',
+                3 => 'memberof',
+            )
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeGroup')
+            ->will($this->returnValue('memberof'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getGroupManagerDn')
+            ->will($this->returnValue('CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertInstanceOf('Kanboard\User\LdapUserProvider', $user);
+        $this->assertEquals('uid=my_ldap_user,ou=People,dc=kanboard,dc=local', $user->getDn());
+        $this->assertEquals('my_ldap_user', $user->getUsername());
+        $this->assertEquals('My LDAP user', $user->getName());
+        $this->assertEquals('user1@localhost', $user->getEmail());
+        $this->assertEquals(Role::APP_MANAGER, $user->getRole());
+        $this->assertEquals(array('CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local', 'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local'), $user->getExternalGroupIds());
+        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
+    }
+
+    public function testGetUserNotFound()
+    {
+        $entries = new Entries(array());
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(false));
+
+        $this->query
+            ->expects($this->never())
+            ->method('getEntries');
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertEquals(null, $user);
+    }
+
+    public function testGetBaseDnNotConfigured()
+    {
+        $this->setExpectedException('\LogicException');
+
+        $user = new User($this->query);
+        $user->getBasDn();
+    }
+}
diff --git a/tests/units/Core/Ldap/QueryTest.php b/tests/units/Core/Ldap/QueryTest.php
index 2eb3940f..b3987df0 100644
--- a/tests/units/Core/Ldap/QueryTest.php
+++ b/tests/units/Core/Ldap/QueryTest.php
@@ -17,6 +17,7 @@ function ldap_get_entries($link_identifier, $result_identifier)
 class QueryTest extends \Base
 {
     public static $functions;
+    private $client;
 
     public function setUp()
     {
@@ -29,6 +30,13 @@ class QueryTest extends \Base
                 'ldap_get_entries',
             ))
             ->getMock();
+
+        $this->client = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Client')
+            ->setMethods(array(
+                'getConnection',
+            ))
+            ->getMock();
     }
 
     public function tearDown()
@@ -58,6 +66,11 @@ class QueryTest extends \Base
             )
         );
 
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_search')
@@ -78,20 +91,25 @@ class QueryTest extends \Base
             )
             ->will($this->returnValue($entries));
 
-        $query = new Query;
-        $query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
+        $query = new Query($this->client);
+        $query->execute('ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
         $this->assertTrue($query->hasResult());
 
-        $this->assertEquals('My user', $query->getAttributeValue('displayname'));
-        $this->assertEquals('user1@localhost', $query->getAttributeValue('mail'));
-        $this->assertEquals('', $query->getAttributeValue('not_found'));
+        $this->assertEquals('My user', $query->getEntries()->getFirstEntry()->getFirstValue('displayname'));
+        $this->assertEquals('user1@localhost', $query->getEntries()->getFirstEntry()->getFirstValue('mail'));
+        $this->assertEquals('', $query->getEntries()->getFirstEntry()->getFirstValue('not_found'));
 
-        $this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $query->getAttribute('dn'));
-        $this->assertEquals(null, $query->getAttribute('missing'));
+        $this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $query->getEntries()->getFirstEntry()->getDn());
+        $this->assertEquals('', $query->getEntries()->getFirstEntry()->getFirstValue('missing'));
     }
 
     public function testExecuteQueryNotFound()
     {
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_search')
@@ -112,13 +130,18 @@ class QueryTest extends \Base
             )
             ->will($this->returnValue(array()));
 
-        $query = new Query;
-        $query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
+        $query = new Query($this->client);
+        $query->execute('ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
         $this->assertFalse($query->hasResult());
     }
 
     public function testExecuteQueryFailed()
     {
+        $this->client
+            ->expects($this->once())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_search')
@@ -130,8 +153,8 @@ class QueryTest extends \Base
             )
             ->will($this->returnValue(false));
 
-        $query = new Query;
-        $query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
+        $query = new Query($this->client);
+        $query->execute('ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
         $this->assertFalse($query->hasResult());
     }
 }
diff --git a/tests/units/Core/Ldap/UserTest.php b/tests/units/Core/Ldap/UserTest.php
deleted file mode 100644
index 56cc588c..00000000
--- a/tests/units/Core/Ldap/UserTest.php
+++ /dev/null
@@ -1,95 +0,0 @@
-<?php
-
-namespace Kanboard\Core\Ldap;
-
-require_once __DIR__.'/../../Base.php';
-
-class UserTest extends \Base
-{
-    public function testGetProfile()
-    {
-        $entries = array(
-            'count' => 1,
-            0 => array(
-                'count' => 2,
-                'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-                'displayname' => array(
-                    'count' => 1,
-                    0 => 'My LDAP user',
-                ),
-                'mail' => array(
-                    'count' => 2,
-                    0 => 'user1@localhost',
-                    1 => 'user2@localhost',
-                ),
-                'samaccountname' => array(
-                    'count' => 1,
-                    0 => 'my_ldap_user',
-                ),
-                0 => 'displayname',
-                1 => 'mail',
-                2 => 'samaccountname',
-            )
-        );
-
-        $expected = array(
-            'ldap_id' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-            'username' => 'my_ldap_user',
-            'name' => 'My LDAP user',
-            'email' => 'user1@localhost',
-            'is_admin' => 0,
-            'is_project_admin' => 0,
-            'is_ldap_user' => 1,
-        );
-
-        $query = $this
-            ->getMockBuilder('\Kanboard\Core\Ldap\Query')
-            ->setConstructorArgs(array($entries))
-            ->setMethods(array(
-                'execute',
-                'hasResult',
-            ))
-            ->getMock();
-
-        $query
-            ->expects($this->once())
-            ->method('execute')
-            ->with(
-                $this->equalTo('my_ldap_resource'),
-                $this->equalTo('ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('(uid=my_user)')
-            );
-
-        $query
-            ->expects($this->once())
-            ->method('hasResult')
-            ->will($this->returnValue(true));
-
-        $user = $this
-            ->getMockBuilder('\Kanboard\Core\Ldap\User')
-            ->setConstructorArgs(array($query))
-            ->setMethods(array(
-                'getAttributeUsername',
-                'getAttributeEmail',
-                'getAttributeName',
-            ))
-            ->getMock();
-
-        $user
-            ->expects($this->any())
-            ->method('getAttributeUsername')
-            ->will($this->returnValue('samaccountname'));
-
-        $user
-            ->expects($this->any())
-            ->method('getAttributeName')
-            ->will($this->returnValue('displayname'));
-
-        $user
-            ->expects($this->any())
-            ->method('getAttributeEmail')
-            ->will($this->returnValue('mail'));
-
-        $this->assertEquals($expected, $user->getProfile('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', '(uid=my_user)'));
-    }
-}
diff --git a/tests/units/Core/OAuth2Test.php b/tests/units/Core/OAuth2Test.php
deleted file mode 100644
index d5713608..00000000
--- a/tests/units/Core/OAuth2Test.php
+++ /dev/null
@@ -1,43 +0,0 @@
-<?php
-
-require_once __DIR__.'/../Base.php';
-
-use Kanboard\Core\OAuth2;
-
-class OAuth2Test extends Base
-{
-    public function testAuthUrl()
-    {
-        $oauth = new OAuth2($this->container);
-        $oauth->createService('A', 'B', 'C', 'D', 'E', array('f', 'g'));
-        $this->assertEquals('D?response_type=code&client_id=A&redirect_uri=C&scope=f+g', $oauth->getAuthorizationUrl());
-    }
-
-    public function testAuthHeader()
-    {
-        $oauth = new OAuth2($this->container);
-        $oauth->createService('A', 'B', 'C', 'D', 'E', array('f', 'g'));
-
-        $oauth->setAccessToken('foobar', 'BeaRer');
-        $this->assertEquals('Authorization: Bearer foobar', $oauth->getAuthorizationHeader());
-
-        $oauth->setAccessToken('foobar', 'unknown');
-        $this->assertEquals('', $oauth->getAuthorizationHeader());
-    }
-
-    public function testAccessToken()
-    {
-        $oauth = new OAuth2($this->container);
-        $oauth->createService('A', 'B', 'C', 'D', 'E', array('f', 'g'));
-        $oauth->getAccessToken('something');
-
-        $data = $this->container['httpClient']->getData();
-        $this->assertEquals('something', $data['code']);
-        $this->assertEquals('A', $data['client_id']);
-        $this->assertEquals('B', $data['client_secret']);
-        $this->assertEquals('C', $data['redirect_uri']);
-        $this->assertEquals('authorization_code', $data['grant_type']);
-
-        $this->assertEquals('E', $this->container['httpClient']->getUrl());
-    }
-}
diff --git a/tests/units/Core/Security/AccessMapTest.php b/tests/units/Core/Security/AccessMapTest.php
index ab74e036..61693ce8 100644
--- a/tests/units/Core/Security/AccessMapTest.php
+++ b/tests/units/Core/Security/AccessMapTest.php
@@ -6,17 +6,34 @@ use Kanboard\Core\Security\AccessMap;
 
 class AccessMapTest extends Base
 {
-    public function testGetRoles()
+    public function testRoleHierarchy()
+    {
+        $acl = new AccessMap;
+        $acl->setRoleHierarchy('admin', array('manager', 'user'));
+        $acl->setRoleHierarchy('manager', array('user'));
+
+        $this->assertEquals(array('admin'), $acl->getRoleHierarchy('admin'));
+        $this->assertEquals(array('manager', 'admin'), $acl->getRoleHierarchy('manager'));
+        $this->assertEquals(array('user', 'admin', 'manager'), $acl->getRoleHierarchy('user'));
+    }
+
+    public function testAddRulesAndGetRoles()
     {
         $acl = new AccessMap;
         $acl->setDefaultRole('role3');
-        $acl->add('MyController', 'myAction1', array('role1', 'role2'));
-        $acl->add('MyController', 'myAction2', array('role1'));
-        $acl->add('MyAdminController', '*', array('role2'));
+        $acl->setRoleHierarchy('role2', array('role1'));
+
+        $acl->add('MyController', 'myAction1', 'role2');
+        $acl->add('MyController', 'myAction2', 'role1');
+        $acl->add('MyAdminController', '*', 'role2');
+        $acl->add('SomethingElse', array('actionA', 'actionB'), 'role2');
 
-        $this->assertEquals(array('role1', 'role2'), $acl->getRoles('mycontroller', 'MyAction1'));
-        $this->assertEquals(array('role1'), $acl->getRoles('mycontroller', 'MyAction2'));
+        $this->assertEquals(array('role2'), $acl->getRoles('mycontroller', 'MyAction1'));
+        $this->assertEquals(array('role1', 'role2'), $acl->getRoles('mycontroller', 'MyAction2'));
         $this->assertEquals(array('role2'), $acl->getRoles('Myadmincontroller', 'MyAction'));
         $this->assertEquals(array('role3'), $acl->getRoles('AnotherController', 'ActionNotFound'));
+        $this->assertEquals(array('role2'), $acl->getRoles('somethingelse', 'actiona'));
+        $this->assertEquals(array('role2'), $acl->getRoles('somethingelse', 'actionb'));
+        $this->assertEquals(array('role3'), $acl->getRoles('somethingelse', 'actionc'));
     }
 }
diff --git a/tests/units/Core/Security/AuthenticationManagerTest.php b/tests/units/Core/Security/AuthenticationManagerTest.php
new file mode 100644
index 00000000..c2369626
--- /dev/null
+++ b/tests/units/Core/Security/AuthenticationManagerTest.php
@@ -0,0 +1,150 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Http\Request;
+use Kanboard\Core\Security\AuthenticationManager;
+use Kanboard\Auth\DatabaseAuth;
+use Kanboard\Auth\TotpAuth;
+use Kanboard\Auth\ReverseProxyAuth;
+
+class AuthenticationManagerTest extends Base
+{
+    public function testRegister()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+        $provider = $authManager->getProvider('Database');
+
+        $this->assertInstanceOf('Kanboard\Core\Security\AuthenticationProviderInterface', $provider);
+    }
+
+    public function testGetProviderNotFound()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $this->setExpectedException('LogicException');
+        $authManager->getProvider('Dababase');
+    }
+
+    public function testGetPostProviderNotFound()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $this->setExpectedException('LogicException');
+        $authManager->getPostAuthenticationProvider();
+    }
+
+    public function testGetPostProvider()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new TotpAuth($this->container));
+        $provider = $authManager->getPostAuthenticationProvider();
+
+        $this->assertInstanceOf('Kanboard\Core\Security\PostAuthenticationProviderInterface', $provider);
+    }
+
+    public function testCheckSessionWhenNobodyIsLogged()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->assertFalse($this->container['userSession']->isLogged());
+        $this->assertTrue($authManager->checkCurrentSession());
+    }
+
+    public function testCheckSessionWhenSomeoneIsLogged()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->container['sessionStorage']->user = array('id' => 1);
+
+        $this->assertTrue($this->container['userSession']->isLogged());
+        $this->assertTrue($authManager->checkCurrentSession());
+    }
+
+    public function testCheckSessionWhenNotValid()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->container['sessionStorage']->user = array('id' => 2);
+
+        $this->assertTrue($this->container['userSession']->isLogged());
+        $this->assertFalse($authManager->checkCurrentSession());
+        $this->assertFalse($this->container['userSession']->isLogged());
+    }
+
+    public function testPreAuthenticationSuccessful()
+    {
+        $this->container['request'] = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => 'admin'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new ReverseProxyAuth($this->container));
+
+        $this->assertTrue($authManager->preAuthentication());
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function testPreAuthenticationFailed()
+    {
+        $this->container['request'] = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => ''));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new ReverseProxyAuth($this->container));
+
+        $this->assertFalse($authManager->preAuthentication());
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function testPasswordAuthenticationSuccessful()
+    {
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->assertTrue($authManager->passwordAuthentication('admin', 'admin'));
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function testPasswordAuthenticationFailed()
+    {
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->assertFalse($authManager->passwordAuthentication('admin', 'wrong password'));
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function onSuccess($event)
+    {
+        $this->assertInstanceOf('Kanboard\Event\AuthSuccessEvent', $event);
+        $this->assertTrue(in_array($event->getAuthType(), array('Database', 'ReverseProxy')));
+    }
+
+    public function onFailure($event)
+    {
+        $this->assertInstanceOf('Kanboard\Event\AuthFailureEvent', $event);
+        $this->assertEquals('admin', $event->getUsername());
+    }
+}
diff --git a/tests/units/Core/Security/AuthorizationTest.php b/tests/units/Core/Security/AuthorizationTest.php
index ffeb3741..70561ad8 100644
--- a/tests/units/Core/Security/AuthorizationTest.php
+++ b/tests/units/Core/Security/AuthorizationTest.php
@@ -12,17 +12,28 @@ class AuthorizationTest extends Base
     {
         $acl = new AccessMap;
         $acl->setDefaultRole(Role::APP_USER);
-        $acl->add('MyController', 'myAction1', array(Role::APP_ADMIN, Role::APP_MANAGER));
-        $acl->add('MyController', 'myAction2', array(Role::APP_ADMIN));
-        $acl->add('MyAdminController', '*', array(Role::APP_MANAGER));
+        $acl->setRoleHierarchy(Role::APP_ADMIN, array(Role::APP_MANAGER, Role::APP_USER));
+        $acl->setRoleHierarchy(Role::APP_MANAGER, array(Role::APP_USER));
+
+        $acl->add('MyController', 'myAction1', Role::APP_MANAGER);
+        $acl->add('MyController', 'myAction2', Role::APP_ADMIN);
+        $acl->add('MyManagerController', '*', Role::APP_MANAGER);
 
         $authorization = new Authorization($acl);
+
         $this->assertTrue($authorization->isAllowed('myController', 'myAction1', Role::APP_ADMIN));
         $this->assertTrue($authorization->isAllowed('myController', 'myAction1', Role::APP_MANAGER));
         $this->assertFalse($authorization->isAllowed('myController', 'myAction1', Role::APP_USER));
-        $this->assertTrue($authorization->isAllowed('anotherController', 'anotherAction', Role::APP_USER));
-        $this->assertTrue($authorization->isAllowed('MyAdminController', 'myAction', Role::APP_MANAGER));
-        $this->assertFalse($authorization->isAllowed('MyAdminController', 'myAction', Role::APP_ADMIN));
-        $this->assertFalse($authorization->isAllowed('MyAdminController', 'myAction', 'something else'));
+        $this->assertFalse($authorization->isAllowed('myController', 'myAction1', 'something else'));
+
+        $this->assertTrue($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_ADMIN));
+        $this->assertTrue($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_MANAGER));
+        $this->assertFalse($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_USER));
+        $this->assertFalse($authorization->isAllowed('MyManagerController', 'myAction', 'something else'));
+
+        $this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_ADMIN));
+        $this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_MANAGER));
+        $this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_USER));
+        $this->assertFalse($authorization->isAllowed('MyUserController', 'myAction', 'something else'));
     }
 }
diff --git a/tests/units/Core/User/GroupSyncTest.php b/tests/units/Core/User/GroupSyncTest.php
new file mode 100644
index 00000000..e22b86d4
--- /dev/null
+++ b/tests/units/Core/User/GroupSyncTest.php
@@ -0,0 +1,30 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\User\GroupSync;
+use Kanboard\Model\Group;
+use Kanboard\Model\GroupMember;
+
+class GroupSyncTest extends Base
+{
+    public function testSynchronize()
+    {
+        $group = new Group($this->container);
+        $groupMember = new GroupMember($this->container);
+        $groupSync = new GroupSync($this->container);
+
+        $this->assertEquals(1, $group->create('My Group 1', 'externalId1'));
+        $this->assertEquals(2, $group->create('My Group 2', 'externalId2'));
+
+        $this->assertTrue($groupMember->addUser(1, 1));
+
+        $this->assertTrue($groupMember->isMember(1, 1));
+        $this->assertFalse($groupMember->isMember(2, 1));
+
+        $groupSync->synchronize(1, array('externalId1', 'externalId2', 'externalId3'));
+
+        $this->assertTrue($groupMember->isMember(1, 1));
+        $this->assertTrue($groupMember->isMember(2, 1));
+    }
+}
diff --git a/tests/units/Core/User/UserProfileTest.php b/tests/units/Core/User/UserProfileTest.php
new file mode 100644
index 00000000..4886a945
--- /dev/null
+++ b/tests/units/Core/User/UserProfileTest.php
@@ -0,0 +1,63 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Security\Role;
+use Kanboard\Core\User\UserProfile;
+use Kanboard\User\LdapUserProvider;
+use Kanboard\User\DatabaseUserProvider;
+
+class UserProfileTest extends Base
+{
+    public function testInitializeLocalUser()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new DatabaseUserProvider(array('id' => 1));
+
+        $this->assertTrue($userProfile->initialize($user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals('admin', $this->container['sessionStorage']->user['username']);
+    }
+
+    public function testInitializeLocalUserNotFound()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new DatabaseUserProvider(array('id' => 2));
+
+        $this->assertFalse($userProfile->initialize($user));
+        $this->assertFalse(isset($this->container['sessionStorage']->user));
+    }
+
+    public function testInitializeRemoteUser()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+
+        $this->assertTrue($userProfile->initialize($user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals(2, $this->container['sessionStorage']->user['id']);
+        $this->assertEquals('bob', $this->container['sessionStorage']->user['username']);
+        $this->assertEquals(Role::APP_MANAGER, $this->container['sessionStorage']->user['role']);
+
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+
+        $this->assertTrue($userProfile->initialize($user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals(2, $this->container['sessionStorage']->user['id']);
+        $this->assertEquals('bob', $this->container['sessionStorage']->user['username']);
+    }
+
+    public function testAssignRemoteUser()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+
+        $this->assertTrue($userProfile->assign(1, $user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals(1, $this->container['sessionStorage']->user['id']);
+        $this->assertEquals('admin', $this->container['sessionStorage']->user['username']);
+        $this->assertEquals('Bob', $this->container['sessionStorage']->user['name']);
+        $this->assertEquals('', $this->container['sessionStorage']->user['email']);
+        $this->assertEquals(Role::APP_ADMIN, $this->container['sessionStorage']->user['role']);
+    }
+}
diff --git a/tests/units/Core/User/UserPropertyTest.php b/tests/units/Core/User/UserPropertyTest.php
new file mode 100644
index 00000000..170eab4c
--- /dev/null
+++ b/tests/units/Core/User/UserPropertyTest.php
@@ -0,0 +1,60 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Security\Role;
+use Kanboard\Core\User\UserProperty;
+use Kanboard\User\LdapUserProvider;
+
+class UserPropertyTest extends Base
+{
+    public function testGetProperties()
+    {
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_USER, array());
+
+        $expected = array(
+            'username' => 'bob',
+            'name' => 'Bob',
+            'role' => Role::APP_USER,
+            'is_ldap_user' => 1,
+        );
+
+        $this->assertEquals($expected, UserProperty::getProperties($user));
+
+        $user = new LdapUserProvider('ldapId', 'bob', '', '', '', array());
+
+        $expected = array(
+            'username' => 'bob',
+            'is_ldap_user' => 1,
+        );
+
+        $this->assertEquals($expected, UserProperty::getProperties($user));
+    }
+
+    public function testFilterProperties()
+    {
+        $profile = array(
+            'id' => 123,
+            'username' => 'bob',
+            'name' => null,
+            'email' => '',
+            'other_column' => 'myvalue',
+            'role' => Role::APP_ADMIN,
+        );
+
+        $properties = array(
+            'external_id' => '456',
+            'username' => 'bobby',
+            'name' => 'Bobby',
+            'email' => 'admin@localhost',
+            'role' => '',
+        );
+
+        $expected = array(
+            'name' => 'Bobby',
+            'email' => 'admin@localhost',
+        );
+
+        $this->assertEquals($expected, UserProperty::filterProperties($profile, $properties));
+    }
+}
diff --git a/tests/units/Core/User/UserSessionTest.php b/tests/units/Core/User/UserSessionTest.php
new file mode 100644
index 00000000..64413f98
--- /dev/null
+++ b/tests/units/Core/User/UserSessionTest.php
@@ -0,0 +1,144 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\User\UserSession;
+use Kanboard\Core\Security\Role;
+
+class UserSessionTest extends Base
+{
+    public function testInitialize()
+    {
+        $us = new UserSession($this->container);
+
+        $user = array(
+            'id' => '123',
+            'username' => 'john',
+            'password' => 'something',
+            'twofactor_secret' => 'something else',
+            'is_admin' => '1',
+            'is_project_admin' => '0',
+            'is_ldap_user' => '0',
+            'twofactor_activated' => '0',
+            'role' => Role::APP_MANAGER,
+        );
+
+        $us->initialize($user);
+
+        $session = $this->container['sessionStorage']->getAll();
+
+        $this->assertNotEmpty($session);
+        $this->assertEquals(123, $session['user']['id']);
+        $this->assertEquals('john', $session['user']['username']);
+        $this->assertEquals(Role::APP_MANAGER, $session['user']['role']);
+        $this->assertFalse($session['user']['is_ldap_user']);
+        $this->assertFalse($session['user']['twofactor_activated']);
+        $this->assertArrayNotHasKey('password', $session['user']);
+        $this->assertArrayNotHasKey('twofactor_secret', $session['user']);
+        $this->assertArrayNotHasKey('is_admin', $session['user']);
+        $this->assertArrayNotHasKey('is_project_admin', $session['user']);
+
+        $this->assertEquals('john', $us->getUsername());
+    }
+
+    public function testGetId()
+    {
+        $us = new UserSession($this->container);
+
+        $this->assertEquals(0, $us->getId());
+
+        $this->container['sessionStorage']->user = array('id' => 2);
+        $this->assertEquals(2, $us->getId());
+
+        $this->container['sessionStorage']->user = array('id' => '2');
+        $this->assertEquals(2, $us->getId());
+    }
+
+    public function testIsLogged()
+    {
+        $us = new UserSession($this->container);
+
+        $this->assertFalse($us->isLogged());
+
+        $this->container['sessionStorage']->user = array();
+        $this->assertFalse($us->isLogged());
+
+        $this->container['sessionStorage']->user = array('id' => 1);
+        $this->assertTrue($us->isLogged());
+    }
+
+    public function testIsAdmin()
+    {
+        $us = new UserSession($this->container);
+
+        $this->assertFalse($us->isAdmin());
+
+        $this->container['sessionStorage']->user = array('role' => Role::APP_ADMIN);
+        $this->assertTrue($us->isAdmin());
+
+        $this->container['sessionStorage']->user = array('role' => Role::APP_USER);
+        $this->assertFalse($us->isAdmin());
+
+        $this->container['sessionStorage']->user = array('role' => '');
+        $this->assertFalse($us->isAdmin());
+    }
+
+    public function testCommentSorting()
+    {
+        $us = new UserSession($this->container);
+        $this->assertEquals('ASC', $us->getCommentSorting());
+
+        $us->setCommentSorting('DESC');
+        $this->assertEquals('DESC', $us->getCommentSorting());
+    }
+
+    public function testBoardCollapseMode()
+    {
+        $us = new UserSession($this->container);
+        $this->assertFalse($us->isBoardCollapsed(2));
+
+        $us->setBoardDisplayMode(3, false);
+        $this->assertFalse($us->isBoardCollapsed(3));
+
+        $us->setBoardDisplayMode(3, true);
+        $this->assertTrue($us->isBoardCollapsed(3));
+    }
+
+    public function testFilters()
+    {
+        $us = new UserSession($this->container);
+        $this->assertEquals('status:open', $us->getFilters(1));
+
+        $us->setFilters(1, 'assignee:me');
+        $this->assertEquals('assignee:me', $us->getFilters(1));
+
+        $this->assertEquals('status:open', $us->getFilters(2));
+
+        $us->setFilters(2, 'assignee:bob');
+        $this->assertEquals('assignee:bob', $us->getFilters(2));
+    }
+
+    public function testPostAuthentication()
+    {
+        $us = new UserSession($this->container);
+        $this->assertFalse($us->isPostAuthenticationValidated());
+
+        $this->container['sessionStorage']->postAuthenticationValidated = false;
+        $this->assertFalse($us->isPostAuthenticationValidated());
+
+        $us->validatePostAuthentication();
+        $this->assertTrue($us->isPostAuthenticationValidated());
+
+        $this->container['sessionStorage']->user = array();
+        $this->assertFalse($us->hasPostAuthentication());
+
+        $this->container['sessionStorage']->user = array('twofactor_activated' => false);
+        $this->assertFalse($us->hasPostAuthentication());
+
+        $this->container['sessionStorage']->user = array('twofactor_activated' => true);
+        $this->assertTrue($us->hasPostAuthentication());
+
+        $us->disablePostAuthentication();
+        $this->assertFalse($us->hasPostAuthentication());
+    }
+}
diff --git a/tests/units/Core/User/UserSyncTest.php b/tests/units/Core/User/UserSyncTest.php
new file mode 100644
index 00000000..e7ce42b2
--- /dev/null
+++ b/tests/units/Core/User/UserSyncTest.php
@@ -0,0 +1,55 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Security\Role;
+use Kanboard\Core\User\UserSync;
+use Kanboard\User\LdapUserProvider;
+
+class UserSyncTest extends Base
+{
+    public function testSynchronizeNewUser()
+    {
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+        $userSync = new UserSync($this->container);
+
+        $profile = array(
+            'id' => 2,
+            'username' => 'bob',
+            'name' => 'Bob',
+            'email' => '',
+            'role' => Role::APP_MANAGER,
+            'is_ldap_user' => 1,
+        );
+
+        $this->assertArraySubset($profile, $userSync->synchronize($user));
+    }
+
+    public function testSynchronizeExistingUser()
+    {
+        $userSync = new UserSync($this->container);
+        $user = new LdapUserProvider('ldapId', 'admin', 'Admin', 'email@localhost', Role::APP_MANAGER, array());
+
+        $profile = array(
+            'id' => 1,
+            'username' => 'admin',
+            'name' => 'Admin',
+            'email' => 'email@localhost',
+            'role' => Role::APP_MANAGER,
+        );
+
+        $this->assertArraySubset($profile, $userSync->synchronize($user));
+
+        $user = new LdapUserProvider('ldapId', 'admin', '', '', Role::APP_ADMIN, array());
+
+        $profile = array(
+            'id' => 1,
+            'username' => 'admin',
+            'name' => 'Admin',
+            'email' => 'email@localhost',
+            'role' => Role::APP_ADMIN,
+        );
+
+        $this->assertArraySubset($profile, $userSync->synchronize($user));
+    }
+}
diff --git a/tests/units/Helper/UserHelperTest.php b/tests/units/Helper/UserHelperTest.php
index eba977ee..2b503157 100644
--- a/tests/units/Helper/UserHelperTest.php
+++ b/tests/units/Helper/UserHelperTest.php
@@ -4,172 +4,227 @@ require_once __DIR__.'/../Base.php';
 
 use Kanboard\Helper\User;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\User as UserModel;
+use Kanboard\Core\Security\Role;
 
 class UserHelperTest extends Base
 {
     public function testInitials()
     {
-        $h = new User($this->container);
+        $helper = new User($this->container);
 
-        $this->assertEquals('CN', $h->getInitials('chuck norris'));
-        $this->assertEquals('A', $h->getInitials('admin'));
+        $this->assertEquals('CN', $helper->getInitials('chuck norris'));
+        $this->assertEquals('A', $helper->getInitials('admin'));
     }
 
-    public function testIsProjectAdministrationAllowedForProjectAdmin()
+    public function testGetRoleName()
     {
-        $h = new User($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new UserModel($this->container);
-
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
+        $helper = new User($this->container);
+        $this->assertEquals('Administrator', $helper->getRoleName(Role::APP_ADMIN));
+        $this->assertEquals('Manager', $helper->getRoleName(Role::APP_MANAGER));
+        $this->assertEquals('Project Viewer', $helper->getRoleName(Role::PROJECT_VIEWER));
+    }
 
-        // We create a project and set our user as project manager
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
+    public function testHasAccessForAdmins()
+    {
+        $helper = new User($this->container);
 
-        // We fake a session for him
         $this->container['sessionStorage']->user = array(
             'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => true,
+            'role' => Role::APP_ADMIN,
         );
 
-        $this->assertTrue($h->isProjectAdministrationAllowed(1));
+        $this->assertTrue($helper->hasAccess('user', 'create'));
+        $this->assertTrue($helper->hasAccess('project', 'create'));
+        $this->assertTrue($helper->hasAccess('project', 'createPrivate'));
     }
 
-    public function testIsProjectAdministrationAllowedForProjectMember()
+    public function testHasAccessForManagers()
     {
-        $h = new User($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new UserModel($this->container);
-
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create a project and set our user as project member
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
+        $helper = new User($this->container);
 
-        // We fake a session for him
         $this->container['sessionStorage']->user = array(
             'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => false,
+            'role' => Role::APP_MANAGER,
         );
 
-        $this->assertFalse($h->isProjectAdministrationAllowed(1));
+        $this->assertFalse($helper->hasAccess('user', 'create'));
+        $this->assertTrue($helper->hasAccess('project', 'create'));
+        $this->assertTrue($helper->hasAccess('project', 'createPrivate'));
     }
 
-    public function testIsProjectAdministrationAllowedForProjectManager()
+    public function testHasAccessForUsers()
     {
-        $h = new User($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new UserModel($this->container);
+        $helper = new User($this->container);
 
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
+        $this->container['sessionStorage']->user = array(
+            'id' => 2,
+            'role' => Role::APP_USER,
+        );
+
+        $this->assertFalse($helper->hasAccess('user', 'create'));
+        $this->assertFalse($helper->hasAccess('project', 'create'));
+        $this->assertTrue($helper->hasAccess('project', 'createPrivate'));
+    }
 
-        // We create a project and set our user as project member
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addManager(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertTrue($pp->isManager(1, 2));
+    public function testHasProjectAccessForAdmins()
+    {
+        $helper = new User($this->container);
+        $project = new Project($this->container);
 
-        // We fake a session for him
         $this->container['sessionStorage']->user = array(
             'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => false,
+            'role' => Role::APP_ADMIN,
         );
 
-        $this->assertFalse($h->isProjectAdministrationAllowed(1));
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
+
+        $this->assertTrue($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertTrue($helper->hasProjectAccess('board', 'show', 1));
     }
 
-    public function testIsProjectManagementAllowedForProjectAdmin()
+    public function testHasProjectAccessForManagers()
     {
-        $h = new User($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new UserModel($this->container);
+        $helper = new User($this->container);
+        $project = new Project($this->container);
+
+        $this->container['sessionStorage']->user = array(
+            'id' => 2,
+            'role' => Role::APP_MANAGER,
+        );
 
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
 
-        // We create a project and set our user as project manager
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertFalse($helper->hasProjectAccess('board', 'show', 1));
+    }
+
+    public function testHasProjectAccessForUsers()
+    {
+        $helper = new User($this->container);
+        $project = new Project($this->container);
 
-        // We fake a session for him
         $this->container['sessionStorage']->user = array(
             'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => true,
+            'role' => Role::APP_USER,
         );
 
-        $this->assertTrue($h->isProjectManagementAllowed(1));
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
+
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertFalse($helper->hasProjectAccess('board', 'show', 1));
     }
 
-    public function testIsProjectManagementAllowedForProjectMember()
+    public function testHasProjectAccessForAppManagerAndProjectManagers()
     {
-        $h = new User($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new UserModel($this->container);
+        $helper = new User($this->container);
+        $user = new UserModel($this->container);
+        $project = new Project($this->container);
+        $projectUserRole = new ProjectUserRole($this->container);
 
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
+        $this->container['sessionStorage']->user = array(
+            'id' => 2,
+            'role' => Role::APP_MANAGER,
+        );
+
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $user->create(array('username' => 'user')));
+        $this->assertTrue($projectUserRole->addUser(1, 2, Role::PROJECT_MANAGER));
+
+        $this->assertTrue($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertTrue($helper->hasProjectAccess('board', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('task', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('taskcreation', 'save', 1));
 
-        // We create a project and set our user as project member
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 2));
+        $this->assertFalse($helper->hasProjectAccess('board', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('task', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('taskcreation', 'save', 2));
+    }
+
+    public function testHasProjectAccessForProjectManagers()
+    {
+        $helper = new User($this->container);
+        $user = new UserModel($this->container);
+        $project = new Project($this->container);
+        $projectUserRole = new ProjectUserRole($this->container);
 
-        // We fake a session for him
         $this->container['sessionStorage']->user = array(
             'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => false,
+            'role' => Role::APP_USER,
         );
 
-        $this->assertFalse($h->isProjectManagementAllowed(1));
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $user->create(array('username' => 'user')));
+        $this->assertTrue($projectUserRole->addUser(1, 2, Role::PROJECT_MANAGER));
+
+        $this->assertTrue($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertTrue($helper->hasProjectAccess('board', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('task', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('taskcreation', 'save', 1));
+
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 2));
+        $this->assertFalse($helper->hasProjectAccess('board', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('task', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('taskcreation', 'save', 2));
     }
 
-    public function testIsProjectManagementAllowedForProjectManager()
+    public function testHasProjectAccessForProjectMembers()
     {
-        $h = new User($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new UserModel($this->container);
+        $helper = new User($this->container);
+        $user = new UserModel($this->container);
+        $project = new Project($this->container);
+        $projectUserRole = new ProjectUserRole($this->container);
 
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
+        $this->container['sessionStorage']->user = array(
+            'id' => 2,
+            'role' => Role::APP_USER,
+        );
+
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $user->create(array('username' => 'user')));
+        $this->assertTrue($projectUserRole->addUser(1, 2, Role::PROJECT_MEMBER));
+
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertTrue($helper->hasProjectAccess('board', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('task', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('taskcreation', 'save', 1));
 
-        // We create a project and set our user as project member
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addManager(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertTrue($pp->isManager(1, 2));
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 2));
+        $this->assertFalse($helper->hasProjectAccess('board', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('task', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('taskcreation', 'save', 2));
+    }
+
+    public function testHasProjectAccessForProjectViewers()
+    {
+        $helper = new User($this->container);
+        $user = new UserModel($this->container);
+        $project = new Project($this->container);
+        $projectUserRole = new ProjectUserRole($this->container);
 
-        // We fake a session for him
         $this->container['sessionStorage']->user = array(
             'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => false,
+            'role' => Role::APP_USER,
         );
 
-        $this->assertTrue($h->isProjectManagementAllowed(1));
+        $this->assertEquals(1, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $project->create(array('name' => 'My project')));
+        $this->assertEquals(2, $user->create(array('username' => 'user')));
+        $this->assertTrue($projectUserRole->addUser(1, 2, Role::PROJECT_VIEWER));
+
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 1));
+        $this->assertTrue($helper->hasProjectAccess('board', 'show', 1));
+        $this->assertTrue($helper->hasProjectAccess('task', 'show', 1));
+        $this->assertFalse($helper->hasProjectAccess('taskcreation', 'save', 1));
+
+        $this->assertFalse($helper->hasProjectAccess('project', 'edit', 2));
+        $this->assertFalse($helper->hasProjectAccess('board', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('task', 'show', 2));
+        $this->assertFalse($helper->hasProjectAccess('taskcreation', 'save', 2));
     }
 }
diff --git a/tests/units/Integration/BitbucketWebhookTest.php b/tests/units/Integration/BitbucketWebhookTest.php
index 1a3b005b..40dbde2e 100644
--- a/tests/units/Integration/BitbucketWebhookTest.php
+++ b/tests/units/Integration/BitbucketWebhookTest.php
@@ -6,8 +6,9 @@ use Kanboard\Integration\BitbucketWebhook;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\User;
+use Kanboard\Core\Security\Role;
 
 class BitbucketWebhookTest extends Base
 {
@@ -108,8 +109,8 @@ class BitbucketWebhookTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'minicoders')));
 
-        $pp = new ProjectPermission($this->container);
-        $this->assertTrue($pp->addMember(1, 2));
+        $pp = new ProjectUserRole($this->container);
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $g = new BitbucketWebhook($this->container);
         $g->setProjectId(1);
@@ -232,8 +233,8 @@ class BitbucketWebhookTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'minicoders')));
 
-        $pp = new ProjectPermission($this->container);
-        $this->assertTrue($pp->addMember(1, 2));
+        $pp = new ProjectUserRole($this->container);
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $g = new BitbucketWebhook($this->container);
         $g->setProjectId(1);
diff --git a/tests/units/Integration/GithubWebhookTest.php b/tests/units/Integration/GithubWebhookTest.php
index d64e783e..f00e5dde 100644
--- a/tests/units/Integration/GithubWebhookTest.php
+++ b/tests/units/Integration/GithubWebhookTest.php
@@ -6,8 +6,9 @@ use Kanboard\Integration\GithubWebhook;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\User;
+use Kanboard\Core\Security\Role;
 
 class GithubWebhookTest extends Base
 {
@@ -40,8 +41,8 @@ class GithubWebhookTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'fguillot')));
 
-        $pp = new ProjectPermission($this->container);
-        $this->assertTrue($pp->addMember(1, 2));
+        $pp = new ProjectUserRole($this->container);
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $g = new GithubWebhook($this->container);
         $g->setProjectId(1);
@@ -111,8 +112,8 @@ class GithubWebhookTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'fguillot')));
 
-        $pp = new ProjectPermission($this->container);
-        $this->assertTrue($pp->addMember(1, 2));
+        $pp = new ProjectUserRole($this->container);
+        $this->assertTrue($pp->addUser(1, 2, ROLE::PROJECT_MANAGER));
 
         $g = new GithubWebhook($this->container);
         $g->setProjectId(1);
@@ -323,8 +324,8 @@ class GithubWebhookTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'fguillot')));
 
-        $pp = new ProjectPermission($this->container);
-        $this->assertTrue($pp->addMember(1, 2));
+        $pp = new ProjectUserRole($this->container);
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $g = new GithubWebhook($this->container);
         $g->setProjectId(1);
diff --git a/tests/units/Integration/GitlabWebhookTest.php b/tests/units/Integration/GitlabWebhookTest.php
index fa05f292..3e0e6d2c 100644
--- a/tests/units/Integration/GitlabWebhookTest.php
+++ b/tests/units/Integration/GitlabWebhookTest.php
@@ -6,8 +6,9 @@ use Kanboard\Integration\GitlabWebhook;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\User;
+use Kanboard\Core\Security\Role;
 
 class GitlabWebhookTest extends Base
 {
@@ -179,8 +180,8 @@ class GitlabWebhookTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'minicoders')));
 
-        $pp = new ProjectPermission($this->container);
-        $this->assertTrue($pp->addMember(1, 2));
+        $pp = new ProjectUserRole($this->container);
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $g = new GitlabWebhook($this->container);
         $g->setProjectId(1);
diff --git a/tests/units/Model/AclTest.php b/tests/units/Model/AclTest.php
deleted file mode 100644
index afda446b..00000000
--- a/tests/units/Model/AclTest.php
+++ /dev/null
@@ -1,296 +0,0 @@
-<?php
-
-require_once __DIR__.'/../Base.php';
-
-use Kanboard\Model\Acl;
-use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
-use Kanboard\Model\User;
-
-class AclTest extends Base
-{
-    public function testMatchAcl()
-    {
-        $acl_rules = array(
-            'controller1' => array('action1', 'action3'),
-            'controller3' => '*',
-            'controller5' => '-',
-            'controller6' => array(),
-            'controllera' => '*',
-        );
-
-        $acl = new Acl($this->container);
-        $this->assertTrue($acl->matchAcl($acl_rules, 'controller1', 'aCtiOn1'));
-        $this->assertTrue($acl->matchAcl($acl_rules, 'controller1', 'action1'));
-        $this->assertTrue($acl->matchAcl($acl_rules, 'controller1', 'action3'));
-        $this->assertFalse($acl->matchAcl($acl_rules, 'controller1', 'action2'));
-        $this->assertFalse($acl->matchAcl($acl_rules, 'controller2', 'action2'));
-        $this->assertFalse($acl->matchAcl($acl_rules, 'controller2', 'action3'));
-        $this->assertTrue($acl->matchAcl($acl_rules, 'controller3', 'anything'));
-        $this->assertFalse($acl->matchAcl($acl_rules, 'controller4', 'anything'));
-        $this->assertFalse($acl->matchAcl($acl_rules, 'controller5', 'anything'));
-        $this->assertFalse($acl->matchAcl($acl_rules, 'controller6', 'anything'));
-        $this->assertTrue($acl->matchAcl($acl_rules, 'ControllerA', 'anything'));
-        $this->assertTrue($acl->matchAcl($acl_rules, 'controllera', 'anything'));
-    }
-
-    public function testPublicActions()
-    {
-        $acl = new Acl($this->container);
-        $this->assertTrue($acl->isPublicAction('task', 'readonly'));
-        $this->assertTrue($acl->isPublicAction('board', 'readonly'));
-        $this->assertFalse($acl->isPublicAction('board', 'show'));
-        $this->assertTrue($acl->isPublicAction('feed', 'project'));
-        $this->assertTrue($acl->isPublicAction('feed', 'user'));
-        $this->assertTrue($acl->isPublicAction('ical', 'project'));
-        $this->assertTrue($acl->isPublicAction('ical', 'user'));
-        $this->assertTrue($acl->isPublicAction('oauth', 'github'));
-        $this->assertTrue($acl->isPublicAction('oauth', 'google'));
-        $this->assertTrue($acl->isPublicAction('auth', 'login'));
-        $this->assertTrue($acl->isPublicAction('auth', 'check'));
-        $this->assertTrue($acl->isPublicAction('auth', 'captcha'));
-    }
-
-    public function testAdminActions()
-    {
-        $acl = new Acl($this->container);
-        $this->assertFalse($acl->isAdminAction('board', 'show'));
-        $this->assertFalse($acl->isAdminAction('task', 'show'));
-        $this->assertTrue($acl->isAdminAction('config', 'api'));
-        $this->assertTrue($acl->isAdminAction('config', 'anything'));
-        $this->assertTrue($acl->isAdminAction('config', 'anything'));
-        $this->assertTrue($acl->isAdminAction('user', 'save'));
-    }
-
-    public function testProjectAdminActions()
-    {
-        $acl = new Acl($this->container);
-        $this->assertFalse($acl->isProjectAdminAction('config', 'save'));
-        $this->assertFalse($acl->isProjectAdminAction('user', 'index'));
-        $this->assertTrue($acl->isProjectAdminAction('project', 'remove'));
-    }
-
-    public function testProjectManagerActions()
-    {
-        $acl = new Acl($this->container);
-        $this->assertFalse($acl->isProjectManagerAction('board', 'readonly'));
-        $this->assertFalse($acl->isProjectManagerAction('project', 'remove'));
-        $this->assertFalse($acl->isProjectManagerAction('project', 'show'));
-        $this->assertTrue($acl->isProjectManagerAction('project', 'disable'));
-        $this->assertTrue($acl->isProjectManagerAction('category', 'index'));
-        $this->assertTrue($acl->isProjectManagerAction('project', 'users'));
-        $this->assertFalse($acl->isProjectManagerAction('app', 'index'));
-    }
-
-    public function testPageAccessNoSession()
-    {
-        $acl = new Acl($this->container);
-
-        $this->assertFalse($acl->isAllowed('board', 'readonly'));
-        $this->assertFalse($acl->isAllowed('task', 'show'));
-        $this->assertFalse($acl->isAllowed('config', 'application'));
-        $this->assertFalse($acl->isAllowed('project', 'users'));
-        $this->assertFalse($acl->isAllowed('task', 'remove'));
-        $this->assertTrue($acl->isAllowed('app', 'index'));
-    }
-
-    public function testPageAccessEmptySession()
-    {
-        $acl = new Acl($this->container);
-        $this->container['sessionStorage']->user = array();
-
-        $this->assertFalse($acl->isAllowed('board', 'readonly'));
-        $this->assertFalse($acl->isAllowed('task', 'show'));
-        $this->assertFalse($acl->isAllowed('config', 'application'));
-        $this->assertFalse($acl->isAllowed('project', 'users'));
-        $this->assertFalse($acl->isAllowed('task', 'remove'));
-        $this->assertTrue($acl->isAllowed('app', 'index'));
-    }
-
-    public function testPageAccessAdminUser()
-    {
-        $acl = new Acl($this->container);
-        $this->container['sessionStorage']->user = array(
-            'is_admin' => true,
-        );
-
-        $this->assertTrue($acl->isAllowed('board', 'readonly'));
-        $this->assertTrue($acl->isAllowed('task', 'readonly'));
-        $this->assertTrue($acl->isAllowed('webhook', 'github'));
-        $this->assertTrue($acl->isAllowed('task', 'show'));
-        $this->assertTrue($acl->isAllowed('task', 'update'));
-        $this->assertTrue($acl->isAllowed('config', 'application'));
-        $this->assertTrue($acl->isAllowed('project', 'show'));
-        $this->assertTrue($acl->isAllowed('project', 'users'));
-        $this->assertTrue($acl->isAllowed('project', 'remove'));
-        $this->assertTrue($acl->isAllowed('category', 'edit'));
-        $this->assertTrue($acl->isAllowed('task', 'remove'));
-        $this->assertTrue($acl->isAllowed('app', 'index'));
-    }
-
-    public function testPageAccessProjectAdmin()
-    {
-        $acl = new Acl($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new User($this->container);
-
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create a project and set our user as project manager
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
-
-        // We fake a session for him
-        $this->container['sessionStorage']->user = array(
-            'id' => 2,
-            'is_admin' => false,
-            'is_project_admin' => true,
-        );
-
-        $this->assertTrue($acl->isAllowed('board', 'readonly', 1));
-        $this->assertTrue($acl->isAllowed('task', 'readonly', 1));
-        $this->assertTrue($acl->isAllowed('webhook', 'github', 1));
-        $this->assertTrue($acl->isAllowed('task', 'show', 1));
-        $this->assertFalse($acl->isAllowed('task', 'show', 2));
-        $this->assertTrue($acl->isAllowed('task', 'update', 1));
-        $this->assertTrue($acl->isAllowed('project', 'show', 1));
-        $this->assertFalse($acl->isAllowed('config', 'application', 1));
-
-        $this->assertTrue($acl->isAllowed('project', 'users', 1));
-        $this->assertFalse($acl->isAllowed('project', 'users', 2));
-
-        $this->assertTrue($acl->isAllowed('project', 'remove', 1));
-        $this->assertFalse($acl->isAllowed('project', 'remove', 2));
-
-        $this->assertTrue($acl->isAllowed('category', 'edit', 1));
-        $this->assertTrue($acl->isAllowed('task', 'remove', 1));
-        $this->assertTrue($acl->isAllowed('app', 'index', 1));
-    }
-
-    public function testPageAccessProjectManager()
-    {
-        $acl = new Acl($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new User($this->container);
-
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create a project and set our user as project manager
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest'), 2, true));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertTrue($pp->isManager(1, 2));
-
-        // We fake a session for him
-        $this->container['sessionStorage']->user = array(
-            'id' => 2,
-            'is_admin' => false,
-        );
-
-        $this->assertTrue($acl->isAllowed('board', 'readonly', 1));
-        $this->assertTrue($acl->isAllowed('task', 'readonly', 1));
-        $this->assertTrue($acl->isAllowed('webhook', 'github', 1));
-        $this->assertTrue($acl->isAllowed('task', 'show', 1));
-        $this->assertFalse($acl->isAllowed('task', 'show', 2));
-        $this->assertTrue($acl->isAllowed('task', 'update', 1));
-        $this->assertTrue($acl->isAllowed('project', 'show', 1));
-        $this->assertFalse($acl->isAllowed('config', 'application', 1));
-
-        $this->assertTrue($acl->isAllowed('project', 'users', 1));
-        $this->assertFalse($acl->isAllowed('project', 'users', 2));
-
-        $this->assertFalse($acl->isAllowed('project', 'remove', 1));
-        $this->assertFalse($acl->isAllowed('project', 'remove', 2));
-
-        $this->assertTrue($acl->isAllowed('category', 'edit', 1));
-        $this->assertTrue($acl->isAllowed('task', 'remove', 1));
-        $this->assertTrue($acl->isAllowed('app', 'index', 1));
-    }
-
-    public function testPageAccessMember()
-    {
-        $acl = new Acl($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new User($this->container);
-
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create a project and set our user as member
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest1')));
-        $this->assertEquals(2, $p->create(array('name' => 'UnitTest2')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
-
-        $this->container['sessionStorage']->user = array(
-            'id' => 2,
-            'is_admin' => false,
-        );
-
-        $this->assertTrue($acl->isAllowed('board', 'readonly', 1));
-        $this->assertTrue($acl->isAllowed('task', 'readonly', 1));
-        $this->assertTrue($acl->isAllowed('webhook', 'github', 1));
-        $this->assertFalse($acl->isAllowed('board', 'show', 2));
-        $this->assertTrue($acl->isAllowed('board', 'show', 1));
-        $this->assertFalse($acl->isAllowed('task', 'show', 2));
-        $this->assertTrue($acl->isAllowed('task', 'show', 1));
-        $this->assertTrue($acl->isAllowed('task', 'update', 1));
-        $this->assertTrue($acl->isAllowed('project', 'show', 1));
-        $this->assertFalse($acl->isAllowed('config', 'application', 1));
-        $this->assertFalse($acl->isAllowed('project', 'users', 1));
-        $this->assertTrue($acl->isAllowed('task', 'remove', 1));
-        $this->assertFalse($acl->isAllowed('task', 'remove', 2));
-        $this->assertTrue($acl->isAllowed('app', 'index', 1));
-    }
-
-    public function testPageAccessNotMember()
-    {
-        $acl = new Acl($this->container);
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new User($this->container);
-
-        // We create our user
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create a project and set our user as member
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest1')));
-        $this->assertEquals(2, $p->create(array('name' => 'UnitTest2')));
-        $this->assertFalse($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
-
-        $this->container['sessionStorage']->user = array(
-            'id' => 2,
-            'is_admin' => false,
-        );
-
-        $this->assertFalse($acl->isAllowed('board', 'show', 2));
-        $this->assertFalse($acl->isAllowed('board', 'show', 1));
-        $this->assertFalse($acl->isAllowed('task', 'show', 1));
-        $this->assertFalse($acl->isAllowed('task', 'update', 1));
-        $this->assertFalse($acl->isAllowed('project', 'show', 1));
-        $this->assertFalse($acl->isAllowed('config', 'application', 1));
-        $this->assertFalse($acl->isAllowed('project', 'users', 1));
-        $this->assertFalse($acl->isAllowed('task', 'remove', 1));
-        $this->assertTrue($acl->isAllowed('app', 'index', 1));
-    }
-
-    public function testExtend()
-    {
-        $acl = new Acl($this->container);
-
-        $this->assertFalse($acl->isProjectManagerAction('plop', 'show'));
-
-        $acl->extend('project_manager_acl', array('plop' => '*'));
-
-        $this->assertTrue($acl->isProjectManagerAction('plop', 'show'));
-        $this->assertTrue($acl->isProjectManagerAction('swimlane', 'index'));
-    }
-}
diff --git a/tests/units/Model/ActionTest.php b/tests/units/Model/ActionTest.php
index 30f6b22c..4a338707 100644
--- a/tests/units/Model/ActionTest.php
+++ b/tests/units/Model/ActionTest.php
@@ -11,9 +11,10 @@ use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Category;
 use Kanboard\Model\User;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Integration\GithubWebhook;
 use Kanboard\Integration\BitbucketWebhook;
+use Kanboard\Core\Security\Role;
 
 class ActionTest extends Base
 {
@@ -62,7 +63,7 @@ class ActionTest extends Base
     public function testResolveDuplicatedParameters()
     {
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $a = new Action($this->container);
         $c = new Category($this->container);
         $u = new User($this->container);
@@ -78,9 +79,9 @@ class ActionTest extends Base
         $this->assertEquals(2, $u->create(array('username' => 'unittest1')));
         $this->assertEquals(3, $u->create(array('username' => 'unittest2')));
 
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(1, 3));
-        $this->assertTrue($pp->addMember(2, 3));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 3, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(2, 3, Role::PROJECT_MEMBER));
 
         // anything
         $this->assertEquals('blah', $a->resolveParameters(array('name' => 'foobar', 'value' => 'blah'), 2));
@@ -113,7 +114,7 @@ class ActionTest extends Base
     public function testDuplicateSuccess()
     {
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $a = new Action($this->container);
         $u = new User($this->container);
 
@@ -123,9 +124,9 @@ class ActionTest extends Base
         $this->assertEquals(2, $u->create(array('username' => 'unittest1')));
         $this->assertEquals(3, $u->create(array('username' => 'unittest2')));
 
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(1, 3));
-        $this->assertTrue($pp->addMember(2, 3));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 3, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(2, 3, Role::PROJECT_MEMBER));
 
         $this->assertEquals(1, $a->create(array(
             'project_id' => 1,
@@ -159,7 +160,7 @@ class ActionTest extends Base
     public function testDuplicateUnableToResolveParams()
     {
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $a = new Action($this->container);
         $u = new User($this->container);
 
@@ -168,7 +169,7 @@ class ActionTest extends Base
 
         $this->assertEquals(2, $u->create(array('username' => 'unittest1')));
 
-        $this->assertTrue($pp->addMember(1, 2));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $this->assertEquals(1, $a->create(array(
             'project_id' => 1,
@@ -196,7 +197,7 @@ class ActionTest extends Base
     public function testDuplicateMixedResults()
     {
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $a = new Action($this->container);
         $u = new User($this->container);
         $c = new Category($this->container);
@@ -210,7 +211,7 @@ class ActionTest extends Base
 
         $this->assertEquals(2, $u->create(array('username' => 'unittest1')));
 
-        $this->assertTrue($pp->addMember(1, 2));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $this->assertEquals(1, $a->create(array(
             'project_id' => 1,
diff --git a/tests/units/Model/AuthenticationTest.php b/tests/units/Model/AuthenticationTest.php
deleted file mode 100644
index 6b48affe..00000000
--- a/tests/units/Model/AuthenticationTest.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-
-require_once __DIR__.'/../Base.php';
-
-use Kanboard\Model\User;
-use Kanboard\Model\Authentication;
-
-class AuthenticationTest extends Base
-{
-    public function testHasCaptcha()
-    {
-        $u = new User($this->container);
-        $a = new Authentication($this->container);
-
-        $this->assertFalse($a->hasCaptcha('not_found'));
-        $this->assertFalse($a->hasCaptcha('admin'));
-
-        $this->assertTrue($u->incrementFailedLogin('admin'));
-        $this->assertTrue($u->incrementFailedLogin('admin'));
-        $this->assertTrue($u->incrementFailedLogin('admin'));
-
-        $this->assertFalse($a->hasCaptcha('not_found'));
-        $this->assertTrue($a->hasCaptcha('admin'));
-    }
-
-    public function testHandleFailedLogin()
-    {
-        $u = new User($this->container);
-        $a = new Authentication($this->container);
-
-        $this->assertFalse($u->isLocked('admin'));
-
-        for ($i = 0; $i <= 6; $i++) {
-            $a->handleFailedLogin('admin');
-        }
-
-        $this->assertTrue($u->isLocked('admin'));
-    }
-}
diff --git a/tests/units/Model/ProjectDuplicationTest.php b/tests/units/Model/ProjectDuplicationTest.php
index e3234dfe..8b74675b 100644
--- a/tests/units/Model/ProjectDuplicationTest.php
+++ b/tests/units/Model/ProjectDuplicationTest.php
@@ -5,13 +5,14 @@ require_once __DIR__.'/../Base.php';
 use Kanboard\Model\Action;
 use Kanboard\Model\Project;
 use Kanboard\Model\Category;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\ProjectDuplication;
 use Kanboard\Model\User;
 use Kanboard\Model\Swimlane;
 use Kanboard\Model\Task;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
+use Kanboard\Core\Security\Role;
 
 class ProjectDuplicationTest extends Base
 {
@@ -72,10 +73,10 @@ class ProjectDuplicationTest extends Base
         $this->assertEquals(0, $project['is_public']);
         $this->assertEmpty($project['token']);
 
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
 
-        $this->assertEquals(array(1 => 'admin'), $pp->getMembers(1));
-        $this->assertEquals(array(1 => 'admin'), $pp->getMembers(2));
+        $this->assertEquals(array(1 => 'admin'), $pp->getAssignableUsers(1));
+        $this->assertEquals(array(1 => 'admin'), $pp->getAssignableUsers(2));
     }
 
     public function testCloneProjectWithCategories()
@@ -114,7 +115,7 @@ class ProjectDuplicationTest extends Base
     {
         $p = new Project($this->container);
         $c = new Category($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $u = new User($this->container);
         $pd = new ProjectDuplication($this->container);
 
@@ -123,15 +124,12 @@ class ProjectDuplicationTest extends Base
         $this->assertEquals(4, $u->create(array('username' => 'unittest3', 'password' => 'unittest')));
 
         $this->assertEquals(1, $p->create(array('name' => 'P1')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(1, 4));
-        $this->assertTrue($pp->addManager(1, 3));
-        $this->assertTrue($pp->isMember(1, 2));
-        $this->assertTrue($pp->isMember(1, 3));
-        $this->assertTrue($pp->isMember(1, 4));
-        $this->assertFalse($pp->isManager(1, 2));
-        $this->assertTrue($pp->isManager(1, 3));
-        $this->assertFalse($pp->isManager(1, 4));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 3, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 4, Role::PROJECT_MANAGER));
+        $this->assertEquals(Role::PROJECT_MEMBER, $pp->getUserRole(1, 2));
+        $this->assertEquals(Role::PROJECT_MEMBER, $pp->getUserRole(1, 3));
+        $this->assertEquals(Role::PROJECT_MANAGER, $pp->getUserRole(1, 4));
 
         $this->assertEquals(2, $pd->duplicate(1));
 
@@ -139,13 +137,10 @@ class ProjectDuplicationTest extends Base
         $this->assertNotEmpty($project);
         $this->assertEquals('P1 (Clone)', $project['name']);
 
-        $this->assertEquals(3, count($pp->getMembers(2)));
-        $this->assertTrue($pp->isMember(2, 2));
-        $this->assertTrue($pp->isMember(2, 3));
-        $this->assertTrue($pp->isMember(2, 4));
-        $this->assertFalse($pp->isManager(2, 2));
-        $this->assertTrue($pp->isManager(2, 3));
-        $this->assertFalse($pp->isManager(2, 4));
+        $this->assertEquals(3, count($pp->getUsers(2)));
+        $this->assertEquals(Role::PROJECT_MEMBER, $pp->getUserRole(2, 2));
+        $this->assertEquals(Role::PROJECT_MEMBER, $pp->getUserRole(2, 3));
+        $this->assertEquals(Role::PROJECT_MANAGER, $pp->getUserRole(2, 4));
     }
 
     public function testCloneProjectWithActionTaskAssignCurrentUser()
diff --git a/tests/units/Model/ProjectGroupRoleTest.php b/tests/units/Model/ProjectGroupRoleTest.php
new file mode 100644
index 00000000..52b83082
--- /dev/null
+++ b/tests/units/Model/ProjectGroupRoleTest.php
@@ -0,0 +1,340 @@
+<?php
+
+require_once __DIR__.'/../Base.php';
+
+use Kanboard\Model\Project;
+use Kanboard\Model\User;
+use Kanboard\Model\Group;
+use Kanboard\Model\GroupMember;
+use Kanboard\Model\ProjectGroupRole;
+use Kanboard\Core\Security\Role;
+
+class ProjectGroupRoleTest extends Base
+{
+    public function testGetUserRole()
+    {
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(1, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 1));
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+
+        $this->assertEquals(Role::PROJECT_VIEWER, $groupRoleModel->getUserRole(1, 1));
+        $this->assertEquals('', $groupRoleModel->getUserRole(1, 2));
+    }
+
+    public function testAddGroup()
+    {
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(1, $groupModel->create('Test'));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertFalse($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+
+        $groups = $groupRoleModel->getGroups(1);
+        $this->assertCount(1, $groups);
+        $this->assertEquals(1, $groups[0]['id']);
+        $this->assertEquals('Test', $groups[0]['name']);
+        $this->assertEquals(Role::PROJECT_VIEWER, $groups[0]['role']);
+    }
+
+    public function testRemoveGroup()
+    {
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(1, $groupModel->create('Test'));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->removeGroup(1, 1));
+        $this->assertFalse($groupRoleModel->removeGroup(1, 1));
+
+        $this->assertEmpty($groupRoleModel->getGroups(1));
+    }
+
+    public function testChangeRole()
+    {
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(1, $groupModel->create('Test'));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->changeGroupRole(1, 1, Role::PROJECT_MANAGER));
+
+        $groups = $groupRoleModel->getGroups(1);
+        $this->assertCount(1, $groups);
+        $this->assertEquals(1, $groups[0]['id']);
+        $this->assertEquals('Test', $groups[0]['name']);
+        $this->assertEquals(Role::PROJECT_MANAGER, $groups[0]['role']);
+    }
+
+    public function testGetGroups()
+    {
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $groups = $groupRoleModel->getGroups(1);
+        $this->assertCount(3, $groups);
+
+        $this->assertEquals(3, $groups[0]['id']);
+        $this->assertEquals('Group A', $groups[0]['name']);
+        $this->assertEquals(Role::PROJECT_MANAGER, $groups[0]['role']);
+
+        $this->assertEquals(2, $groups[1]['id']);
+        $this->assertEquals('Group B', $groups[1]['name']);
+        $this->assertEquals(Role::PROJECT_MEMBER, $groups[1]['role']);
+
+        $this->assertEquals(1, $groups[2]['id']);
+        $this->assertEquals('Group C', $groups[2]['name']);
+        $this->assertEquals(Role::PROJECT_VIEWER, $groups[2]['role']);
+    }
+
+    public function testGetUsers()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1')));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+
+        $this->assertEquals(1, $groupModel->create('Group A'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group C'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $users = $groupRoleModel->getUsers(2);
+        $this->assertCount(0, $users);
+
+        $users = $groupRoleModel->getUsers(1);
+        $this->assertCount(3, $users);
+
+        $this->assertEquals(2, $users[0]['id']);
+        $this->assertEquals('user 1', $users[0]['username']);
+        $this->assertEquals('User #1', $users[0]['name']);
+        $this->assertEquals(Role::PROJECT_MANAGER, $users[0]['role']);
+
+        $this->assertEquals(3, $users[1]['id']);
+        $this->assertEquals('user 2', $users[1]['username']);
+        $this->assertEquals('', $users[1]['name']);
+        $this->assertEquals(Role::PROJECT_MEMBER, $users[1]['role']);
+
+        $this->assertEquals(4, $users[2]['id']);
+        $this->assertEquals('user 3', $users[2]['username']);
+        $this->assertEquals('', $users[2]['name']);
+        $this->assertEquals(Role::PROJECT_VIEWER, $users[2]['role']);
+    }
+
+    public function testGetAssignableUsers()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1')));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+
+        $this->assertEquals(1, $groupModel->create('Group A'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group C'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $users = $groupRoleModel->getAssignableUsers(2);
+        $this->assertCount(0, $users);
+
+        $users = $groupRoleModel->getAssignableUsers(1);
+        $this->assertCount(2, $users);
+
+        $this->assertEquals(2, $users[0]['id']);
+        $this->assertEquals('user 1', $users[0]['username']);
+        $this->assertEquals('User #1', $users[0]['name']);
+
+        $this->assertEquals(3, $users[1]['id']);
+        $this->assertEquals('user 2', $users[1]['username']);
+        $this->assertEquals('', $users[1]['name']);
+    }
+
+    public function testGetProjectsByUser()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1')));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(2, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $projects = $groupRoleModel->getProjectsByUser(2);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $groupRoleModel->getProjectsByUser(3);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $groupRoleModel->getProjectsByUser(4);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $groupRoleModel->getProjectsByUser(5);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+    }
+
+    public function testGetActiveProjectsByUser()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1', 'is_active' => 0)));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(2, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $projects = $groupRoleModel->getProjectsByUser(2, array(Project::ACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $groupRoleModel->getProjectsByUser(3, array(Project::ACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $groupRoleModel->getProjectsByUser(4, array(Project::ACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $groupRoleModel->getProjectsByUser(5, array(Project::ACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+    }
+
+    public function testGetInactiveProjectsByUser()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1', 'is_active' => 0)));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(2, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $projects = $groupRoleModel->getProjectsByUser(2, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $groupRoleModel->getProjectsByUser(3, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $groupRoleModel->getProjectsByUser(4, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $groupRoleModel->getProjectsByUser(5, array(Project::INACTIVE));
+        $this->assertCount(0, $projects);
+    }
+}
diff --git a/tests/units/Model/ProjectPermissionTest.php b/tests/units/Model/ProjectPermissionTest.php
index 1ee63a76..8f118cd9 100644
--- a/tests/units/Model/ProjectPermissionTest.php
+++ b/tests/units/Model/ProjectPermissionTest.php
@@ -2,286 +2,54 @@
 
 require_once __DIR__.'/../Base.php';
 
-use Kanboard\Model\Project;
 use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\Project;
 use Kanboard\Model\User;
+use Kanboard\Model\Group;
+use Kanboard\Model\GroupMember;
+use Kanboard\Model\ProjectGroupRole;
+use Kanboard\Model\ProjectUserRole;
+use Kanboard\Core\Security\Role;
 
 class ProjectPermissionTest extends Base
 {
-    public function testAllowEverybody()
-    {
-        $user = new User($this->container);
-        $this->assertNotFalse($user->create(array('username' => 'unittest#1', 'password' => 'unittest')));
-        $this->assertNotFalse($user->create(array('username' => 'unittest#2', 'password' => 'unittest')));
-
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-        $this->assertFalse($pp->isEverybodyAllowed(1));
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertFalse($pp->isUserAllowed(1, 2));
-        $this->assertFalse($pp->isUserAllowed(1, 3));
-        $this->assertEquals(array(), $pp->getMembers(1));
-        $this->assertEquals(array('Unassigned'), $pp->getMemberList(1));
-
-        $this->assertEmpty($pp->getMemberProjects(1));
-        $this->assertEmpty($pp->getMemberProjects(2));
-        $this->assertEmpty($pp->getMemberProjects(3));
-
-        $this->assertEmpty($pp->getMemberProjectIds(1));
-        $this->assertEmpty($pp->getMemberProjectIds(2));
-        $this->assertEmpty($pp->getMemberProjectIds(3));
-
-        $this->assertEmpty($pp->getActiveMemberProjectIds(1));
-        $this->assertEmpty($pp->getActiveMemberProjectIds(2));
-        $this->assertEmpty($pp->getActiveMemberProjectIds(3));
-
-        $this->assertEmpty($pp->getActiveMemberProjects(1));
-        $this->assertEmpty($pp->getActiveMemberProjects(2));
-        $this->assertEmpty($pp->getActiveMemberProjects(3));
-
-        $this->assertTrue($p->update(array('id' => 1, 'is_everybody_allowed' => 1)));
-        $this->assertTrue($pp->isEverybodyAllowed(1));
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-        $this->assertTrue($pp->isUserAllowed(1, 3));
-        $this->assertEquals(array('1' => 'admin', '2' => 'unittest#1', '3' => 'unittest#2'), $pp->getMembers(1));
-        $this->assertEquals(array('Unassigned', '1' => 'admin', '2' => 'unittest#1', '3' => 'unittest#2'), $pp->getMemberList(1));
-
-        $this->assertNotEmpty($pp->getMemberProjects(1));
-        $this->assertNotEmpty($pp->getMemberProjects(2));
-        $this->assertNotEmpty($pp->getMemberProjects(3));
-
-        $this->assertNotEmpty($pp->getMemberProjectIds(1));
-        $this->assertNotEmpty($pp->getMemberProjectIds(2));
-        $this->assertNotEmpty($pp->getMemberProjectIds(3));
-
-        $this->assertNotEmpty($pp->getActiveMemberProjectIds(1));
-        $this->assertNotEmpty($pp->getActiveMemberProjectIds(2));
-        $this->assertNotEmpty($pp->getActiveMemberProjectIds(3));
-
-        $this->assertNotEmpty($pp->getActiveMemberProjects(1));
-        $this->assertNotEmpty($pp->getActiveMemberProjects(2));
-        $this->assertNotEmpty($pp->getActiveMemberProjects(3));
-
-        $this->assertTrue($p->disable(1));
-
-        $this->assertEmpty($pp->getActiveMemberProjectIds(1));
-        $this->assertEmpty($pp->getActiveMemberProjectIds(2));
-        $this->assertEmpty($pp->getActiveMemberProjectIds(3));
-
-        $this->assertEmpty($pp->getActiveMemberProjects(1));
-        $this->assertEmpty($pp->getActiveMemberProjects(2));
-        $this->assertEmpty($pp->getActiveMemberProjects(3));
-    }
-
-    public function testDisallowEverybody()
-    {
-        // We create a regular user
-        $user = new User($this->container);
-        $user->create(array('username' => 'unittest', 'password' => 'unittest'));
-
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-
-        $this->assertEmpty($pp->getMembers(1)); // Nobody is specified for the given project
-        $this->assertTrue($pp->isUserAllowed(1, 1)); // Admin should be allowed
-        $this->assertFalse($pp->isUserAllowed(1, 2)); // Regular user should be denied
-    }
-
-    public function testAllowUser()
-    {
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $user = new User($this->container);
-
-        $this->assertNotFalse($user->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create a project
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-
-        $this->assertEmpty($pp->getMemberProjects(1));
-        $this->assertEmpty($pp->getMemberProjects(2));
-
-        $this->assertEmpty($pp->getMemberProjectIds(1));
-        $this->assertEmpty($pp->getMemberProjectIds(2));
-
-        $this->assertEmpty($pp->getActiveMemberProjectIds(1));
-        $this->assertEmpty($pp->getActiveMemberProjectIds(2));
-
-        $this->assertEmpty($pp->getActiveMemberProjects(1));
-        $this->assertEmpty($pp->getActiveMemberProjects(2));
-
-        // We allow the admin user
-        $this->assertTrue($pp->addMember(1, 1));
-        $this->assertTrue($pp->addMember(1, 2));
-
-        // Non-existant project
-        $this->assertFalse($pp->addMember(50, 1));
-
-        // Non-existant user
-        $this->assertFalse($pp->addMember(1, 50));
-
-        // Both users should be allowed
-        $this->assertEquals(array('1' => 'admin', '2' => 'unittest'), $pp->getMembers(1));
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-
-        $this->assertNotEmpty($pp->getMemberProjects(1));
-        $this->assertNotEmpty($pp->getMemberProjects(2));
-
-        $this->assertNotEmpty($pp->getMemberProjectIds(1));
-        $this->assertNotEmpty($pp->getMemberProjectIds(2));
-
-        $this->assertNotEmpty($pp->getActiveMemberProjectIds(1));
-        $this->assertNotEmpty($pp->getActiveMemberProjectIds(2));
-
-        $this->assertNotEmpty($pp->getActiveMemberProjects(1));
-        $this->assertNotEmpty($pp->getActiveMemberProjects(2));
-    }
-
-    public function testRevokeUser()
-    {
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $user = new User($this->container);
-
-        $user->create(array('username' => 'unittest', 'password' => 'unittest'));
-
-        // We create a project
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-
-        // We revoke our admin user (not existing row)
-        $this->assertFalse($pp->revokeMember(1, 1));
-
-        // We should have nobody in the users list
-        $this->assertEmpty($pp->getMembers(1));
-
-        // Only admin is allowed
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertFalse($pp->isUserAllowed(1, 2));
-
-        // We allow only the regular user
-        $this->assertTrue($pp->addMember(1, 2));
-
-        // All users should be allowed (admin and regular)
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-
-        // However, we should have only our regular user in the list
-        $this->assertEquals(array('2' => 'unittest'), $pp->getMembers(1));
-
-        // We allow our admin, we should have both in the list
-        $this->assertTrue($pp->addMember(1, 1));
-        $this->assertEquals(array('1' => 'admin', '2' => 'unittest'), $pp->getMembers(1));
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-
-        // We revoke the regular user
-        $this->assertTrue($pp->revokeMember(1, 2));
-
-        // Only admin should be allowed
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertFalse($pp->isUserAllowed(1, 2));
-
-        // We should have only admin in the list
-        $this->assertEquals(array('1' => 'admin'), $pp->getMembers(1));
-
-        // We revoke the admin user
-        $this->assertTrue($pp->revokeMember(1, 1));
-        $this->assertEmpty($pp->getMembers(1));
-
-        // Only admin should be allowed again
-        $this->assertTrue($pp->isUserAllowed(1, 1));
-        $this->assertFalse($pp->isUserAllowed(1, 2));
-    }
-
-    public function testManager()
-    {
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-        $u = new User($this->container);
-
-        $this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest1')));
-        $this->assertFalse($pp->isMember(1, 2));
-        $this->assertFalse($pp->isManager(1, 2));
-
-        $this->assertEquals(2, $p->create(array('name' => 'UnitTest2'), 1, true));
-        $this->assertFalse($pp->isMember(2, 2));
-        $this->assertFalse($pp->isManager(2, 2));
-
-        $this->assertEquals(3, $p->create(array('name' => 'UnitTest3'), 2, true));
-        $this->assertTrue($pp->isMember(3, 2));
-        $this->assertTrue($pp->isManager(3, 2));
-
-        $this->assertEquals(4, $p->create(array('name' => 'UnitTest4')));
-
-        $this->assertTrue($pp->addManager(4, 2));
-        $this->assertTrue($pp->isMember(4, 2));
-        $this->assertTrue($pp->isManager(4, 2));
-
-        $this->assertEquals(5, $p->create(array('name' => 'UnitTest5')));
-        $this->assertTrue($pp->addMember(5, 2));
-        $this->assertTrue($pp->changeRole(5, 2, 1));
-        $this->assertTrue($pp->isMember(5, 2));
-        $this->assertTrue($pp->isManager(5, 2));
-        $this->assertTrue($pp->changeRole(5, 2, 0));
-        $this->assertTrue($pp->isMember(5, 2));
-        $this->assertFalse($pp->isManager(5, 2));
-    }
-
-    public function testUsersList()
+    public function testDuplicate()
     {
-        $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
-
-        $user = new User($this->container);
-        $this->assertNotFalse($user->create(array('username' => 'unittest', 'password' => 'unittest')));
-
-        // We create project
-        $this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
-
-        // No restriction, we should have no body
-        $this->assertEquals(
-            array('Unassigned'),
-            $pp->getMemberList(1)
-        );
-
-        // We allow only the regular user
-        $this->assertTrue($pp->addMember(1, 2));
-
-        $this->assertEquals(
-            array(0 => 'Unassigned', 2 => 'unittest'),
-            $pp->getMemberList(1)
-        );
-
-        // We allow the admin user
-        $this->assertTrue($pp->addMember(1, 1));
-
-        $this->assertEquals(
-            array(0 => 'Unassigned', 1 => 'admin', 2 => 'unittest'),
-            $pp->getMemberList(1)
-        );
-
-        // We revoke only the regular user
-        $this->assertTrue($pp->revokeMember(1, 2));
-
-        $this->assertEquals(
-            array(0 => 'Unassigned', 1 => 'admin'),
-            $pp->getMemberList(1)
-        );
-
-        // We revoke only the admin user, we should have everybody
-        $this->assertTrue($pp->revokeMember(1, 1));
-
-        $this->assertEquals(
-            array(0 => 'Unassigned'),
-            $pp->getMemberList(1)
-        );
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+        $projectPermission = new ProjectPermission($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1')));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+        $this->assertEquals(6, $userModel->create(array('username' => 'user 5', 'name' => 'User #5')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $this->assertTrue($userRoleModel->addUser(1, 5, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(1, 6, Role::PROJECT_MEMBER));
+
+        $this->assertTrue($projectPermission->duplicate(1, 2));
+
+        $this->assertCount(2, $userRoleModel->getUsers(2));
+        $this->assertCount(3, $groupRoleModel->getUsers(2));
     }
 }
diff --git a/tests/units/Model/ProjectTest.php b/tests/units/Model/ProjectTest.php
index 56791700..4d8e6fc7 100644
--- a/tests/units/Model/ProjectTest.php
+++ b/tests/units/Model/ProjectTest.php
@@ -5,7 +5,6 @@ require_once __DIR__.'/../Base.php';
 use Kanboard\Core\Translator;
 use Kanboard\Subscriber\ProjectModificationDateSubscriber;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
 use Kanboard\Model\User;
 use Kanboard\Model\Task;
 use Kanboard\Model\TaskCreation;
diff --git a/tests/units/Model/ProjectUserRoleTest.php b/tests/units/Model/ProjectUserRoleTest.php
new file mode 100644
index 00000000..c6b4eb7c
--- /dev/null
+++ b/tests/units/Model/ProjectUserRoleTest.php
@@ -0,0 +1,400 @@
+<?php
+
+require_once __DIR__.'/../Base.php';
+
+use Kanboard\Model\Project;
+use Kanboard\Model\User;
+use Kanboard\Model\Group;
+use Kanboard\Model\GroupMember;
+use Kanboard\Model\ProjectGroupRole;
+use Kanboard\Model\ProjectUserRole;
+use Kanboard\Core\Security\Role;
+
+class ProjectUserRoleTest extends Base
+{
+    public function testAddUser()
+    {
+        $projectModel = new Project($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_VIEWER));
+        $this->assertFalse($userRoleModel->addUser(1, 1, Role::PROJECT_VIEWER));
+
+        $users = $userRoleModel->getUsers(1);
+        $this->assertCount(1, $users);
+        $this->assertEquals(1, $users[0]['id']);
+        $this->assertEquals('admin', $users[0]['username']);
+        $this->assertEquals('', $users[0]['name']);
+        $this->assertEquals(Role::PROJECT_VIEWER, $users[0]['role']);
+    }
+
+    public function testRemoveUser()
+    {
+        $projectModel = new Project($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->removeUser(1, 1));
+        $this->assertFalse($userRoleModel->removeUser(1, 1));
+
+        $this->assertEmpty($userRoleModel->getUsers(1));
+    }
+
+    public function testChangeRole()
+    {
+        $projectModel = new Project($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($userRoleModel->changeUserRole(1, 1, Role::PROJECT_MANAGER));
+
+        $users = $userRoleModel->getUsers(1);
+        $this->assertCount(1, $users);
+        $this->assertEquals(1, $users[0]['id']);
+        $this->assertEquals('admin', $users[0]['username']);
+        $this->assertEquals('', $users[0]['name']);
+        $this->assertEquals(Role::PROJECT_MANAGER, $users[0]['role']);
+    }
+
+    public function testGetRole()
+    {
+        $projectModel = new Project($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEmpty($userRoleModel->getUserRole(1, 1));
+
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_VIEWER));
+        $this->assertEquals(Role::PROJECT_VIEWER, $userRoleModel->getUserRole(1, 1));
+
+        $this->assertTrue($userRoleModel->changeUserRole(1, 1, Role::PROJECT_MEMBER));
+        $this->assertEquals(Role::PROJECT_MEMBER, $userRoleModel->getUserRole(1, 1));
+
+        $this->assertTrue($userRoleModel->changeUserRole(1, 1, Role::PROJECT_MANAGER));
+        $this->assertEquals(Role::PROJECT_MANAGER, $userRoleModel->getUserRole(1, 1));
+
+        $this->assertEquals('', $userRoleModel->getUserRole(1, 2));
+    }
+
+    public function testGetRoleWithGroups()
+    {
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(1, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 1));
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+
+        $this->assertEquals(Role::PROJECT_VIEWER, $userRoleModel->getUserRole(1, 1));
+        $this->assertEquals('', $userRoleModel->getUserRole(1, 2));
+    }
+
+    public function testGetAssignableUsersWithoutGroups()
+    {
+        $projectModel = new Project($this->container);
+        $userModel = new User($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+        $this->assertEquals(2, $userModel->create(array('username' => 'user1', 'name' => 'User1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user2', 'name' => 'User2')));
+
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(1, 2, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(1, 3, Role::PROJECT_VIEWER));
+
+        $users = $userRoleModel->getAssignableUsers(1);
+        $this->assertCount(2, $users);
+
+        $this->assertEquals('admin', $users[1]);
+        $this->assertEquals('User1', $users[2]);
+    }
+
+    public function testGetAssignableUsersWithGroups()
+    {
+        $projectModel = new Project($this->container);
+        $userModel = new User($this->container);
+        $groupModel = new Group($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user1', 'name' => 'User1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user2', 'name' => 'User2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user3', 'name' => 'User3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user4', 'name' => 'User4')));
+
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(1, 2, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(1, 3, Role::PROJECT_VIEWER));
+
+        $this->assertEquals(1, $groupModel->create('Group A'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 2, Role::PROJECT_MEMBER));
+
+        $users = $userRoleModel->getAssignableUsers(1);
+        $this->assertCount(3, $users);
+
+        $this->assertEquals('admin', $users[1]);
+        $this->assertEquals('User1', $users[2]);
+        $this->assertEquals('User4', $users[5]);
+    }
+
+    public function testGetAssignableUsersList()
+    {
+        $projectModel = new Project($this->container);
+        $userModel = new User($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test1')));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Test2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user1', 'name' => 'User1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user2', 'name' => 'User2')));
+
+        $this->assertTrue($userRoleModel->addUser(2, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(1, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(1, 2, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(1, 3, Role::PROJECT_VIEWER));
+
+        $users = $userRoleModel->getAssignableUsersList(1);
+        $this->assertCount(3, $users);
+
+        $this->assertEquals('Unassigned', $users[0]);
+        $this->assertEquals('admin', $users[1]);
+        $this->assertEquals('User1', $users[2]);
+
+        $users = $userRoleModel->getAssignableUsersList(1, true, true, true);
+        $this->assertCount(4, $users);
+
+        $this->assertEquals('Unassigned', $users[0]);
+        $this->assertEquals('Everybody', $users[-1]);
+        $this->assertEquals('admin', $users[1]);
+        $this->assertEquals('User1', $users[2]);
+
+        $users = $userRoleModel->getAssignableUsersList(2, true, true, true);
+        $this->assertCount(1, $users);
+
+        $this->assertEquals('admin', $users[1]);
+    }
+
+    public function testGetAssignableUsersWithEverybodyAllowed()
+    {
+        $projectModel = new Project($this->container);
+        $userModel = new User($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Test', 'is_everybody_allowed' => 1)));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user1', 'name' => 'User1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user2', 'name' => 'User2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user3', 'name' => 'User3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user4', 'name' => 'User4')));
+
+        $users = $userRoleModel->getAssignableUsers(1);
+        $this->assertCount(5, $users);
+
+        $this->assertEquals('admin', $users[1]);
+        $this->assertEquals('User1', $users[2]);
+        $this->assertEquals('User2', $users[3]);
+        $this->assertEquals('User3', $users[4]);
+        $this->assertEquals('User4', $users[5]);
+    }
+
+    public function testGetProjectsByUser()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1')));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+        $this->assertEquals(6, $userModel->create(array('username' => 'user 5', 'name' => 'User #5')));
+        $this->assertEquals(7, $userModel->create(array('username' => 'user 6')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(2, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $this->assertTrue($userRoleModel->addUser(1, 6, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(2, 6, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(2, 7, Role::PROJECT_MEMBER));
+
+        $projects = $userRoleModel->getProjectsByUser(2);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(3);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(4);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(5);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+
+        $projects = $userRoleModel->getProjectsByUser(6);
+        $this->assertCount(2, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+        $this->assertEquals('Project 2', $projects[2]);
+
+        $projects = $userRoleModel->getProjectsByUser(7);
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+    }
+
+    public function testGetActiveProjectsByUser()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1', 'is_active' => 0)));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+        $this->assertEquals(6, $userModel->create(array('username' => 'user 5', 'name' => 'User #5')));
+        $this->assertEquals(7, $userModel->create(array('username' => 'user 6')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(2, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $this->assertTrue($userRoleModel->addUser(1, 6, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(2, 6, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(2, 7, Role::PROJECT_MEMBER));
+
+        $projects = $userRoleModel->getProjectsByUser(2, array(Project::ACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $userRoleModel->getProjectsByUser(3, array(Project::ACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $userRoleModel->getProjectsByUser(4, array(Project::ACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $userRoleModel->getProjectsByUser(5, array(Project::ACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+
+        $projects = $userRoleModel->getProjectsByUser(6, array(Project::ACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+
+        $projects = $userRoleModel->getProjectsByUser(7, array(Project::ACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 2', $projects[2]);
+    }
+
+    public function testGetInactiveProjectsByUser()
+    {
+        $userModel = new User($this->container);
+        $projectModel = new Project($this->container);
+        $groupModel = new Group($this->container);
+        $groupMemberModel = new GroupMember($this->container);
+        $groupRoleModel = new ProjectGroupRole($this->container);
+        $userRoleModel = new ProjectUserRole($this->container);
+
+        $this->assertEquals(1, $projectModel->create(array('name' => 'Project 1', 'is_active' => 0)));
+        $this->assertEquals(2, $projectModel->create(array('name' => 'Project 2')));
+
+        $this->assertEquals(2, $userModel->create(array('username' => 'user 1', 'name' => 'User #1')));
+        $this->assertEquals(3, $userModel->create(array('username' => 'user 2')));
+        $this->assertEquals(4, $userModel->create(array('username' => 'user 3')));
+        $this->assertEquals(5, $userModel->create(array('username' => 'user 4')));
+        $this->assertEquals(6, $userModel->create(array('username' => 'user 5', 'name' => 'User #5')));
+        $this->assertEquals(7, $userModel->create(array('username' => 'user 6')));
+
+        $this->assertEquals(1, $groupModel->create('Group C'));
+        $this->assertEquals(2, $groupModel->create('Group B'));
+        $this->assertEquals(3, $groupModel->create('Group A'));
+
+        $this->assertTrue($groupMemberModel->addUser(1, 4));
+        $this->assertTrue($groupMemberModel->addUser(2, 5));
+        $this->assertTrue($groupMemberModel->addUser(3, 3));
+        $this->assertTrue($groupMemberModel->addUser(3, 2));
+
+        $this->assertTrue($groupRoleModel->addGroup(1, 1, Role::PROJECT_VIEWER));
+        $this->assertTrue($groupRoleModel->addGroup(2, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($groupRoleModel->addGroup(1, 3, Role::PROJECT_MANAGER));
+
+        $this->assertTrue($userRoleModel->addUser(1, 6, Role::PROJECT_MANAGER));
+        $this->assertTrue($userRoleModel->addUser(2, 6, Role::PROJECT_MEMBER));
+        $this->assertTrue($userRoleModel->addUser(2, 7, Role::PROJECT_MEMBER));
+
+        $projects = $userRoleModel->getProjectsByUser(2, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(3, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(4, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(5, array(Project::INACTIVE));
+        $this->assertCount(0, $projects);
+
+        $projects = $userRoleModel->getProjectsByUser(6, array(Project::INACTIVE));
+        $this->assertCount(1, $projects);
+        $this->assertEquals('Project 1', $projects[1]);
+
+        $projects = $userRoleModel->getProjectsByUser(7, array(Project::INACTIVE));
+        $this->assertCount(0, $projects);
+    }
+}
diff --git a/tests/units/Model/SubtaskTest.php b/tests/units/Model/SubtaskTest.php
index e446e104..9be2dff4 100644
--- a/tests/units/Model/SubtaskTest.php
+++ b/tests/units/Model/SubtaskTest.php
@@ -8,7 +8,7 @@ use Kanboard\Model\Subtask;
 use Kanboard\Model\Project;
 use Kanboard\Model\Category;
 use Kanboard\Model\User;
-use Kanboard\Model\UserSession;
+use Kanboard\Core\User\UserSession;
 
 class SubtaskTest extends Base
 {
diff --git a/tests/units/Model/TaskCreationTest.php b/tests/units/Model/TaskCreationTest.php
index 5de0a5cc..e35f1bc7 100644
--- a/tests/units/Model/TaskCreationTest.php
+++ b/tests/units/Model/TaskCreationTest.php
@@ -8,7 +8,6 @@ use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\TaskStatus;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
 
 class TaskCreationTest extends Base
 {
diff --git a/tests/units/Model/TaskDuplicationTest.php b/tests/units/Model/TaskDuplicationTest.php
index d65e8f28..798b3835 100644
--- a/tests/units/Model/TaskDuplicationTest.php
+++ b/tests/units/Model/TaskDuplicationTest.php
@@ -8,10 +8,11 @@ use Kanboard\Model\TaskDuplication;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\TaskStatus;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\Category;
 use Kanboard\Model\User;
 use Kanboard\Model\Swimlane;
+use Kanboard\Core\Security\Role;
 
 class TaskDuplicationTest extends Base
 {
@@ -127,7 +128,7 @@ class TaskDuplicationTest extends Base
         // Check the values of the duplicated task
         $task = $tf->getById(2);
         $this->assertNotEmpty($task);
-        $this->assertEquals(1, $task['owner_id']);
+        $this->assertEquals(0, $task['owner_id']);
         $this->assertEquals(0, $task['category_id']);
         $this->assertEquals(0, $task['swimlane_id']);
         $this->assertEquals(6, $task['column_id']);
@@ -333,7 +334,7 @@ class TaskDuplicationTest extends Base
         $tc = new TaskCreation($this->container);
         $tf = new TaskFinder($this->container);
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
 
         // We create 2 projects
         $this->assertEquals(1, $p->create(array('name' => 'test1')));
@@ -357,10 +358,8 @@ class TaskDuplicationTest extends Base
         // We create a new user for our project
         $user = new User($this->container);
         $this->assertNotFalse($user->create(array('username' => 'unittest#1', 'password' => 'unittest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(2, 2));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-        $this->assertTrue($pp->isUserAllowed(2, 2));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(2, 2, Role::PROJECT_MEMBER));
 
         // We duplicate our task to the 2nd project
         $this->assertEquals(3, $td->duplicateToProject(1, 2));
@@ -391,7 +390,7 @@ class TaskDuplicationTest extends Base
         $tc = new TaskCreation($this->container);
         $tf = new TaskFinder($this->container);
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pr = new ProjectUserRole($this->container);
 
         // We create 2 projects
         $this->assertEquals(1, $p->create(array('name' => 'test1')));
@@ -399,6 +398,7 @@ class TaskDuplicationTest extends Base
 
         // We create a task
         $this->assertEquals(1, $tc->create(array('title' => 'test', 'project_id' => 1, 'column_id' => 2, 'owner_id' => 2)));
+        $this->assertTrue($pr->addUser(2, 1, Role::PROJECT_MEMBER));
 
         // We duplicate our task to the 2nd project
         $this->assertEquals(2, $td->duplicateToProject(1, 2, null, null, null, 1));
@@ -425,7 +425,6 @@ class TaskDuplicationTest extends Base
         $tc = new TaskCreation($this->container);
         $tf = new TaskFinder($this->container);
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
         $user = new User($this->container);
 
         // We create 2 projects
@@ -446,7 +445,7 @@ class TaskDuplicationTest extends Base
         // Check the values of the moved task
         $task = $tf->getById(1);
         $this->assertNotEmpty($task);
-        $this->assertEquals(1, $task['owner_id']);
+        $this->assertEquals(0, $task['owner_id']);
         $this->assertEquals(0, $task['category_id']);
         $this->assertEquals(0, $task['swimlane_id']);
         $this->assertEquals(2, $task['project_id']);
@@ -496,7 +495,7 @@ class TaskDuplicationTest extends Base
         $tc = new TaskCreation($this->container);
         $tf = new TaskFinder($this->container);
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $user = new User($this->container);
 
         // We create 2 projects
@@ -505,10 +504,8 @@ class TaskDuplicationTest extends Base
 
         // We create a new user for our project
         $this->assertNotFalse($user->create(array('username' => 'unittest#1', 'password' => 'unittest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(2, 2));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-        $this->assertTrue($pp->isUserAllowed(2, 2));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(2, 2, Role::PROJECT_MEMBER));
 
         // We create a task
         $this->assertEquals(1, $tc->create(array('title' => 'test', 'project_id' => 1, 'column_id' => 2, 'owner_id' => 2)));
@@ -531,7 +528,7 @@ class TaskDuplicationTest extends Base
         $tc = new TaskCreation($this->container);
         $tf = new TaskFinder($this->container);
         $p = new Project($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
         $user = new User($this->container);
 
         // We create 2 projects
@@ -540,10 +537,8 @@ class TaskDuplicationTest extends Base
 
         // We create a new user for our project
         $this->assertNotFalse($user->create(array('username' => 'unittest#1', 'password' => 'unittest')));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(2, 2));
-        $this->assertTrue($pp->isUserAllowed(1, 2));
-        $this->assertTrue($pp->isUserAllowed(2, 2));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(2, 2, Role::PROJECT_MEMBER));
 
         // We create a task
         $this->assertEquals(1, $tc->create(array('title' => 'test', 'project_id' => 1, 'column_id' => 2, 'owner_id' => 3)));
diff --git a/tests/units/Model/TaskFinderTest.php b/tests/units/Model/TaskFinderTest.php
index e22f14e1..b21a4ea3 100644
--- a/tests/units/Model/TaskFinderTest.php
+++ b/tests/units/Model/TaskFinderTest.php
@@ -6,7 +6,6 @@ use Kanboard\Model\Task;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
 use Kanboard\Model\Category;
 use Kanboard\Model\User;
 
diff --git a/tests/units/Model/TaskModificationTest.php b/tests/units/Model/TaskModificationTest.php
index 49b51f9b..25a4952e 100644
--- a/tests/units/Model/TaskModificationTest.php
+++ b/tests/units/Model/TaskModificationTest.php
@@ -8,7 +8,6 @@ use Kanboard\Model\TaskModification;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\TaskStatus;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
 
 class TaskModificationTest extends Base
 {
diff --git a/tests/units/Model/TaskPermissionTest.php b/tests/units/Model/TaskPermissionTest.php
index 56886ee7..0b093bbb 100644
--- a/tests/units/Model/TaskPermissionTest.php
+++ b/tests/units/Model/TaskPermissionTest.php
@@ -9,7 +9,7 @@ use Kanboard\Model\TaskPermission;
 use Kanboard\Model\Project;
 use Kanboard\Model\Category;
 use Kanboard\Model\User;
-use Kanboard\Model\UserSession;
+use Kanboard\Core\User\UserSession;
 
 class TaskPermissionTest extends Base
 {
diff --git a/tests/units/Model/TaskStatusTest.php b/tests/units/Model/TaskStatusTest.php
index de08ffb3..612afd23 100644
--- a/tests/units/Model/TaskStatusTest.php
+++ b/tests/units/Model/TaskStatusTest.php
@@ -8,7 +8,6 @@ use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\TaskStatus;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
 
 class TaskStatusTest extends Base
 {
diff --git a/tests/units/Model/TaskTest.php b/tests/units/Model/TaskTest.php
index 192dc098..60e752e5 100644
--- a/tests/units/Model/TaskTest.php
+++ b/tests/units/Model/TaskTest.php
@@ -7,7 +7,6 @@ use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\TaskStatus;
 use Kanboard\Model\Project;
-use Kanboard\Model\ProjectPermission;
 use Kanboard\Model\Category;
 use Kanboard\Model\User;
 
diff --git a/tests/units/Model/UserLockingTest.php b/tests/units/Model/UserLockingTest.php
new file mode 100644
index 00000000..c743f8eb
--- /dev/null
+++ b/tests/units/Model/UserLockingTest.php
@@ -0,0 +1,43 @@
+<?php
+
+require_once __DIR__.'/../Base.php';
+
+use Kanboard\Model\UserLocking;
+
+class UserLockingTest extends Base
+{
+    public function testFailedLogin()
+    {
+        $u = new UserLocking($this->container);
+
+        $this->assertEquals(0, $u->getFailedLogin('admin'));
+        $this->assertEquals(0, $u->getFailedLogin('not_found'));
+
+        $this->assertTrue($u->incrementFailedLogin('admin'));
+        $this->assertTrue($u->incrementFailedLogin('admin'));
+
+        $this->assertEquals(2, $u->getFailedLogin('admin'));
+        $this->assertTrue($u->resetFailedLogin('admin'));
+        $this->assertEquals(0, $u->getFailedLogin('admin'));
+    }
+
+    public function testLocking()
+    {
+        $u = new UserLocking($this->container);
+
+        $this->assertFalse($u->isLocked('admin'));
+        $this->assertFalse($u->isLocked('not_found'));
+        $this->assertTrue($u->lock('admin', 1));
+        $this->assertTrue($u->isLocked('admin'));
+    }
+
+    public function testCaptcha()
+    {
+        $u = new UserLocking($this->container);
+        $this->assertTrue($u->incrementFailedLogin('admin'));
+        $this->assertFalse($u->hasCaptcha('admin', 2));
+
+        $this->assertTrue($u->incrementFailedLogin('admin'));
+        $this->assertTrue($u->hasCaptcha('admin', 2));
+    }
+}
diff --git a/tests/units/Model/UserNotificationTest.php b/tests/units/Model/UserNotificationTest.php
index 729667de..bf3b1b3f 100644
--- a/tests/units/Model/UserNotificationTest.php
+++ b/tests/units/Model/UserNotificationTest.php
@@ -9,12 +9,14 @@ use Kanboard\Model\Comment;
 use Kanboard\Model\User;
 use Kanboard\Model\File;
 use Kanboard\Model\Project;
-use Kanboard\Model\Task;
 use Kanboard\Model\ProjectPermission;
+use Kanboard\Model\Task;
+use Kanboard\Model\ProjectUserRole;
 use Kanboard\Model\UserNotification;
 use Kanboard\Model\UserNotificationFilter;
 use Kanboard\Model\UserNotificationType;
 use Kanboard\Subscriber\UserNotificationSubscriber;
+use Kanboard\Core\Security\Role;
 
 class UserNotificationTest extends Base
 {
@@ -23,11 +25,11 @@ class UserNotificationTest extends Base
         $u = new User($this->container);
         $p = new Project($this->container);
         $n = new UserNotification($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
 
         $this->assertEquals(1, $p->create(array('name' => 'UnitTest1')));
         $this->assertEquals(2, $u->create(array('username' => 'user1')));
-        $this->assertTrue($pp->addMember(1, 2));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
 
         $this->assertEmpty($n->getUsersWithNotificationEnabled(1));
         $n->enableNotification(2);
@@ -101,7 +103,7 @@ class UserNotificationTest extends Base
         $u = new User($this->container);
         $p = new Project($this->container);
         $n = new UserNotification($this->container);
-        $pp = new ProjectPermission($this->container);
+        $pp = new ProjectUserRole($this->container);
 
         $this->assertEquals(1, $p->create(array('name' => 'UnitTest1')));
 
@@ -118,16 +120,16 @@ class UserNotificationTest extends Base
         $this->assertNotFalse($u->create(array('username' => 'user4')));
 
         // Nobody is member of any projects
-        $this->assertEmpty($pp->getMembers(1));
+        $this->assertEmpty($pp->getUsers(1));
         $this->assertEmpty($n->getUsersWithNotificationEnabled(1));
 
         // We allow all users to be member of our projects
-        $this->assertTrue($pp->addMember(1, 1));
-        $this->assertTrue($pp->addMember(1, 2));
-        $this->assertTrue($pp->addMember(1, 3));
-        $this->assertTrue($pp->addMember(1, 4));
+        $this->assertTrue($pp->addUser(1, 1, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 2, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 3, Role::PROJECT_MEMBER));
+        $this->assertTrue($pp->addUser(1, 4, Role::PROJECT_MEMBER));
 
-        $this->assertNotEmpty($pp->getMembers(1));
+        $this->assertNotEmpty($pp->getUsers(1));
         $users = $n->getUsersWithNotificationEnabled(1);
 
         $this->assertNotEmpty($users);
diff --git a/tests/units/Model/UserSessionTest.php b/tests/units/Model/UserSessionTest.php
deleted file mode 100644
index ba1f8aac..00000000
--- a/tests/units/Model/UserSessionTest.php
+++ /dev/null
@@ -1,158 +0,0 @@
-<?php
-
-require_once __DIR__.'/../Base.php';
-
-use Kanboard\Model\UserSession;
-
-class UserSessionTest extends Base
-{
-    public function testInitialize()
-    {
-        $us = new UserSession($this->container);
-
-        $user = array(
-            'id' => '123',
-            'username' => 'john',
-            'password' => 'something',
-            'twofactor_secret' => 'something else',
-            'is_admin' => '1',
-            'is_project_admin' => '0',
-            'is_ldap_user' => '0',
-            'twofactor_activated' => '0',
-        );
-
-        $us->initialize($user);
-
-        $session = $this->container['sessionStorage']->getAll();
-
-        $this->assertNotEmpty($session);
-        $this->assertEquals(123, $session['user']['id']);
-        $this->assertEquals('john', $session['user']['username']);
-        $this->assertTrue($session['user']['is_admin']);
-        $this->assertFalse($session['user']['is_project_admin']);
-        $this->assertFalse($session['user']['is_ldap_user']);
-        $this->assertFalse($session['user']['twofactor_activated']);
-        $this->assertArrayNotHasKey('password', $session['user']);
-        $this->assertArrayNotHasKey('twofactor_secret', $session['user']);
-
-        $this->assertEquals('john', $us->getUsername());
-    }
-
-    public function testGetId()
-    {
-        $us = new UserSession($this->container);
-
-        $this->assertEquals(0, $us->getId());
-
-        $this->container['sessionStorage']->user = array('id' => 2);
-        $this->assertEquals(2, $us->getId());
-
-        $this->container['sessionStorage']->user = array('id' => '2');
-        $this->assertEquals(2, $us->getId());
-    }
-
-    public function testIsLogged()
-    {
-        $us = new UserSession($this->container);
-
-        $this->assertFalse($us->isLogged());
-
-        $this->container['sessionStorage']->user = array();
-        $this->assertFalse($us->isLogged());
-
-        $this->container['sessionStorage']->user = array('id' => 1);
-        $this->assertTrue($us->isLogged());
-    }
-
-    public function testIsAdmin()
-    {
-        $us = new UserSession($this->container);
-
-        $this->assertFalse($us->isAdmin());
-
-        $this->container['sessionStorage']->user = array('is_admin' => '1');
-        $this->assertFalse($us->isAdmin());
-
-        $this->container['sessionStorage']->user = array('is_admin' => '2');
-        $this->assertFalse($us->isAdmin());
-
-        $this->container['sessionStorage']->user = array('is_admin' => false);
-        $this->assertFalse($us->isAdmin());
-
-        $this->container['sessionStorage']->user = array('is_admin' => true);
-        $this->assertTrue($us->isAdmin());
-    }
-
-    public function testIsProjectAdmin()
-    {
-        $us = new UserSession($this->container);
-
-        $this->assertFalse($us->isProjectAdmin());
-
-        $this->container['sessionStorage']->user = array('is_project_admin' => false);
-        $this->assertFalse($us->isProjectAdmin());
-
-        $this->container['sessionStorage']->user = array('is_project_admin' => true);
-        $this->assertTrue($us->isProjectAdmin());
-    }
-
-    public function testCommentSorting()
-    {
-        $us = new UserSession($this->container);
-        $this->assertEquals('ASC', $us->getCommentSorting());
-
-        $us->setCommentSorting('DESC');
-        $this->assertEquals('DESC', $us->getCommentSorting());
-    }
-
-    public function testBoardCollapseMode()
-    {
-        $us = new UserSession($this->container);
-        $this->assertFalse($us->isBoardCollapsed(2));
-
-        $us->setBoardDisplayMode(3, false);
-        $this->assertFalse($us->isBoardCollapsed(3));
-
-        $us->setBoardDisplayMode(3, true);
-        $this->assertTrue($us->isBoardCollapsed(3));
-    }
-
-    public function testFilters()
-    {
-        $us = new UserSession($this->container);
-        $this->assertEquals('status:open', $us->getFilters(1));
-
-        $us->setFilters(1, 'assignee:me');
-        $this->assertEquals('assignee:me', $us->getFilters(1));
-
-        $this->assertEquals('status:open', $us->getFilters(2));
-
-        $us->setFilters(2, 'assignee:bob');
-        $this->assertEquals('assignee:bob', $us->getFilters(2));
-    }
-
-    public function test2FA()
-    {
-        $us = new UserSession($this->container);
-
-        $this->assertFalse($us->check2FA());
-
-        $this->container['sessionStorage']->postAuth = array('validated' => false);
-        $this->assertFalse($us->check2FA());
-
-        $this->container['sessionStorage']->postAuth = array('validated' => true);
-        $this->assertTrue($us->check2FA());
-
-        $this->container['sessionStorage']->user = array();
-        $this->assertFalse($us->has2FA());
-
-        $this->container['sessionStorage']->user = array('twofactor_activated' => false);
-        $this->assertFalse($us->has2FA());
-
-        $this->container['sessionStorage']->user = array('twofactor_activated' => true);
-        $this->assertTrue($us->has2FA());
-
-        $us->disable2FA();
-        $this->assertFalse($us->has2FA());
-    }
-}
diff --git a/tests/units/Model/UserTest.php b/tests/units/Model/UserTest.php
index 90a80954..1d381006 100644
--- a/tests/units/Model/UserTest.php
+++ b/tests/units/Model/UserTest.php
@@ -9,34 +9,10 @@ use Kanboard\Model\Task;
 use Kanboard\Model\TaskCreation;
 use Kanboard\Model\TaskFinder;
 use Kanboard\Model\Project;
+use Kanboard\Core\Security\Role;
 
 class UserTest extends Base
 {
-    public function testFailedLogin()
-    {
-        $u = new User($this->container);
-
-        $this->assertEquals(0, $u->getFailedLogin('admin'));
-        $this->assertEquals(0, $u->getFailedLogin('not_found'));
-
-        $this->assertTrue($u->incrementFailedLogin('admin'));
-        $this->assertTrue($u->incrementFailedLogin('admin'));
-
-        $this->assertEquals(2, $u->getFailedLogin('admin'));
-        $this->assertTrue($u->resetFailedLogin('admin'));
-        $this->assertEquals(0, $u->getFailedLogin('admin'));
-    }
-
-    public function testLocking()
-    {
-        $u = new User($this->container);
-
-        $this->assertFalse($u->isLocked('admin'));
-        $this->assertFalse($u->isLocked('not_found'));
-        $this->assertTrue($u->lock('admin', 1));
-        $this->assertTrue($u->isLocked('admin'));
-    }
-
     public function testGetByEmail()
     {
         $u = new User($this->container);
@@ -47,33 +23,27 @@ class UserTest extends Base
         $this->assertEmpty($u->getByEmail(''));
     }
 
-    public function testGetByGitlabId()
+    public function testGetByExternalId()
     {
         $u = new User($this->container);
         $this->assertNotFalse($u->create(array('username' => 'user1', 'password' => '123456', 'gitlab_id' => '1234')));
 
-        $this->assertNotEmpty($u->getByGitlabId('1234'));
-        $this->assertEmpty($u->getByGitlabId(''));
-    }
+        $this->assertNotEmpty($u->getByExternalId('gitlab_id', '1234'));
+        $this->assertEmpty($u->getByExternalId('gitlab_id', ''));
 
-    public function testGetByGithubId()
-    {
         $u = new User($this->container);
-        $this->assertNotFalse($u->create(array('username' => 'user1', 'password' => '123456', 'github_id' => 'plop')));
-        $this->assertNotFalse($u->create(array('username' => 'user2', 'password' => '123456', 'github_id' => '')));
+        $this->assertNotFalse($u->create(array('username' => 'user2', 'password' => '123456', 'github_id' => 'plop')));
+        $this->assertNotFalse($u->create(array('username' => 'user3', 'password' => '123456', 'github_id' => '')));
 
-        $this->assertNotEmpty($u->getByGithubId('plop'));
-        $this->assertEmpty($u->getByGithubId(''));
-    }
+        $this->assertNotEmpty($u->getByExternalId('github_id', 'plop'));
+        $this->assertEmpty($u->getByExternalId('github_id', ''));
 
-    public function testGetByGoogleId()
-    {
         $u = new User($this->container);
-        $this->assertNotFalse($u->create(array('username' => 'user1', 'password' => '123456', 'google_id' => '1234')));
-        $this->assertNotFalse($u->create(array('username' => 'user2', 'password' => '123456', 'google_id' => '')));
+        $this->assertNotFalse($u->create(array('username' => 'user4', 'password' => '123456', 'google_id' => '1234')));
+        $this->assertNotFalse($u->create(array('username' => 'user5', 'password' => '123456', 'google_id' => '')));
 
-        $this->assertNotEmpty($u->getByGoogleId('1234'));
-        $this->assertEmpty($u->getByGoogleId(''));
+        $this->assertNotEmpty($u->getByExternalId('google_id', '1234'));
+        $this->assertEmpty($u->getByExternalId('google_id', ''));
     }
 
     public function testGetByToken()
@@ -197,7 +167,7 @@ class UserTest extends Base
             'password' => '1234',
             'confirmation' => '1234',
             'name' => 'me',
-            'is_admin' => '',
+            'role' => Role::APP_ADMIN,
         );
 
         $u->prepare($input);
@@ -207,9 +177,6 @@ class UserTest extends Base
         $this->assertNotEquals('1234', $input['password']);
         $this->assertNotEmpty($input['password']);
 
-        $this->assertArrayHasKey('is_admin', $input);
-        $this->assertInternalType('integer', $input['is_admin']);
-
         $input = array(
             'username' => 'user1',
             'password' => '1234',
@@ -273,8 +240,8 @@ class UserTest extends Base
         $u = new User($this->container);
         $this->assertEquals(2, $u->create(array('username' => 'user #1', 'password' => '123456', 'name' => 'User')));
         $this->assertEquals(3, $u->create(array('username' => 'user #2', 'is_ldap_user' => 1)));
-        $this->assertEquals(4, $u->create(array('username' => 'user #3', 'is_project_admin' => 1)));
-        $this->assertEquals(5, $u->create(array('username' => 'user #4', 'gitlab_id' => '')));
+        $this->assertEquals(4, $u->create(array('username' => 'user #3', 'role' => Role::APP_MANAGER)));
+        $this->assertEquals(5, $u->create(array('username' => 'user #4', 'gitlab_id' => '', 'role' => Role::APP_ADMIN)));
         $this->assertEquals(6, $u->create(array('username' => 'user #5', 'gitlab_id' => '1234')));
         $this->assertFalse($u->create(array('username' => 'user #1')));
 
@@ -283,7 +250,7 @@ class UserTest extends Base
         $this->assertTrue(is_array($user));
         $this->assertEquals('admin', $user['username']);
         $this->assertEquals('', $user['name']);
-        $this->assertEquals(1, $user['is_admin']);
+        $this->assertEquals(Role::APP_ADMIN, $user['role']);
         $this->assertEquals(0, $user['is_ldap_user']);
 
         $user = $u->getById(2);
@@ -291,7 +258,7 @@ class UserTest extends Base
         $this->assertTrue(is_array($user));
         $this->assertEquals('user #1', $user['username']);
         $this->assertEquals('User', $user['name']);
-        $this->assertEquals(0, $user['is_admin']);
+        $this->assertEquals(Role::APP_USER, $user['role']);
         $this->assertEquals(0, $user['is_ldap_user']);
 
         $user = $u->getById(3);
@@ -299,27 +266,28 @@ class UserTest extends Base
         $this->assertTrue(is_array($user));
         $this->assertEquals('user #2', $user['username']);
         $this->assertEquals('', $user['name']);
-        $this->assertEquals(0, $user['is_admin']);
+        $this->assertEquals(Role::APP_USER, $user['role']);
         $this->assertEquals(1, $user['is_ldap_user']);
 
         $user = $u->getById(4);
         $this->assertNotFalse($user);
         $this->assertTrue(is_array($user));
         $this->assertEquals('user #3', $user['username']);
-        $this->assertEquals(0, $user['is_admin']);
-        $this->assertEquals(1, $user['is_project_admin']);
+        $this->assertEquals(Role::APP_MANAGER, $user['role']);
 
         $user = $u->getById(5);
         $this->assertNotFalse($user);
         $this->assertTrue(is_array($user));
         $this->assertEquals('user #4', $user['username']);
         $this->assertEquals('', $user['gitlab_id']);
+        $this->assertEquals(Role::APP_ADMIN, $user['role']);
 
         $user = $u->getById(6);
         $this->assertNotFalse($user);
         $this->assertTrue(is_array($user));
         $this->assertEquals('user #5', $user['username']);
         $this->assertEquals('1234', $user['gitlab_id']);
+        $this->assertEquals(Role::APP_USER, $user['role']);
     }
 
     public function testUpdate()
@@ -336,7 +304,7 @@ class UserTest extends Base
         $this->assertTrue(is_array($user));
         $this->assertEquals('biloute', $user['username']);
         $this->assertEquals('Toto', $user['name']);
-        $this->assertEquals(0, $user['is_admin']);
+        $this->assertEquals(Role::APP_USER, $user['role']);
         $this->assertEquals(0, $user['is_ldap_user']);
 
         $user = $u->getById(3);
@@ -423,4 +391,36 @@ class UserTest extends Base
         $this->assertEquals('toto', $user['username']);
         $this->assertEmpty($user['token']);
     }
+
+    public function testValidatePasswordModification()
+    {
+        $u = new User($this->container);
+
+        $this->container['sessionStorage']->user = array(
+            'id' => 1,
+            'role' => Role::APP_ADMIN,
+            'username' => 'admin',
+        );
+
+        $result = $u->validatePasswordModification(array());
+        $this->assertFalse($result[0]);
+
+        $result = $u->validatePasswordModification(array('id' => 1));
+        $this->assertFalse($result[0]);
+
+        $result = $u->validatePasswordModification(array('id' => 1, 'password' => '123456'));
+        $this->assertFalse($result[0]);
+
+        $result = $u->validatePasswordModification(array('id' => 1, 'password' => '123456', 'confirmation' => 'wrong'));
+        $this->assertFalse($result[0]);
+
+        $result = $u->validatePasswordModification(array('id' => 1, 'password' => '123456', 'confirmation' => '123456'));
+        $this->assertFalse($result[0]);
+
+        $result = $u->validatePasswordModification(array('id' => 1, 'password' => '123456', 'confirmation' => '123456', 'current_password' => 'wrong'));
+        $this->assertFalse($result[0]);
+
+        $result = $u->validatePasswordModification(array('id' => 1, 'password' => '123456', 'confirmation' => '123456', 'current_password' => 'admin'));
+        $this->assertTrue($result[0]);
+    }
 }
diff --git a/tests/units/Notification/MailTest.php b/tests/units/Notification/MailTest.php
index 3aa1a39c..8f343ba3 100644
--- a/tests/units/Notification/MailTest.php
+++ b/tests/units/Notification/MailTest.php
@@ -10,7 +10,6 @@ use Kanboard\Model\User;
 use Kanboard\Model\File;
 use Kanboard\Model\Project;
 use Kanboard\Model\Task;
-use Kanboard\Model\ProjectPermission;
 use Kanboard\Notification\Mail;
 use Kanboard\Subscriber\NotificationSubscriber;
 
diff --git a/tests/units/User/DatabaseUserProviderTest.php b/tests/units/User/DatabaseUserProviderTest.php
new file mode 100644
index 00000000..96c03667
--- /dev/null
+++ b/tests/units/User/DatabaseUserProviderTest.php
@@ -0,0 +1,14 @@
+<?php
+
+require_once __DIR__.'/../Base.php';
+
+use Kanboard\User\DatabaseUserProvider;
+
+class DatabaseUserProviderTest extends Base
+{
+    public function testGetInternalId()
+    {
+        $provider = new DatabaseUserProvider(array('id' => 123));
+        $this->assertEquals(123, $provider->getInternalId());
+    }
+}
-- 
cgit v1.2.3