mirror of
https://github.com/invoiceninja/invoiceninja.git
synced 2025-07-09 03:14:30 -04:00
Tests for refactors of API permissions
This commit is contained in:
parent
0d11fc174a
commit
883c8f2289
@ -12,9 +12,20 @@
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Models\Account;
|
||||
use App\Models\BankIntegration;
|
||||
use App\Models\BankTransaction;
|
||||
use App\Models\BankTransactionRule;
|
||||
use App\Models\ClientGatewayToken;
|
||||
use App\Models\Company;
|
||||
use App\Models\CompanyGateway;
|
||||
use App\Models\Design;
|
||||
use App\Models\ExpenseCategory;
|
||||
use App\Models\GroupSetting;
|
||||
use App\Models\PaymentTerm;
|
||||
use App\Models\Scheduler;
|
||||
use App\Models\TaxRate;
|
||||
use App\Models\User;
|
||||
use App\Models\Webhook;
|
||||
use App\Transformers\ArraySerializer;
|
||||
use App\Transformers\EntityTransformer;
|
||||
use App\Utils\Ninja;
|
||||
@ -858,12 +869,13 @@ class BaseController extends Controller
|
||||
// 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
|
||||
if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
|
||||
//06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
|
||||
if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user')
|
||||
if(in_array($this->entity_type, [User::class])){
|
||||
$query->where('id', auth()->user()->id);
|
||||
elseif($this->entity_type == BankTransaction::class){ //table without assigned_user_id
|
||||
}
|
||||
elseif(in_array($this->entity_type, [BankTransactionRule::class,CompanyGateway::class, TaxRate::class, BankIntegration::class, Scheduler::class, BankTransaction::class, Webhook::class, ExpenseCategory::class])){ //table without assigned_user_id
|
||||
$query->where('user_id', '=', auth()->user()->id);
|
||||
}
|
||||
elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){
|
||||
elseif(in_array($this->entity_type,[ ClientGatewayToken::class,Design::class,GroupSetting::class,PaymentTerm::class])){
|
||||
//need to pass these back regardless
|
||||
nlog($this->entity_type);
|
||||
}
|
||||
|
178
tests/Feature/BaseApiTest.php
Normal file
178
tests/Feature/BaseApiTest.php
Normal file
@ -0,0 +1,178 @@
|
||||
<?php
|
||||
/**
|
||||
* Invoice Ninja (https://invoiceninja.com).
|
||||
*
|
||||
* @link https://github.com/invoiceninja/invoiceninja source repository
|
||||
*
|
||||
* @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
|
||||
*
|
||||
* @license https://www.elastic.co/licensing/elastic-license
|
||||
*/
|
||||
|
||||
namespace Tests\Feature;
|
||||
|
||||
use App\Factory\CompanyUserFactory;
|
||||
use App\Models\CompanyToken;
|
||||
use App\Models\CompanyUser;
|
||||
use App\Models\User;
|
||||
use Illuminate\Routing\Middleware\ThrottleRequests;
|
||||
use Illuminate\Support\Str;
|
||||
use Illuminate\Testing\Fluent\AssertableJson;
|
||||
use Tests\MockAccountData;
|
||||
use Tests\TestCase;
|
||||
|
||||
/**
|
||||
* @test
|
||||
* @covers App\Http\Controllers\BaseController
|
||||
*/
|
||||
class BaseApiTest extends TestCase
|
||||
{
|
||||
use MockAccountData;
|
||||
|
||||
private $list_routes = [
|
||||
'products',
|
||||
'clients',
|
||||
'invoices',
|
||||
'recurring_invoices',
|
||||
'payments',
|
||||
'quotes',
|
||||
'credits',
|
||||
'projects',
|
||||
'tasks',
|
||||
'vendors',
|
||||
'purchase_orders',
|
||||
'expenses',
|
||||
'recurring_expenses',
|
||||
'task_schedulers',
|
||||
'bank_integrations',
|
||||
'bank_transactions',
|
||||
'tax_rates',
|
||||
'users',
|
||||
'payment_terms',
|
||||
'purchase_orders',
|
||||
'subscriptions',
|
||||
'webhooks',
|
||||
'group_settings',
|
||||
'designs',
|
||||
'expense_categories',
|
||||
'documents',
|
||||
'company_gateways',
|
||||
'client_gateway_tokens',
|
||||
'bank_transaction_rules',
|
||||
];
|
||||
|
||||
protected function setUp() :void
|
||||
{
|
||||
parent::setUp();
|
||||
|
||||
$this->makeTestData();
|
||||
|
||||
$this->withoutMiddleware(
|
||||
ThrottleRequests::class
|
||||
);
|
||||
|
||||
$lower_permission_user = User::factory()->create([
|
||||
'account_id' => $this->account->id,
|
||||
'confirmation_code' => $this->createDbHash(config('database.default')),
|
||||
'email' => $this->faker->safeEmail(),
|
||||
]);
|
||||
|
||||
$this->low_cu = CompanyUserFactory::create($lower_permission_user->id, $this->company->id, $this->account->id);
|
||||
$this->low_cu->is_owner = false;
|
||||
$this->low_cu->is_admin = false;
|
||||
$this->low_cu->is_locked = false;
|
||||
$this->low_cu->permissions = '["view_task"]';
|
||||
$this->low_cu->save();
|
||||
|
||||
$this->low_token = \Illuminate\Support\Str::random(64);
|
||||
|
||||
$company_token = new CompanyToken;
|
||||
$company_token->user_id = $lower_permission_user->id;
|
||||
$company_token->company_id = $this->company->id;
|
||||
$company_token->account_id = $this->account->id;
|
||||
$company_token->name = 'test token';
|
||||
$company_token->token = $this->low_token;
|
||||
$company_token->is_system = true;
|
||||
$company_token->save();
|
||||
|
||||
}
|
||||
|
||||
// public function testGeneratingClassName()
|
||||
// {
|
||||
|
||||
// $this->assertEquals('user', Str::snake(User::class));
|
||||
|
||||
// $this->assertEquals('user',lcfirst(class_basename(Str::snake(User::class))));
|
||||
|
||||
|
||||
// }
|
||||
|
||||
public function testRestrictedRoute()
|
||||
{
|
||||
// $permissions = ["view_invoice","view_client","edit_client","edit_invoice","create_invoice","create_client"];
|
||||
|
||||
// $response = $this->withHeaders([
|
||||
// 'X-API-SECRET' => config('ninja.api_secret'),
|
||||
// 'X-API-TOKEN' => $this->token,
|
||||
// ])->get('/api/v1/clients/')
|
||||
// ->assertStatus(200)
|
||||
// ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
|
||||
|
||||
|
||||
$response = $this->withHeaders([
|
||||
'X-API-SECRET' => config('ninja.api_secret'),
|
||||
'X-API-TOKEN' => $this->token,
|
||||
])->get('/api/v1/tasks/')
|
||||
->assertStatus(200)
|
||||
->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
|
||||
|
||||
$response = $this->withHeaders([
|
||||
'X-API-SECRET' => config('ninja.api_secret'),
|
||||
'X-API-TOKEN' => $this->token,
|
||||
])->get('/api/v1/group_settings/')
|
||||
->assertStatus(200)
|
||||
->assertJson(fn (AssertableJson $json) => $json->has('data',2)->etc());
|
||||
|
||||
$response = $this->withHeaders([
|
||||
'X-API-SECRET' => config('ninja.api_secret'),
|
||||
'X-API-TOKEN' => $this->token,
|
||||
])->get('/api/v1/designs/')
|
||||
->assertStatus(200)
|
||||
->assertJson(fn (AssertableJson $json) => $json->has('data',11)->etc());
|
||||
|
||||
|
||||
$response = $this->withHeaders([
|
||||
'X-API-SECRET' => config('ninja.api_secret'),
|
||||
'X-API-TOKEN' => $this->low_token,
|
||||
])->get('/api/v1/users/');
|
||||
|
||||
|
||||
$response->assertStatus(200)
|
||||
->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
|
||||
|
||||
|
||||
collect($this->list_routes)->filter(function ($route){
|
||||
return !in_array($route, ['tasks','users','group_settings','designs']);
|
||||
})->each(function($route){
|
||||
nlog($route);
|
||||
$response = $this->withHeaders([
|
||||
'X-API-SECRET' => config('ninja.api_secret'),
|
||||
'X-API-TOKEN' => $this->low_token,
|
||||
])->get("/api/v1/{$route}/")
|
||||
->assertJson(fn (AssertableJson $json) =>
|
||||
$json->has('meta')
|
||||
->has('data',0)
|
||||
);
|
||||
|
||||
});
|
||||
|
||||
$response = $this->withHeaders([
|
||||
'X-API-SECRET' => config('ninja.api_secret'),
|
||||
'X-API-TOKEN' => $this->low_token,
|
||||
])->get('/api/v1/companies/'.$this->company->hashed_id)
|
||||
->assertStatus(401);
|
||||
|
||||
|
||||
|
||||
}
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user