Tests for refactors of API permissions

2025-07-09 03:14:30 -04:00 · 2023-01-20 23:45:29 +11:00 · 2023-01-20 23:45:29 +11:00 · 883c8f2289
commit 883c8f2289
parent 0d11fc174a
2 changed files with 193 additions and 3 deletions
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@ -12,9 +12,20 @@
 namespace App\Http\Controllers;

 use App\Models\Account;
+use App\Models\BankIntegration;
 use App\Models\BankTransaction;
+use App\Models\BankTransactionRule;
+use App\Models\ClientGatewayToken;
 use App\Models\Company;
+use App\Models\CompanyGateway;
+use App\Models\Design;
+use App\Models\ExpenseCategory;
+use App\Models\GroupSetting;
+use App\Models\PaymentTerm;
+use App\Models\Scheduler;
+use App\Models\TaxRate;
 use App\Models\User;
+use App\Models\Webhook;
 use App\Transformers\ArraySerializer;
 use App\Transformers\EntityTransformer;
 use App\Utils\Ninja;
@ -858,12 +869,13 @@ class BaseController extends Controller
        // 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
        if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
            //06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
-            if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user')
+            if(in_array($this->entity_type, [User::class])){
                $query->where('id', auth()->user()->id);
-            elseif($this->entity_type == BankTransaction::class){ //table without assigned_user_id
+            }
+            elseif(in_array($this->entity_type, [BankTransactionRule::class,CompanyGateway::class, TaxRate::class, BankIntegration::class, Scheduler::class, BankTransaction::class, Webhook::class, ExpenseCategory::class])){ //table without assigned_user_id
                $query->where('user_id', '=', auth()->user()->id);
            }
-            elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){
+            elseif(in_array($this->entity_type,[ ClientGatewayToken::class,Design::class,GroupSetting::class,PaymentTerm::class])){
                //need to pass these back regardless 
                nlog($this->entity_type);
            }
--- a/tests/Feature/BaseApiTest.php
+++ b/tests/Feature/BaseApiTest.php
@ -0,0 +1,178 @@
+<?php
+/**
+ * Invoice Ninja (https://invoiceninja.com).
+ *
+ * @link https://github.com/invoiceninja/invoiceninja source repository
+ *
+ * @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
+ *
+ * @license https://www.elastic.co/licensing/elastic-license
+ */
+
+namespace Tests\Feature;
+
+use App\Factory\CompanyUserFactory;
+use App\Models\CompanyToken;
+use App\Models\CompanyUser;
+use App\Models\User;
+use Illuminate\Routing\Middleware\ThrottleRequests;
+use Illuminate\Support\Str;
+use Illuminate\Testing\Fluent\AssertableJson;
+use Tests\MockAccountData;
+use Tests\TestCase;
+
+/**
+ * @test
+ * @covers App\Http\Controllers\BaseController
+ */
+class BaseApiTest extends TestCase
+{
+    use MockAccountData;
+
+    private $list_routes = [
+        'products',
+        'clients',
+        'invoices',
+        'recurring_invoices',
+        'payments',
+        'quotes',
+        'credits',
+        'projects',
+        'tasks',
+        'vendors',
+        'purchase_orders',
+        'expenses',
+        'recurring_expenses',
+        'task_schedulers',
+        'bank_integrations',
+        'bank_transactions',
+        'tax_rates',
+        'users',
+        'payment_terms',
+        'purchase_orders',
+        'subscriptions',
+        'webhooks',
+        'group_settings',
+        'designs',
+        'expense_categories',
+        'documents',
+        'company_gateways',
+        'client_gateway_tokens',
+        'bank_transaction_rules',
+    ];
+
+    protected function setUp() :void
+    {
+        parent::setUp();
+
+        $this->makeTestData();
+
+        $this->withoutMiddleware(
+            ThrottleRequests::class
+        );
+
+        $lower_permission_user = User::factory()->create([
+            'account_id' => $this->account->id,
+            'confirmation_code' => $this->createDbHash(config('database.default')),
+            'email' =>  $this->faker->safeEmail(),
+        ]);
+
+        $this->low_cu = CompanyUserFactory::create($lower_permission_user->id, $this->company->id, $this->account->id);
+        $this->low_cu->is_owner = false;
+        $this->low_cu->is_admin = false;
+        $this->low_cu->is_locked = false;
+        $this->low_cu->permissions = '["view_task"]';
+        $this->low_cu->save();
+
+        $this->low_token = \Illuminate\Support\Str::random(64);
+
+        $company_token = new CompanyToken;
+        $company_token->user_id = $lower_permission_user->id;
+        $company_token->company_id = $this->company->id;
+        $company_token->account_id = $this->account->id;
+        $company_token->name = 'test token';
+        $company_token->token = $this->low_token;
+        $company_token->is_system = true;
+        $company_token->save();
+
+    }
+
+    // public function testGeneratingClassName()
+    // {
+
+        // $this->assertEquals('user', Str::snake(User::class));
+
+        // $this->assertEquals('user',lcfirst(class_basename(Str::snake(User::class))));
+
+
+    // }
+
+    public function testRestrictedRoute()
+    {
+        // $permissions = ["view_invoice","view_client","edit_client","edit_invoice","create_invoice","create_client"];
+       
+        // $response = $this->withHeaders([
+        //     'X-API-SECRET' => config('ninja.api_secret'),
+        //     'X-API-TOKEN' => $this->token,
+        // ])->get('/api/v1/clients/')
+        //   ->assertStatus(200)
+        //   ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
+
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->token,
+        ])->get('/api/v1/tasks/')
+          ->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->token,
+        ])->get('/api/v1/group_settings/')
+          ->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',2)->etc());
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->token,
+        ])->get('/api/v1/designs/')
+          ->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',11)->etc());
+
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->low_token,
+        ])->get('/api/v1/users/');
+
+
+          $response->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
+
+
+        collect($this->list_routes)->filter(function ($route){
+            return !in_array($route, ['tasks','users','group_settings','designs']);
+        })->each(function($route){
+            nlog($route);
+            $response = $this->withHeaders([
+                'X-API-SECRET' => config('ninja.api_secret'),
+                'X-API-TOKEN' => $this->low_token,
+            ])->get("/api/v1/{$route}/")
+              ->assertJson(fn (AssertableJson $json) =>
+                $json->has('meta')
+                 ->has('data',0)
+                );
+
+        });
+
+       $response = $this->withHeaders([
+                'X-API-SECRET' => config('ninja.api_secret'),
+                'X-API-TOKEN' => $this->low_token,
+            ])->get('/api/v1/companies/'.$this->company->hashed_id)
+              ->assertStatus(401);
+
+           
+
+    }
+}