From 883c8f22893ef95d81eaadca4128525569553112 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Fri, 20 Jan 2023 23:45:29 +1100
Subject: [PATCH] Tests for refactors of API permissions

---
 app/Http/Controllers/BaseController.php | 18 ++-
 tests/Feature/BaseApiTest.php | 178 ++++++++++++++++++++++++
 2 files changed, 193 insertions(+), 3 deletions(-)
 create mode 100644 tests/Feature/BaseApiTest.php

diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index 3403d0e2128c..5925ae8b3078 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -12,9 +12,20 @@
 namespace App\Http\Controllers;
 
 use App\Models\Account;
+use App\Models\BankIntegration;
 use App\Models\BankTransaction;
+use App\Models\BankTransactionRule;
+use App\Models\ClientGatewayToken;
 use App\Models\Company;
+use App\Models\CompanyGateway;
+use App\Models\Design;
+use App\Models\ExpenseCategory;
+use App\Models\GroupSetting;
+use App\Models\PaymentTerm;
+use App\Models\Scheduler;
+use App\Models\TaxRate;
 use App\Models\User;
+use App\Models\Webhook;
 use App\Transformers\ArraySerializer;
 use App\Transformers\EntityTransformer;
 use App\Utils\Ninja;
@@ -858,12 +869,13 @@ class BaseController extends Controller
             // 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
             if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
                 //06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
-                if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user')
+                if(in_array($this->entity_type, [User::class])){
                     $query->where('id', auth()->user()->id);
-                elseif($this->entity_type == BankTransaction::class){ //table without assigned_user_id
+                }
+                elseif(in_array($this->entity_type, [BankTransactionRule::class,CompanyGateway::class, TaxRate::class, BankIntegration::class, Scheduler::class, BankTransaction::class, Webhook::class, ExpenseCategory::class])){ //table without assigned_user_id
                     $query->where('user_id', '=', auth()->user()->id);
                 }
-                elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){
+                elseif(in_array($this->entity_type,[ ClientGatewayToken::class,Design::class,GroupSetting::class,PaymentTerm::class])){
                     //need to pass these back regardless
                     nlog($this->entity_type);
                 }
diff --git a/tests/Feature/BaseApiTest.php b/tests/Feature/BaseApiTest.php
new file mode 100644
index 000000000000..725d444c02c1
--- /dev/null
+++ b/tests/Feature/BaseApiTest.php
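Review bot: The three `in_array` calls on the new `if`/`elseif` lines compare fully-qualified class strings without `strict: true`, so they rely on loose comparison; `if (in_array($this->entity_type, [User::class], true)) {` (and the same third argument on the two `elseif` lists) pins the intent and matches the usual idiom. The last branch also adds `ClientGatewayToken::class` to the set of entities returned unfiltered to a user who lacks the `view_*` permission — unlike `Design`, `GroupSetting` and `PaymentTerm` it appears to reference per-client payment gateway records, so if that widening is intentional the `//need to pass these back regardless` comment should say why, and the `nlog($this->entity_type)` in that branch reads as leftover debug logging. The hard-coded class lists could be lifted into named private constants on the controller so the low-permission scoping policy is readable in one place. The enclosing method and its fall-through `else` branch continue outside the hunk.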
@@ -0,0 +1,178 @@
+makeTestData();
+
+        $this->withoutMiddleware(
+            ThrottleRequests::class
+        );
+
+        $lower_permission_user = User::factory()->create([
+            'account_id' => $this->account->id,
+            'confirmation_code' => $this->createDbHash(config('database.default')),
+            'email' => $this->faker->safeEmail(),
+        ]);
+
+        $this->low_cu = CompanyUserFactory::create($lower_permission_user->id, $this->company->id, $this->account->id);
+        $this->low_cu->is_owner = false;
+        $this->low_cu->is_admin = false;
+        $this->low_cu->is_locked = false;
+        $this->low_cu->permissions = '["view_task"]';
+        $this->low_cu->save();
+
+        $this->low_token = \Illuminate\Support\Str::random(64);
+
+        $company_token = new CompanyToken;
+        $company_token->user_id = $lower_permission_user->id;
+        $company_token->company_id = $this->company->id;
+        $company_token->account_id = $this->account->id;
+        $company_token->name = 'test token';
+        $company_token->token = $this->low_token;
+        $company_token->is_system = true;
+        $company_token->save();
+
+    }
+
+    // public function testGeneratingClassName()
+    // {
+
+    //     $this->assertEquals('user', Str::snake(User::class));
+
+    //     $this->assertEquals('user',lcfirst(class_basename(Str::snake(User::class))));
+
+
+    // }
+
+    public function testRestrictedRoute()
+    {
+        // $permissions = ["view_invoice","view_client","edit_client","edit_invoice","create_invoice","create_client"];
+
+        // $response = $this->withHeaders([
+        //     'X-API-SECRET' => config('ninja.api_secret'),
+        //     'X-API-TOKEN' => $this->token,
+        // ])->get('/api/v1/clients/')
+        //   ->assertStatus(200)
+        //   ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
+
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->token,
+        ])->get('/api/v1/tasks/')
+          ->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->token,
+        ])->get('/api/v1/group_settings/')
+          ->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',2)->etc());
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->token,
+        ])->get('/api/v1/designs/')
+          ->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',11)->etc());
+
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->low_token,
+        ])->get('/api/v1/users/');
+
+
+        $response->assertStatus(200)
+          ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
+
+
+        collect($this->list_routes)->filter(function ($route){
+            return !in_array($route, ['tasks','users','group_settings','designs']);
+        })->each(function($route){
+            nlog($route);
+            $response = $this->withHeaders([
+                'X-API-SECRET' => config('ninja.api_secret'),
+                'X-API-TOKEN' => $this->low_token,
+            ])->get("/api/v1/{$route}/")
+              ->assertJson(fn (AssertableJson $json) =>
+                $json->has('meta')
+                    ->has('data',0)
+              );
+
+        });
+
+        $response = $this->withHeaders([
+            'X-API-SECRET' => config('ninja.api_secret'),
+            'X-API-TOKEN' => $this->low_token,
+        ])->get('/api/v1/companies/'.$this->company->hashed_id)
+          ->assertStatus(401);
+
+
+
+    }
+}
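Review bot: The requests to `/api/v1/tasks/`, `/api/v1/group_settings/` and `/api/v1/designs/` in `testRestrictedRoute` are sent with `$this->token` rather than `$this->low_token`, so they exercise the full-permission user and never check that a user holding only `view_task` can list tasks or receives the pass-through entities the controller change targets — the test would pass even if that permission were ignored; switching those three requests to `'X-API-TOKEN' => $this->low_token,` covers the intended path. The per-route loop asserts only on the JSON body and not on the status code; adding `->assertStatus(200)` before the `->assertJson(` call there makes the expectation explicit, and `nlog($route)` reads as leftover debug output. The start of this hunk is not visible in the excerpt (the class header and the `setUp()` signature before `makeTestData();` are missing), and `$this->list_routes` and `$this->token` are presumably provided by `makeTestData()` — worth confirming.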