mirror of
https://github.com/invoiceninja/invoiceninja.git
synced 2025-07-09 03:14:30 -04:00
Tests for refactors of API permissions
This commit is contained in:
parent
0d11fc174a
commit
883c8f2289
@ -12,9 +12,20 @@
|
|||||||
namespace App\Http\Controllers;
|
namespace App\Http\Controllers;
|
||||||
|
|
||||||
use App\Models\Account;
|
use App\Models\Account;
|
||||||
|
use App\Models\BankIntegration;
|
||||||
use App\Models\BankTransaction;
|
use App\Models\BankTransaction;
|
||||||
|
use App\Models\BankTransactionRule;
|
||||||
|
use App\Models\ClientGatewayToken;
|
||||||
use App\Models\Company;
|
use App\Models\Company;
|
||||||
|
use App\Models\CompanyGateway;
|
||||||
|
use App\Models\Design;
|
||||||
|
use App\Models\ExpenseCategory;
|
||||||
|
use App\Models\GroupSetting;
|
||||||
|
use App\Models\PaymentTerm;
|
||||||
|
use App\Models\Scheduler;
|
||||||
|
use App\Models\TaxRate;
|
||||||
use App\Models\User;
|
use App\Models\User;
|
||||||
|
use App\Models\Webhook;
|
||||||
use App\Transformers\ArraySerializer;
|
use App\Transformers\ArraySerializer;
|
||||||
use App\Transformers\EntityTransformer;
|
use App\Transformers\EntityTransformer;
|
||||||
use App\Utils\Ninja;
|
use App\Utils\Ninja;
|
||||||
@ -858,12 +869,13 @@ class BaseController extends Controller
|
|||||||
// 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
|
// 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
|
||||||
if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
|
if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
|
||||||
//06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
|
//06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
|
||||||
if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user')
|
if(in_array($this->entity_type, [User::class])){
|
||||||
$query->where('id', auth()->user()->id);
|
$query->where('id', auth()->user()->id);
|
||||||
elseif($this->entity_type == BankTransaction::class){ //table without assigned_user_id
|
}
|
||||||
|
elseif(in_array($this->entity_type, [BankTransactionRule::class,CompanyGateway::class, TaxRate::class, BankIntegration::class, Scheduler::class, BankTransaction::class, Webhook::class, ExpenseCategory::class])){ //table without assigned_user_id
|
||||||
$query->where('user_id', '=', auth()->user()->id);
|
$query->where('user_id', '=', auth()->user()->id);
|
||||||
}
|
}
|
||||||
elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){
|
elseif(in_array($this->entity_type,[ ClientGatewayToken::class,Design::class,GroupSetting::class,PaymentTerm::class])){
|
||||||
//need to pass these back regardless
|
//need to pass these back regardless
|
||||||
nlog($this->entity_type);
|
nlog($this->entity_type);
|
||||||
}
|
}
|
||||||
|
178
tests/Feature/BaseApiTest.php
Normal file
178
tests/Feature/BaseApiTest.php
Normal file
@ -0,0 +1,178 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Invoice Ninja (https://invoiceninja.com).
|
||||||
|
*
|
||||||
|
* @link https://github.com/invoiceninja/invoiceninja source repository
|
||||||
|
*
|
||||||
|
* @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
|
||||||
|
*
|
||||||
|
* @license https://www.elastic.co/licensing/elastic-license
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use App\Factory\CompanyUserFactory;
|
||||||
|
use App\Models\CompanyToken;
|
||||||
|
use App\Models\CompanyUser;
|
||||||
|
use App\Models\User;
|
||||||
|
use Illuminate\Routing\Middleware\ThrottleRequests;
|
||||||
|
use Illuminate\Support\Str;
|
||||||
|
use Illuminate\Testing\Fluent\AssertableJson;
|
||||||
|
use Tests\MockAccountData;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @test
|
||||||
|
* @covers App\Http\Controllers\BaseController
|
||||||
|
*/
|
||||||
|
class BaseApiTest extends TestCase
|
||||||
|
{
|
||||||
|
use MockAccountData;
|
||||||
|
|
||||||
|
private $list_routes = [
|
||||||
|
'products',
|
||||||
|
'clients',
|
||||||
|
'invoices',
|
||||||
|
'recurring_invoices',
|
||||||
|
'payments',
|
||||||
|
'quotes',
|
||||||
|
'credits',
|
||||||
|
'projects',
|
||||||
|
'tasks',
|
||||||
|
'vendors',
|
||||||
|
'purchase_orders',
|
||||||
|
'expenses',
|
||||||
|
'recurring_expenses',
|
||||||
|
'task_schedulers',
|
||||||
|
'bank_integrations',
|
||||||
|
'bank_transactions',
|
||||||
|
'tax_rates',
|
||||||
|
'users',
|
||||||
|
'payment_terms',
|
||||||
|
'purchase_orders',
|
||||||
|
'subscriptions',
|
||||||
|
'webhooks',
|
||||||
|
'group_settings',
|
||||||
|
'designs',
|
||||||
|
'expense_categories',
|
||||||
|
'documents',
|
||||||
|
'company_gateways',
|
||||||
|
'client_gateway_tokens',
|
||||||
|
'bank_transaction_rules',
|
||||||
|
];
|
||||||
|
|
||||||
|
protected function setUp() :void
|
||||||
|
{
|
||||||
|
parent::setUp();
|
||||||
|
|
||||||
|
$this->makeTestData();
|
||||||
|
|
||||||
|
$this->withoutMiddleware(
|
||||||
|
ThrottleRequests::class
|
||||||
|
);
|
||||||
|
|
||||||
|
$lower_permission_user = User::factory()->create([
|
||||||
|
'account_id' => $this->account->id,
|
||||||
|
'confirmation_code' => $this->createDbHash(config('database.default')),
|
||||||
|
'email' => $this->faker->safeEmail(),
|
||||||
|
]);
|
||||||
|
|
||||||
|
$this->low_cu = CompanyUserFactory::create($lower_permission_user->id, $this->company->id, $this->account->id);
|
||||||
|
$this->low_cu->is_owner = false;
|
||||||
|
$this->low_cu->is_admin = false;
|
||||||
|
$this->low_cu->is_locked = false;
|
||||||
|
$this->low_cu->permissions = '["view_task"]';
|
||||||
|
$this->low_cu->save();
|
||||||
|
|
||||||
|
$this->low_token = \Illuminate\Support\Str::random(64);
|
||||||
|
|
||||||
|
$company_token = new CompanyToken;
|
||||||
|
$company_token->user_id = $lower_permission_user->id;
|
||||||
|
$company_token->company_id = $this->company->id;
|
||||||
|
$company_token->account_id = $this->account->id;
|
||||||
|
$company_token->name = 'test token';
|
||||||
|
$company_token->token = $this->low_token;
|
||||||
|
$company_token->is_system = true;
|
||||||
|
$company_token->save();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// public function testGeneratingClassName()
|
||||||
|
// {
|
||||||
|
|
||||||
|
// $this->assertEquals('user', Str::snake(User::class));
|
||||||
|
|
||||||
|
// $this->assertEquals('user',lcfirst(class_basename(Str::snake(User::class))));
|
||||||
|
|
||||||
|
|
||||||
|
// }
|
||||||
|
|
||||||
|
public function testRestrictedRoute()
|
||||||
|
{
|
||||||
|
// $permissions = ["view_invoice","view_client","edit_client","edit_invoice","create_invoice","create_client"];
|
||||||
|
|
||||||
|
// $response = $this->withHeaders([
|
||||||
|
// 'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
// 'X-API-TOKEN' => $this->token,
|
||||||
|
// ])->get('/api/v1/clients/')
|
||||||
|
// ->assertStatus(200)
|
||||||
|
// ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
|
||||||
|
|
||||||
|
|
||||||
|
$response = $this->withHeaders([
|
||||||
|
'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
'X-API-TOKEN' => $this->token,
|
||||||
|
])->get('/api/v1/tasks/')
|
||||||
|
->assertStatus(200)
|
||||||
|
->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
|
||||||
|
|
||||||
|
$response = $this->withHeaders([
|
||||||
|
'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
'X-API-TOKEN' => $this->token,
|
||||||
|
])->get('/api/v1/group_settings/')
|
||||||
|
->assertStatus(200)
|
||||||
|
->assertJson(fn (AssertableJson $json) => $json->has('data',2)->etc());
|
||||||
|
|
||||||
|
$response = $this->withHeaders([
|
||||||
|
'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
'X-API-TOKEN' => $this->token,
|
||||||
|
])->get('/api/v1/designs/')
|
||||||
|
->assertStatus(200)
|
||||||
|
->assertJson(fn (AssertableJson $json) => $json->has('data',11)->etc());
|
||||||
|
|
||||||
|
|
||||||
|
$response = $this->withHeaders([
|
||||||
|
'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
'X-API-TOKEN' => $this->low_token,
|
||||||
|
])->get('/api/v1/users/');
|
||||||
|
|
||||||
|
|
||||||
|
$response->assertStatus(200)
|
||||||
|
->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
|
||||||
|
|
||||||
|
|
||||||
|
collect($this->list_routes)->filter(function ($route){
|
||||||
|
return !in_array($route, ['tasks','users','group_settings','designs']);
|
||||||
|
})->each(function($route){
|
||||||
|
nlog($route);
|
||||||
|
$response = $this->withHeaders([
|
||||||
|
'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
'X-API-TOKEN' => $this->low_token,
|
||||||
|
])->get("/api/v1/{$route}/")
|
||||||
|
->assertJson(fn (AssertableJson $json) =>
|
||||||
|
$json->has('meta')
|
||||||
|
->has('data',0)
|
||||||
|
);
|
||||||
|
|
||||||
|
});
|
||||||
|
|
||||||
|
$response = $this->withHeaders([
|
||||||
|
'X-API-SECRET' => config('ninja.api_secret'),
|
||||||
|
'X-API-TOKEN' => $this->low_token,
|
||||||
|
])->get('/api/v1/companies/'.$this->company->hashed_id)
|
||||||
|
->assertStatus(401);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
Loading…
x
Reference in New Issue
Block a user