Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-07-09 03:14:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Tests for refactors of API permissions

Browse Source
This commit is contained in:
David Bomba 2023-01-20 23:45:29 +11:00
parent 0d11fc174a
commit 883c8f2289
2 changed files with 193 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
app/Http/Controllers/BaseController.php
View File

@ -12,9 +12,20 @@
namespace App\Http\Controllers; namespace App\Http\Controllers;
use App\Models\Account; use App\Models\Account;
use App\Models\BankIntegration;
use App\Models\BankTransaction; use App\Models\BankTransaction;
use App\Models\BankTransactionRule;
use App\Models\ClientGatewayToken;
use App\Models\Company; use App\Models\Company;
use App\Models\CompanyGateway;
use App\Models\Design;
use App\Models\ExpenseCategory;
use App\Models\GroupSetting;
use App\Models\PaymentTerm;
use App\Models\Scheduler;
use App\Models\TaxRate;
use App\Models\User; use App\Models\User;
use App\Models\Webhook;
use App\Transformers\ArraySerializer; use App\Transformers\ArraySerializer;
use App\Transformers\EntityTransformer; use App\Transformers\EntityTransformer;
use App\Utils\Ninja; use App\Utils\Ninja;
@ -858,12 +869,13 @@ class BaseController extends Controller
// 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased // 28-03-2022 this is definitely correct here, do not append _ to the view, it resolved correctly when snake cased
if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) { if (auth()->user() && ! auth()->user()->hasPermission('view'.lcfirst(class_basename(Str::snake($this->entity_type))))) {
//06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users //06-10-2022 - some entities do not have assigned_user_id - this becomes an issue when we have a large company and low permission users
if(lcfirst(class_basename(Str::snake($this->entity_type))) == 'user') if(in_array($this->entity_type, [User::class])){
$query->where('id', auth()->user()->id); $query->where('id', auth()->user()->id);
elseif($this->entity_type == BankTransaction::class){ //table without assigned_user_id }
elseif(in_array($this->entity_type, [BankTransactionRule::class,CompanyGateway::class, TaxRate::class, BankIntegration::class, Scheduler::class, BankTransaction::class, Webhook::class, ExpenseCategory::class])){ //table without assigned_user_id
$query->where('user_id', '=', auth()->user()->id); $query->where('user_id', '=', auth()->user()->id);
} }
elseif(in_array(lcfirst(class_basename(Str::snake($this->entity_type))),['design','group_setting','payment_term'])){ elseif(in_array($this->entity_type,[ ClientGatewayToken::class,Design::class,GroupSetting::class,PaymentTerm::class])){
//need to pass these back regardless //need to pass these back regardless
nlog($this->entity_type); nlog($this->entity_type);
} }

178
tests/Feature/BaseApiTest.php Normal file
View File

@ -0,0 +1,178 @@
<?php
/**
* Invoice Ninja (https://invoiceninja.com).
*
* @link https://github.com/invoiceninja/invoiceninja source repository
*
* @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
*
* @license https://www.elastic.co/licensing/elastic-license
*/
namespace Tests\Feature;
use App\Factory\CompanyUserFactory;
use App\Models\CompanyToken;
use App\Models\CompanyUser;
use App\Models\User;
use Illuminate\Routing\Middleware\ThrottleRequests;
use Illuminate\Support\Str;
use Illuminate\Testing\Fluent\AssertableJson;
use Tests\MockAccountData;
use Tests\TestCase;
/**
* @test
* @covers App\Http\Controllers\BaseController
*/
class BaseApiTest extends TestCase
{
use MockAccountData;
private $list_routes = [
'products',
'clients',
'invoices',
'recurring_invoices',
'payments',
'quotes',
'credits',
'projects',
'tasks',
'vendors',
'purchase_orders',
'expenses',
'recurring_expenses',
'task_schedulers',
'bank_integrations',
'bank_transactions',
'tax_rates',
'users',
'payment_terms',
'purchase_orders',
'subscriptions',
'webhooks',
'group_settings',
'designs',
'expense_categories',
'documents',
'company_gateways',
'client_gateway_tokens',
'bank_transaction_rules',
];
protected function setUp() :void
{
parent::setUp();
$this->makeTestData();
$this->withoutMiddleware(
ThrottleRequests::class
);
$lower_permission_user = User::factory()->create([
'account_id' => $this->account->id,
'confirmation_code' => $this->createDbHash(config('database.default')),
'email' => $this->faker->safeEmail(),
]);
$this->low_cu = CompanyUserFactory::create($lower_permission_user->id, $this->company->id, $this->account->id);
$this->low_cu->is_owner = false;
$this->low_cu->is_admin = false;
$this->low_cu->is_locked = false;
$this->low_cu->permissions = '["view_task"]';
$this->low_cu->save();
$this->low_token = \Illuminate\Support\Str::random(64);
$company_token = new CompanyToken;
$company_token->user_id = $lower_permission_user->id;
$company_token->company_id = $this->company->id;
$company_token->account_id = $this->account->id;
$company_token->name = 'test token';
$company_token->token = $this->low_token;
$company_token->is_system = true;
$company_token->save();
}
// public function testGeneratingClassName()
// {
// $this->assertEquals('user', Str::snake(User::class));
// $this->assertEquals('user',lcfirst(class_basename(Str::snake(User::class))));
// }
public function testRestrictedRoute()
{
// $permissions = ["view_invoice","view_client","edit_client","edit_invoice","create_invoice","create_client"];
// $response = $this->withHeaders([
// 'X-API-SECRET' => config('ninja.api_secret'),
// 'X-API-TOKEN' => $this->token,
// ])->get('/api/v1/clients/')
// ->assertStatus(200)
// ->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->token,
])->get('/api/v1/tasks/')
->assertStatus(200)
->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->token,
])->get('/api/v1/group_settings/')
->assertStatus(200)
->assertJson(fn (AssertableJson $json) => $json->has('data',2)->etc());
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->token,
])->get('/api/v1/designs/')
->assertStatus(200)
->assertJson(fn (AssertableJson $json) => $json->has('data',11)->etc());
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->low_token,
])->get('/api/v1/users/');
$response->assertStatus(200)
->assertJson(fn (AssertableJson $json) => $json->has('data',1)->etc());
collect($this->list_routes)->filter(function ($route){
return !in_array($route, ['tasks','users','group_settings','designs']);
})->each(function($route){
nlog($route);
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->low_token,
])->get("/api/v1/{$route}/")
->assertJson(fn (AssertableJson $json) =>
$json->has('meta')
->has('data',0)
);
});
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->low_token,
])->get('/api/v1/companies/'.$this->company->hashed_id)
->assertStatus(401);
}
}