Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-05-24 02:14:21 -04:00
Code Issues Packages Projects Releases Wiki Activity

Permissions tests

Browse Source
This commit is contained in:
David Bomba 2023-01-21 16:52:24 +11:00
parent 29bab35ed1
commit c1563c571d
6 changed files with 206 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
app/Http/Controllers/BaseController.php
View File

@ -234,6 +234,7 @@ class BaseController extends Controller
}
$transformer = new $this->entity_transformer($this->serializer);
$updated_at = request()->has('updated_at') ? request()->input('updated_at') : 0;
if ($user->getCompany()->is_large && $updated_at == 0) {
@ -251,7 +252,6 @@ class BaseController extends Controller
$query->where('clients.updated_at', '>=', $updated_at)->with('contacts.company', 'gateway_tokens', 'documents');
if (! $user->hasPermission('view_client')) {
// $query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
@ -270,7 +270,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents');
if (! $user->hasPermission('view_credit')) {
// $query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
@ -291,7 +290,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('documents');
if (! $user->hasPermission('view_expense')) {
// $query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
@ -301,14 +299,11 @@ class BaseController extends Controller
'company.groups' => function ($query) use ($updated_at, $user) {
$query->whereNotNull('updated_at')->with('documents');
// if(!$user->isAdmin())
// $query->where('group_settings.user_id', $user->id);
},
'company.invoices'=> function ($query) use ($updated_at, $user) {
$query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents');
if (! $user->hasPermission('view_invoice')) {
// $query->where('invoices.user_id', $user->id)->orWhere('invoices.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
@ -321,7 +316,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('paymentables', 'documents');
if (! $user->hasPermission('view_payment')) {
// $query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
@ -340,13 +334,11 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('documents');
if (! $user->hasPermission('view_product')) {
// $query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
});
}
},
@ -354,7 +346,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('documents');
if (! $user->hasPermission('view_project')) {
// $query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
@ -366,8 +357,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('documents');
if (! $user->hasPermission('view_purchase_order')) {
// $query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
@ -379,8 +368,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents');
if (! $user->hasPermission('view_quote')) {
// $query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
@ -392,7 +379,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('invitations', 'documents', 'client.gateway_tokens', 'client.group_settings', 'client.company');
if (! $user->hasPermission('view_recurring_invoice')) {
// $query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
@ -404,7 +390,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('documents');
if (! $user->hasPermission('view_recurring_expense')) {
// $query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
@ -416,7 +401,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('documents');
if (! $user->hasPermission('view_task')) {
// $query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
@ -431,7 +415,6 @@ class BaseController extends Controller
$query->where('updated_at', '>=', $updated_at)->with('contacts', 'documents');
if (! $user->hasPermission('view_vendor')) {
// $query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
@ -622,7 +605,6 @@ class BaseController extends Controller
$query->where('clients.created_at', '>=', $created_at)->with('contacts.company', 'gateway_tokens', 'documents');
if (! $user->hasPermission('view_client')) {
// $query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('clients.user_id', $user->id)->orWhere('clients.assigned_user_id', $user->id);
@ -641,7 +623,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('invitations', 'documents');
if (! $user->hasPermission('view_credit')) {
// $query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('credits.user_id', $user->id)->orWhere('credits.assigned_user_id', $user->id);
@ -655,13 +636,10 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('documents');
if (! $user->hasPermission('view_expense')) {
// $query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('expenses.user_id', $user->id)->orWhere('expenses.assigned_user_id', $user->id);
});
}
},
'company.groups' => function ($query) use ($created_at, $user) {
@ -671,7 +649,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('invitations', 'documents');
if (! $user->hasPermission('view_invoice')) {
// $query->where('invoices.user_id', $user->id)->orWhere('invoices.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('invoices.user_id', $user->id)->orWhere('invoices.assigned_user_id', $user->id);
@ -683,7 +660,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('paymentables', 'documents');
if (! $user->hasPermission('view_payment')) {
// $query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('payments.user_id', $user->id)->orWhere('payments.assigned_user_id', $user->id);
@ -698,7 +674,7 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('documents');
if (! $user->hasPermission('view_product')) {
// $query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('products.user_id', $user->id)->orWhere('products.assigned_user_id', $user->id);
});
@ -708,7 +684,7 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('documents');
if (! $user->hasPermission('view_project')) {
// $query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('projects.user_id', $user->id)->orWhere('projects.assigned_user_id', $user->id);
});
@ -718,7 +694,7 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('documents');
if (! $user->hasPermission('view_purchase_order')) {
// $query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('purchase_orders.user_id', $user->id)->orWhere('purchase_orders.assigned_user_id', $user->id);
});
@ -729,7 +705,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('invitations', 'documents');
if (! $user->hasPermission('view_quote')) {
// $query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('quotes.user_id', $user->id)->orWhere('quotes.assigned_user_id', $user->id);
@ -741,7 +716,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('invitations', 'documents', 'client.gateway_tokens', 'client.group_settings', 'client.company');
if (! $user->hasPermission('view_recurring_invoice')) {
// $query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('recurring_invoices.user_id', $user->id)->orWhere('recurring_invoices.assigned_user_id', $user->id);
@ -753,7 +727,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('documents');
if (! $user->hasPermission('view_task')) {
// $query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('tasks.user_id', $user->id)->orWhere('tasks.assigned_user_id', $user->id);
@ -768,7 +741,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('contacts', 'documents');
if (! $user->hasPermission('view_vendor')) {
// $query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('vendors.user_id', $user->id)->orWhere('vendors.assigned_user_id', $user->id);
@ -807,7 +779,6 @@ class BaseController extends Controller
$query->where('created_at', '>=', $created_at)->with('documents');
if (! $user->hasPermission('view_recurring_expense')) {
// $query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
$query->whereNested(function($query) use ($user) {
$query->where('recurring_expenses.user_id', $user->id)->orWhere('recurring_expenses.assigned_user_id', $user->id);
@ -907,6 +878,7 @@ class BaseController extends Controller
}
/**/
// $query->exclude(['balance','credit_balance','paid_to_date']);
if (request()->has('updated_at') && request()->input('updated_at') > 0) {
$query->where('updated_at', '>=', date('Y-m-d H:i:s', intval(request()->input('updated_at'))));

12
app/Models/Client.php
View File

@ -21,12 +21,12 @@ use App\Models\Project;
use App\Models\Quote;
use App\Models\Task;
use App\Services\Client\ClientService;
use App\Models\Traits\Excludable;
use App\Utils\Traits\AppSetup;
use App\Utils\Traits\ClientGroupSettingsSaver;
use App\Utils\Traits\GeneratesCounter;
use App\Utils\Traits\MakesDates;
use App\Utils\Traits\MakesHash;
use Exception;
use Illuminate\Contracts\Translation\HasLocalePreference;
use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Support\Facades\Cache;
@ -42,6 +42,7 @@ class Client extends BaseModel implements HasLocalePreference
use GeneratesCounter;
use AppSetup;
use ClientGroupSettingsSaver;
use Excludable;
protected $presenter = ClientPresenter::class;
@ -132,6 +133,13 @@ class Client extends BaseModel implements HasLocalePreference
'phone',
];
// public function scopeExclude($query)
// {
// $query->makeHidden(['balance','paid_to_date']);
// return $query;
// }
public function getEntityType()
{
return self::class;
@ -417,7 +425,7 @@ class Client extends BaseModel implements HasLocalePreference
return $this->company;
}
throw new Exception('Could not find a settings object', 1);
throw new \Exception('Could not find a settings object', 1);
}
public function documents()

38
app/Models/Traits/Excludable.php Normal file
View File

@ -0,0 +1,38 @@
<?php
/**
* Invoice Ninja (https://invoiceninja.com).
*
* @link https://github.com/invoiceninja/invoiceninja source repository
*
* @copyright Copyright (c) 2022. Invoice Ninja LLC (https://invoiceninja.com)
*
* @license https://www.elastic.co/licensing/elastic-license
*/
namespace App\Models\Traits;
trait Excludable {
/**
* Get the array of columns
*
* @return mixed
*/
private function getTableColumns() {
return $this->getConnection()->getSchemaBuilder()->getColumnListing($this->getTable());
}
/**
* Exclude an array of elements from the result.
* @param $query
* @param $columns
*
* @return mixed
*/
public function scopeExclude($query, $columns)
{
return $query->select(array_diff($this->getTableColumns(), (array) $columns));
}
}

25
app/Models/User.php
View File

@ -372,6 +372,31 @@ class User extends Authenticatable implements MustVerifyEmail
}
/**
* Used when we need to match exactly what permission
* the user has, and not aggregate owner and admins.
*
* This method is used when we need to scope down the query
* and display a limited subset.
*
* @param string $permission '["view_all"]'
* @return boolean
*/
public function hasExactPermission(string $permission = ''): bool
{
$parts = explode('_', $permission);
$all_permission = '';
if (count($parts) > 1) {
$all_permission = $parts[0].'_all';
}
return (is_int(stripos($this->token()->cu->permissions, $all_permission))) ||
(is_int(stripos($this->token()->cu->permissions, $permission)));
}
public function documents()
{
return $this->morphMany(Document::class, 'documentable');

6
tests/Feature/BaseApiTest.php
View File

@ -413,7 +413,7 @@ class BaseApiTest extends TestCase
collect($this->list_routes)->filter(function ($route){
return !in_array($route, ['users','designs','payment_terms']);
})->each(function($route){
nlog($route);
// nlog($route);
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->owner_token,
@ -458,7 +458,7 @@ class BaseApiTest extends TestCase
collect($this->list_routes)->filter(function ($route){
return !in_array($route, ['users','designs','payment_terms']);
})->each(function($route){
nlog($route);
// nlog($route);
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->owner_token,
@ -501,7 +501,7 @@ class BaseApiTest extends TestCase
collect($this->list_routes)->filter(function ($route){
return !in_array($route, ['users','designs','payment_terms']);
})->each(function($route){
nlog($route);
// nlog($route);
$response = $this->withHeaders([
'X-API-SECRET' => config('ninja.api_secret'),
'X-API-TOKEN' => $this->owner_token,

125
tests/Unit/PermissionsTest.php Normal file
View File

@ -0,0 +1,125 @@
<?php
/**
* Invoice Ninja (https://invoiceninja.com).
*
* @link https://github.com/invoiceninja/invoiceninja source repository
*
* @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
*
* @license https://www.elastic.co/licensing/elastic-license
*/
namespace Tests\Unit;
use App\Factory\CompanyUserFactory;
use App\Models\Account;
use App\Models\Company;
use App\Models\CompanyToken;
use App\Models\CompanyUser;
use App\Models\Invoice;
use App\Models\User;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Tests\MockAccountData;
use Tests\TestCase;
/**
* @test
*/
class PermissionsTest extends TestCase
{
public User $user;
public CompanyUser $cu;
public Company $company;
protected function setUp() :void
{
parent::setUp();
$this->faker = \Faker\Factory::create();
$account = Account::factory()->create([
'hosted_client_count' => 1000,
'hosted_company_count' => 1000,
]);
$account->num_users = 3;
$account->save();
$this->company = Company::factory()->create([
'account_id' => $account->id,
]);
$this->user = User::factory()->create([
'account_id' => $account->id,
'confirmation_code' => '123',
'email' => $this->faker->safeEmail(),
]);
$this->cu = CompanyUserFactory::create($this->user->id, $this->company->id, $account->id);
$this->cu->is_owner = false;
$this->cu->is_admin = false;
$this->cu->is_locked = false;
$this->cu->permissions = '["view_client"]';
$this->cu->save();
$this->token = \Illuminate\Support\Str::random(64);
$company_token = new CompanyToken;
$company_token->user_id = $this->user->id;
$company_token->company_id = $this->company->id;
$company_token->account_id = $account->id;
$company_token->name = 'test token';
$company_token->token = $this->token;
$company_token->is_system = true;
$company_token->save();
}
public function testExactPermissions()
{
$this->assertTrue($this->user->hasExactPermission("view_client"));
$this->assertFalse($this->user->hasExactPermission("view_all"));
}
public function testMissingPermissions()
{
$low_cu = CompanyUser::where(['company_id' => $this->company->id, 'user_id' => $this->user->id])->first();
$low_cu->permissions = '[""]';
$low_cu->save();
$this->assertFalse($this->user->hasExactPermission("view_client"));
$this->assertFalse($this->user->hasExactPermission("view_all"));
}
public function testViewAllValidPermissions()
{
$low_cu = CompanyUser::where(['company_id' => $this->company->id, 'user_id' => $this->user->id])->first();
$low_cu->permissions = '["view_all"]';
$low_cu->save();
$this->assertTrue($this->user->hasExactPermission("view_client"));
$this->assertTrue($this->user->hasExactPermission("view_all"));
}
public function testViewClientPermission()
{
$low_cu = CompanyUser::where(['company_id' => $this->company->id, 'user_id' => $this->user->id])->first();
$low_cu->permissions = '["view_client"]';
$low_cu->save();
//this is aberrant
$this->assertTrue($this->user->hasPermission("viewclient"));
}
}