/** * @depends testListTasks */ public function testUnprivilegedUserViewUpdateDeleteTasks() { Yii::app()->user->userModel = User::getByUsername('super'); $notAllowedUser = UserTestHelper::createBasicUser('Steven'); $notAllowedUser->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API); $saved = $notAllowedUser->save(); $authenticationData = $this->login('steven', 'steven'); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); $everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME); $this->assertTrue($everyoneGroup->save()); $tasks = Task::getByName('Check bills'); $this->assertEquals(1, count($tasks)); $data['completed'] = 1; // Test with unprivileged user to view, edit and delete account. $authenticationData = $this->login('steven', 'steven'); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/read/' . $tasks[0]->id, 'GET', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have rights to perform this action.', $response['message']); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/read/' . $tasks[0]->id, 'PUT', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have rights to perform this action.', $response['message']); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/read/' . $tasks[0]->id, 'DELETE', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have rights to perform this action.', $response['message']); //now check if user have rights, but no permissions. $notAllowedUser->setRight('TasksModule', TasksModule::getAccessRight()); $notAllowedUser->setRight('TasksModule', TasksModule::getCreateRight()); $notAllowedUser->setRight('TasksModule', TasksModule::getDeleteRight()); $saved = $notAllowedUser->save(); $this->assertTrue($saved); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/read/' . $tasks[0]->id, 'GET', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have permissions for this action.', $response['message']); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/update/' . $tasks[0]->id, 'PUT', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have permissions for this action.', $response['message']); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/delete/' . $tasks[0]->id, 'DELETE', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have permissions for this action.', $response['message']); // Allow everyone group to read/write task $authenticationData = $this->login(); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); unset($data); $data['explicitReadWriteModelPermissions'] = array('type' => ExplicitReadWriteModelPermissionsUtil::MIXED_TYPE_EVERYONE_GROUP); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/update/' . $tasks[0]->id, 'PUT', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']); $authenticationData = $this->login('steven', 'steven'); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/read/' . $tasks[0]->id, 'GET', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']); unset($data); $data['completed'] = 1; $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/update/' . $tasks[0]->id, 'PUT', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']); $this->assertEquals(1, $response['data']['completed']); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/delete/' . $tasks[0]->id, 'DELETE', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); $this->assertEquals('You do not have permissions for this action.', $response['message']); // Test with privileged user $authenticationData = $this->login(); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); //Test Delete $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/delete/' . $tasks[0]->id, 'DELETE', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']); $response = ApiRestTestHelper::createApiCall($this->serverUrl . '/test.php/tasks/task/api/read/' . $tasks[0]->id, 'GET', $headers); $response = json_decode($response, true); $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']); }
/** * Test if all newly created items was pulled from read permission tables via API. * Please note that here we do not test if data are inserted in read permission tables correctly, that is * part of read permission subscription tests * @throws NotFoundException * @throws NotImplementedException * @throws NotSupportedException */ public function testGetCreatedTasks() { $timestamp = time(); sleep(1); $super = User::getByUsername('super'); Yii::app()->user->userModel = $super; $lisa = UserTestHelper::createBasicUser('Lisa'); $lisa->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API); $lisa->setRight('TasksModule', TasksModule::getAccessRight()); $this->assertTrue($lisa->save()); $this->deleteAllModelsAndRecordsFromReadPermissionTable('Task'); $job = new ReadPermissionSubscriptionUpdateJob(); ReadPermissionsOptimizationUtil::rebuild(); $task1 = TaskTestHelper::createTaskByNameForOwner('Task1', $super); sleep(1); $task2 = TaskTestHelper::createTaskByNameForOwner('Task2', $super); sleep(1); $task3 = TaskTestHelper::createTaskByNameForOwner('Task3', $super); sleep(1); $this->assertTrue($job->run()); $authenticationData = $this->login(); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); $data = array('sinceTimestamp' => $timestamp, 'pagination' => array('pageSize' => 2, 'page' => 1)); $response = $this->createApiCallWithRelativeUrl('getCreatedItems/', 'POST', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(3, $response['data']['totalCount']); $this->assertEquals(2, $response['data']['pageSize']); $this->assertEquals(1, $response['data']['currentPage']); $this->assertEquals($task1->id, $response['data']['items'][0]['id']); $this->assertEquals($super->id, $response['data']['items'][0]['owner']['id']); $this->assertEquals($task1->name, $response['data']['items'][0]['name']); $this->assertEquals($task2->id, $response['data']['items'][1]['id']); $this->assertEquals($super->id, $response['data']['items'][1]['owner']['id']); $this->assertEquals($task2->name, $response['data']['items'][1]['name']); $data = array('sinceTimestamp' => 0, 'pagination' => array('pageSize' => 2, 'page' => 2)); $response = $this->createApiCallWithRelativeUrl('getCreatedItems/', 'POST', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(3, $response['data']['totalCount']); $this->assertEquals(2, $response['data']['pageSize']); $this->assertEquals(2, $response['data']['currentPage']); $this->assertEquals($task3->id, $response['data']['items'][0]['id']); $this->assertEquals($super->id, $response['data']['items'][0]['owner']['id']); $this->assertEquals($task3->name, $response['data']['items'][0]['name']); // Change owner of $contact1, it should appear in Lisa's created contacts $task1->owner = $lisa; $this->assertTrue($task1->save()); sleep(1); $this->assertTrue($job->run()); $data = array('sinceTimestamp' => $timestamp, 'pagination' => array('pageSize' => 2, 'page' => 1)); $response = $this->createApiCallWithRelativeUrl('getCreatedItems/', 'POST', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(2, $response['data']['totalCount']); $this->assertEquals(2, $response['data']['pageSize']); $this->assertEquals(1, $response['data']['currentPage']); $this->assertEquals($task2->id, $response['data']['items'][0]['id']); $this->assertEquals($super->id, $response['data']['items'][0]['owner']['id']); $this->assertEquals($task2->name, $response['data']['items'][0]['name']); $this->assertEquals($task3->id, $response['data']['items'][1]['id']); $this->assertEquals($super->id, $response['data']['items'][1]['owner']['id']); $this->assertEquals($task3->name, $response['data']['items'][1]['name']); $authenticationData = $this->login('lisa', 'lisa'); $headers = array('Accept: application/json', 'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'], 'ZURMO_TOKEN: ' . $authenticationData['token'], 'ZURMO_API_REQUEST_TYPE: REST'); $data = array('sinceTimestamp' => $timestamp, 'pagination' => array('pageSize' => 2, 'page' => 1)); $response = $this->createApiCallWithRelativeUrl('getCreatedItems/', 'POST', $headers, array('data' => $data)); $response = json_decode($response, true); $this->assertEquals(1, $response['data']['totalCount']); $this->assertEquals(2, $response['data']['pageSize']); $this->assertEquals(1, $response['data']['currentPage']); $this->assertEquals($task1->id, $response['data']['items'][0]['id']); $this->assertEquals($lisa->id, $response['data']['items'][0]['owner']['id']); $this->assertEquals($task1->name, $response['data']['items'][0]['name']); }