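/**
 * Checks Docs::checkEditPermissions() for "testuser" under three access profiles:
 * general docs update access, private-only docs update access, and docs admin.
 *
 * Fixture assumptions (docs fixture): doc '0' has an empty edit permissions list,
 * docs '1' and '3' list "testuser" in their edit permissions, and doc '2' was
 * created by "testuser". The docs-admin scenario now also covers doc '3', so
 * all three scenarios check the same four records.
 */
public function testDocsPermissions() {
    $auth = TestingAuxLib::loadAuthManagerMock();
    TestingAuxLib::loadX2NonWebUser();
    $user = $this->users('testUser');
    $that = $this;

    // Asserts checkEditPermissions() for each (fixture alias, expected result) pair, in order.
    $assertEditable = function (array $expectations) use ($that) {
        foreach ($expectations as $expectation) {
            list($alias, $editable) = $expectation;
            $doc = $that->docs($alias);
            $that->assertSame(
                $editable,
                (bool) $doc->checkEditPermissions(),
                "unexpected edit permission result for doc '$alias'");
        }
    };

    // Scenario 1: user has docs update access (not admin, not docs admin)
    $auth->setAccess('AdminIndex', $user->id, array(), false);
    TestingAuxLib::suLogin('testuser');
    $auth->setAccess('DocsAdmin', $user->id, array(), false);
    $auth->setAccess('DocsUpdateAccess', $user->id, array('X2Model' => new Docs()), true);
    $assertEditable(array(
        array('0', false), // edit permissions list is empty
        array('1', true),  // "testuser" is in the edit permissions list
        array('3', true),  // "testuser" is in the edit permissions list
        array('2', true),  // testuser created the doc
    ));

    // Scenario 2: user only has docs private update access
    $auth->clearCache();
    $auth->setAccess('AdminIndex', $user->id, array(), false);
    $auth->setAccess('DocsAdmin', $user->id, array(), false);
    $auth->setAccess('DocsUpdateAccess', $user->id, array('X2Model' => new Docs()), false);
    $auth->setAccess('DocsPrivateUpdateAccess', $user->id, array('X2Model' => new Docs()), true);
    $assertEditable(array(
        array('0', false), // edit permissions list is empty
        array('1', false), // listed in edit permissions, but private update access is not enough
        array('3', false), // same as doc '1'
        array('2', true),  // testuser created the doc, so they can edit it
    ));

    // Scenario 3: user is docs admin; the edit permissions list must not matter
    $auth->clearCache();
    $auth->setAccess('AdminIndex', $user->id, array(), false);
    $auth->setAccess('DocsAdmin', $user->id, array(), true);
    $auth->setAccess('DocsUpdateAccess', $user->id, array('X2Model' => new Docs()), false);
    $auth->setAccess('DocsPrivateUpdateAccess', $user->id, array('X2Model' => new Docs()), false);
    $assertEditable(array(
        array('0', true), // empty edit permissions list; docs admin bypasses it
        array('1', true), // docs admin
        array('2', true), // docs admin (and creator)
        array('3', true), // listed in edit permissions; docs admin bypasses the list either way
    ));

    TestingAuxLib::restoreX2WebUser();
    TestingAuxLib::restoreX2AuthManager();
}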
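/**
 * Ensure that list of viewable calendars correctly reflects calendar permissions records
 *
 * For admin every user's calendar (plus "Anyone") must be viewable. For a regular
 * user the expected set is "Anyone", the user's own calendar, and the usernames
 * returned by the permissions query below.
 */
public function testGetViewableUserCalendarNames() {
    TestingAuxLib::loadX2NonWebUser();

    // Admin sees every calendar. Both sides are sorted so the comparison does not
    // depend on the row order the database happens to return for x2_users (the
    // actual value is already sorted; the expected one previously was not).
    TestingAuxLib::suLogin('admin');
    $viewable = array_keys(X2CalendarPermissions::getViewableUserCalendarNames());
    $allUsernames = Yii::app()->db->createCommand("\n SELECT username\n FROM x2_users\n ")->queryColumn();
    $this->assertEquals(
        ArrayUtil::sort(array_merge(array('Anyone'), $allUsernames)),
        ArrayUtil::sort($viewable));

    // Regular user: only calendars granted to testuser, or owned by users without
    // any calendar permission records, are expected.
    $user = $this->users('testUser');
    TestingAuxLib::suLogin('testuser');
    $viewable = array_keys(X2CalendarPermissions::getViewableUserCalendarNames());
    // NOTE(review): the WHERE clause never ties t.id to x2_calendar_permissions.user_id,
    // so a single permission row naming :userId makes every username expected — confirm
    // the fixture still exercises the "permission not granted" case.
    $grantedUsernames = Yii::app()->db->createCommand("\n /**\n * get names of users who have granted view permission to testuser and names of\n * users who have not set up calendar permissions\n */\n SELECT distinct(username)\n FROM x2_users as t, x2_calendar_permissions\n WHERE other_user_id=:userId OR t.id NOT in (\n SELECT distinct(user_id)\n FROM x2_calendar_permissions\n )\n ")->queryColumn(array(':userId' => $user->id));
    $expected = array_unique(array_merge(array('Anyone', 'testuser'), $grantedUsernames));
    $this->assertEquals(ArrayUtil::sort($expected), ArrayUtil::sort($viewable));

    TestingAuxLib::restoreX2WebUser();
}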
/**
 * TODO: Remove hardcoded references to events in the fixture.
 *
 * Exercises Events::checkPermissions() for 'view', 'edit' and 'delete' as several
 * users against three fixture events: a private event (fixture index 0), a public
 * post (6) and a non-social post assigned to testuser (7).
 */
public function testCheckPermissions() {
    TestingAuxLib::loadX2NonWebUser();
    $that = $this;

    // Logs in as $username, then asserts the view/edit/delete outcome for $event in that order.
    $assertAccess = function ($username, $event, $view, $edit, $delete) use ($that) {
        TestingAuxLib::suLogin($username);
        $expected = array('view' => $view, 'edit' => $edit, 'delete' => $delete);
        foreach ($expected as $operation => $allowed) {
            $that->assertSame(
                $allowed,
                $event->checkPermissions($operation, true),
                "$username: unexpected '$operation' permission");
        }
    };

    // Private event with no shared group
    $privateEvent = $this->event(0);
    $assertAccess('admin', $privateEvent, true, true, true);       // admin can do anything
    $assertAccess('testuser', $privateEvent, false, false, false); // not involved, so nothing
    $assertAccess('testuser2', $privateEvent, true, false, true);  // associated user: view and delete, not edit
    $assertAccess('testuser3', $privateEvent, true, true, true);   // creator can do anything

    // Public post: visible to regular users, but only admin may edit or delete
    $publicPost = $this->event(6);
    $assertAccess('admin', $publicPost, true, true, true);
    $assertAccess('testuser', $publicPost, true, false, false);
    $assertAccess('testuser2', $publicPost, true, false, false);

    // Non-social post: the assignee may view but not edit or delete; others see nothing
    $assignedPost = $this->event(7);
    $assertAccess('admin', $assignedPost, true, true, true);
    $assertAccess('testuser', $assignedPost, true, false, false);
    $assertAccess('testuser3', $assignedPost, false, false, false); // private to them
}
/**
 * Attempts to ensure that isVisibleTo and getAccessCriteria check the same permissions
 *
 * For each history privacy setting (null, 'group', 'user'): every event returned by
 * getAccessCriteria() must be visible to the logged-in user's profile user, and at
 * least one event outside that result set must not be.
 */
public function testPermissionsCheckEquivalence() {
    TestingAuxLib::loadX2NonWebUser();
    TestingAuxLib::suLogin('testuser2');
    $everyEvent = Events::model()->findAll();
    $that = $this;

    $assertCriteriaMatchesVisibility = function ($matchedEvents) use ($everyEvent, $that) {
        $matchedIds = array();
        foreach ($matchedEvents as $event) {
            $matchedIds[] = $event->id;
        }
        // a one-element result would make the equivalence check vacuous
        $that->assertTrue(count($matchedEvents) > 1);

        foreach ($matchedEvents as $event) {
            $that->assertTrue($event->isVisibleTo(Yii::app()->params->profile->user));
        }

        $sawUnmatched = false;
        foreach ($everyEvent as $event) {
            // loose comparison kept on purpose: ids may come back as strings from the DB
            if (in_array($event->id, $matchedIds)) {
                continue;
            }
            $sawUnmatched = true;
            $that->assertFalse($event->isVisibleTo(Yii::app()->params->profile->user));
        }
        $that->assertTrue($sawUnmatched);
    };

    foreach (array(null, 'group', 'user') as $privacy) {
        Yii::app()->settings->historyPrivacy = $privacy;
        $criteria = Events::model()->getAccessCriteria();
        $assertCriteriaMatchesVisibility(Events::model()->findAll($criteria));
    }
}
/**
 * Saving an action with reminder settings must create exactly one reminder for the
 * assigned user, and saving it again (as a different user) must replace rather than
 * duplicate the earlier reminder.
 */
public function testUpdateWithNotifications() {
    TestingAuxLib::loadX2NonWebUser();
    TestingAuxLib::suLogin('admin');
    $action = $this->actions('action1'); // assigned to testuser

    // Start from a clean slate: drop any reminders the fixture may carry
    foreach ($action->getReminders(true) as $existing) {
        $this->assertTrue($existing->delete());
    }
    $this->assertEquals(0, count($action->getReminders(true)));

    // Requests a reminder for the action's assignee
    $requestReminderForAssignee = function () use ($action) {
        $action->reminder = true;
        $action->notificationUsers = 'assigned';
        $action->notificationTime = 1234;
    };
    $that = $this;
    // Asserts that exactly one reminder exists and that it belongs to $username
    $assertSingleReminderFor = function ($username) use ($action, $that) {
        $reminders = $action->getReminders(true);
        $that->assertEquals(1, count($reminders));
        $owners = array();
        foreach ($reminders as $reminder) {
            $owners[] = $reminder->user;
        }
        $that->assertEquals(array($username), $owners);
    };

    // First save creates the reminder
    $requestReminderForAssignee();
    $this->assertSaves($action);
    $assertSingleReminderFor('testuser');

    // Second save, as another user, must replace the old reminder instead of adding one
    TestingAuxLib::suLogin('testuser');
    $requestReminderForAssignee();
    $this->assertSaves($action);
    $assertSingleReminderFor('testuser');
}
/**
 * Verifies the criteria built by Events::getAccessCriteria() against explicit SQL
 * conditions, for admin and non-admin viewers, for a public and a private profile,
 * and for each history privacy setting.
 *
 * NOTE(review): the username literal inside the quoted conditions below appears
 * masked in this copy of the file; compare against the repository copy.
 */
public function testGetAccessCriteria() {
    TestingAuxLib::loadX2NonWebUser();
    TestingAuxLib::suLogin('admin');

    // Reduces a result set to its event ids so two queries can be compared as lists
    $idsOf = function ($events) {
        $ids = array();
        foreach ($events as $event) {
            $ids[] = $event->id;
        }
        return $ids;
    };
    $that = $this;
    // Asserts that $criteria selects exactly the events selected by the plain $condition
    $assertSelectsSameEvents = function ($criteria, $condition = '') use ($that, $idsOf) {
        $that->assertEquals(
            $idsOf(Events::model()->findAll($criteria)),
            $idsOf(Events::model()->findAll($condition)));
    };

    // admin, private profile: no restriction at all
    $criteria = Events::model()->getAccessCriteria();
    $this->assertEquals('TRUE', $criteria->condition);
    $assertSelectsSameEvents($criteria);

    // admin, public profile of testuser
    $testuserProfile = Profile::model()->findByAttributes(array('username' => 'testuser'));
    $assertSelectsSameEvents(
        Events::model()->getAccessCriteria($testuserProfile),
        'user="******"');

    // non-admin, public profile of testuser
    TestingAuxLib::suLogin('testuser2');
    Yii::app()->settings->historyPrivacy = null;
    $testuserProfile = Profile::model()->findByAttributes(array('username' => 'testuser'));
    $assertSelectsSameEvents(
        Events::model()->getAccessCriteria($testuserProfile),
        'user="******" and visibility');

    // non-admin, private profile
    TestingAuxLib::suLogin('testuser2');
    Yii::app()->settings->historyPrivacy = null;
    $assertSelectsSameEvents(
        Events::model()->getAccessCriteria(),
        'user="******" or visibility');

    // non-admin, private profile, user history
    TestingAuxLib::suLogin('testuser2');
    Yii::app()->settings->historyPrivacy = 'user';
    $assertSelectsSameEvents(
        Events::model()->getAccessCriteria(),
        'user="******"');

    // non-admin, private profile, group history
    // assumes that testuser2 and testuser3 are groupmates
    Yii::app()->settings->historyPrivacy = 'group';
    $assertSelectsSameEvents(
        Events::model()->getAccessCriteria(),
        'user="******" or user="******"');

    Yii::app()->settings->historyPrivacy = null;
    TestingAuxLib::restoreX2WebUser();
}