Exemple #1
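 /**
  * Checks checkEditPermissions() on the docs fixtures for "testuser" under three
  * configurations of the mocked auth manager: DocsUpdateAccess, DocsPrivateUpdateAccess
  * only, and DocsAdmin.
  *
  * The mocked auth manager and the non-web user are process-wide test doubles, so they are
  * restored even when an assertion fails; otherwise a failure here could leave later tests
  * running against the mock.
  *
  * NOTE(review): the last argument of setAccess() is presumably the result the mock returns
  * for that auth item -- confirm against TestingAuxLib.
  * NOTE(review): the DocsAdmin phase does not exercise docs fixture '3', unlike the other
  * two phases.
  */
 public function testDocsPermissions()
 {
     $auth = TestingAuxLib::loadAuthManagerMock();
     TestingAuxLib::loadX2NonWebUser();
     // PHP 5.3-compatible stand-in for try/finally: remember the failure, clean up, rethrow.
     $failure = null;
     try {
         // user has docs update access
         $user = $this->users('testUser');
         $auth->setAccess('AdminIndex', $user->id, array(), false);
         TestingAuxLib::suLogin('testuser');
         $auth->setAccess('DocsAdmin', $user->id, array(), false);
         $auth->setAccess('DocsUpdateAccess', $user->id, array('X2Model' => new Docs()), true);
         // can't be edited since edit permissions list is empty
         $doc = $this->docs('0');
         $this->assertFalse((bool) $doc->checkEditPermissions());
         // "testuser" is in the edit permissions list
         $doc = $this->docs('1');
         $this->assertTrue((bool) $doc->checkEditPermissions());
         $doc = $this->docs('3');
         $this->assertTrue((bool) $doc->checkEditPermissions());
         // testuser created the doc
         $doc = $this->docs('2');
         $this->assertTrue((bool) $doc->checkEditPermissions());

         // user has docs private update access
         $auth->clearCache();
         $auth->setAccess('AdminIndex', $user->id, array(), false);
         $auth->setAccess('DocsAdmin', $user->id, array(), false);
         $auth->setAccess('DocsUpdateAccess', $user->id, array('X2Model' => new Docs()), false);
         $auth->setAccess('DocsPrivateUpdateAccess', $user->id, array('X2Model' => new Docs()), true);
         // can't be edited since edit permissions list is empty
         $doc = $this->docs('0');
         $this->assertFalse((bool) $doc->checkEditPermissions());
         // "testuser" is in the edit permissions list but since testuser only has private
         // update access, doc cannot be edited
         $doc = $this->docs('1');
         $this->assertFalse((bool) $doc->checkEditPermissions());
         $doc = $this->docs('3');
         $this->assertFalse((bool) $doc->checkEditPermissions());
         // testuser created the doc, so they can edit it
         $doc = $this->docs('2');
         $this->assertTrue((bool) $doc->checkEditPermissions());

         // user has docs admin access
         $auth->clearCache();
         $auth->setAccess('AdminIndex', $user->id, array(), false);
         $auth->setAccess('DocsAdmin', $user->id, array(), true);
         $auth->setAccess('DocsUpdateAccess', $user->id, array('X2Model' => new Docs()), false);
         $auth->setAccess('DocsPrivateUpdateAccess', $user->id, array('X2Model' => new Docs()), false);
         // user is docs admin
         $doc = $this->docs('0');
         $this->assertTrue((bool) $doc->checkEditPermissions());
         // user is docs admin
         $doc = $this->docs('1');
         $this->assertTrue((bool) $doc->checkEditPermissions());
         // user is docs admin
         $doc = $this->docs('2');
         $this->assertTrue((bool) $doc->checkEditPermissions());
     } catch (Exception $e) {
         $failure = $e;
     }
     TestingAuxLib::restoreX2WebUser();
     TestingAuxLib::restoreX2AuthManager();
     if ($failure !== null) {
         throw $failure;
     }
 }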
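 /**
  * Ensure that list of viewable calendars correctly reflects calendar permissions records
  *
  * As admin, the viewable names are compared with 'Anyone' plus every username in x2_users.
  * As testuser, they are compared with 'Anyone', 'testuser' and the usernames returned by a
  * query over x2_users and x2_calendar_permissions.
  *
  * Both sides of each comparison are passed through ArrayUtil::sort() so the result does
  * not depend on the row order returned by the database. The non-web user is restored even
  * when an assertion fails.
  */
 public function testGetViewableUserCalendarNames()
 {
     TestingAuxLib::loadX2NonWebUser();
     // PHP 5.3-compatible stand-in for try/finally: remember the failure, clean up, rethrow.
     $failure = null;
     try {
         TestingAuxLib::suLogin('admin');
         $viewable = array_keys(X2CalendarPermissions::getViewableUserCalendarNames());
         $everyone = array_merge(array('Anyone'), Yii::app()->db->createCommand("\n                SELECT username\n                FROM x2_users\n            ")->queryColumn());
         $this->assertEquals(ArrayUtil::sort($everyone), ArrayUtil::sort($viewable));

         $user = $this->users('testUser');
         TestingAuxLib::suLogin('testuser');
         $viewable = array_keys(X2CalendarPermissions::getViewableUserCalendarNames());
         // NOTE(review): the query below lists x2_users and x2_calendar_permissions without a
         // predicate tying t.id to a permissions row, so a single row with
         // other_user_id = :userId appears to match every user. If so, this oracle would
         // also accept an implementation that over-grants visibility -- confirm and, if
         // intended to mean "users who granted view permission to testuser", join on the
         // granting user's id.
         $grantedUsers = array_unique(array_merge(array('Anyone', 'testuser'), Yii::app()->db->createCommand("\n                /**\n                 * get names of users who have granted view permission to testuser and names of\n                 * users who have not set up calendar permissions\n                 */\n                SELECT distinct(username)\n                FROM x2_users as t, x2_calendar_permissions\n                WHERE other_user_id=:userId OR t.id NOT in (\n                    SELECT distinct(user_id)\n                    FROM x2_calendar_permissions\n                )\n            ")->queryColumn(array(':userId' => $user->id))));
         $this->assertEquals(ArrayUtil::sort($grantedUsers), ArrayUtil::sort($viewable));
     } catch (Exception $e) {
         $failure = $e;
     }
     TestingAuxLib::restoreX2WebUser();
     if ($failure !== null) {
         throw $failure;
     }
 }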
Exemple #3
 /**
  * Walks a view/edit/delete expectation matrix over three event fixtures, switching the
  * logged-in user before each row and asserting the result of checkPermissions().
  *
  * TODO: Remove hardcoded references to events in the fixture.
  */
 public function testCheckPermissions()
 {
     TestingAuxLib::loadX2NonWebUser();

     // fixture index => rows of (username, view, edit, delete)
     $matrix = array(
         array(0, array(
             // Admin can do anything
             array('admin', true, true, true),
             // Private and no shared group means testuser can't do anything
             array('testuser', false, false, false),
             // Associated with testuser2, so they can view and delete but not edit
             array('testuser2', true, false, true),
             // Created by testuser3, so they can do anything
             array('testuser3', true, true, true),
         )),
         array(6, array(
             // Admin can do anything
             array('admin', true, true, true),
             // Public posts are visible but not editable or deletable by regular users
             array('testuser', true, false, false),
             array('testuser2', true, false, false),
         )),
         array(7, array(
             // Admin can do anything
             array('admin', true, true, true),
             // Non-social post is visible to user it's assigned to but they can't edit or
             // delete
             array('testuser', true, false, false),
             // Private, so testuser3 can't do anything
             array('testuser3', false, false, false),
         )),
     );

     foreach ($matrix as $group) {
         list($fixtureIndex, $rows) = $group;
         $event = $this->event($fixtureIndex);
         foreach ($rows as $row) {
             list($username, $canView, $canEdit, $canDelete) = $row;
             TestingAuxLib::suLogin($username);
             $expected = array('view' => $canView, 'edit' => $canEdit, 'delete' => $canDelete);
             foreach ($expected as $operation => $allowed) {
                 $granted = $event->checkPermissions($operation, true);
                 if ($allowed) {
                     $this->assertTrue($granted);
                 } else {
                     $this->assertFalse($granted);
                 }
             }
         }
     }
 }
Exemple #4
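 /**
  * Attempts to ensure that isVisibleTo and getAccessCriteria check the same permissions
  *
  * For each historyPrivacy setting (null, 'group', 'user'), the events selected by
  * getAccessCriteria() must all be visible to the current profile's user, and every event
  * the criteria left out must not be visible. The check also requires more than one event
  * to be selected and at least one to be excluded, so it cannot pass vacuously.
  *
  * historyPrivacy is a property of the shared application settings object, so the value
  * found on entry is put back afterwards, including when an assertion fails; otherwise the
  * last value set here would carry over into whatever runs next.
  */
 public function testPermissionsCheckEquivalence()
 {
     TestingAuxLib::loadX2NonWebUser();
     TestingAuxLib::suLogin('testuser2');
     $allEvents = Events::model()->findAll();
     // $that instead of $this inside the closure keeps the test runnable on PHP 5.3
     $that = $this;
     $checkEquivalence = function ($events) use ($allEvents, $that) {
         $ids = array_map(function ($event) {
             return $event->id;
         }, $events);
         $that->assertTrue(count($events) > 1);
         // everything the SQL criteria let through must pass the per-record check
         foreach ($events as $event) {
             $that->assertTrue($event->isVisibleTo(Yii::app()->params->profile->user));
         }
         // everything the SQL criteria filtered out must fail the per-record check
         $found = false;
         foreach ($allEvents as $event) {
             if (!in_array($event->id, $ids)) {
                 $found = true;
                 $that->assertFalse($event->isVisibleTo(Yii::app()->params->profile->user));
             }
         }
         $that->assertTrue($found);
     };

     $originalPrivacy = Yii::app()->settings->historyPrivacy;
     // PHP 5.3-compatible stand-in for try/finally: remember the failure, clean up, rethrow.
     $failure = null;
     try {
         foreach (array(null, 'group', 'user') as $privacy) {
             Yii::app()->settings->historyPrivacy = $privacy;
             $accessCriteria = Events::model()->getAccessCriteria();
             $events = Events::model()->findAll($accessCriteria);
             $checkEquivalence($events);
         }
     } catch (Exception $e) {
         $failure = $e;
     }
     Yii::app()->settings->historyPrivacy = $originalPrivacy;
     if ($failure !== null) {
         throw $failure;
     }
 }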
Exemple #5
 /**
  * Saves the 'action1' fixture with a reminder enabled twice, first while logged in as
  * admin and then as testuser, and checks that exactly one reminder exists after each save
  * and that it belongs to 'testuser'.
  */
 public function testUpdateWithNotifications()
 {
     TestingAuxLib::loadX2NonWebUser();
     TestingAuxLib::suLogin('admin');

     // assigned to testuser
     $action = $this->actions('action1');

     // start from a clean slate: no reminders on the action
     foreach ($action->getReminders(true) as $stale) {
         $this->assertTrue($stale->delete());
     }
     $this->assertEquals(0, count($action->getReminders(true)));

     $userOf = function ($reminder) {
         return $reminder->user;
     };

     // First pass (still admin): ensure that we can create a reminder.
     // Second pass (as testuser): ensure that we can create another reminder and that the
     // old reminder was deleted.
     foreach (array(null, 'testuser') as $loginAs) {
         if ($loginAs !== null) {
             TestingAuxLib::suLogin($loginAs);
         }
         $action->reminder = true;
         $action->notificationUsers = 'assigned';
         $action->notificationTime = 1234;
         $this->assertSaves($action);
         $this->assertEquals(1, count($action->getReminders(true)));
         $current = $action->getReminders(true);
         $owners = array_map($userOf, $current);
         $this->assertEquals(array('testuser'), $owners);
     }
 }
Exemple #6
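 /**
  * Compares the ids of events selected by Events::getAccessCriteria() with the ids selected
  * by a hand-written condition, for admin and non-admin logins, with and without a target
  * profile, and under the historyPrivacy settings null, 'user' and 'group'.
  *
  * historyPrivacy is reset to null and the web user is restored even when an assertion
  * fails, so a failure partway through does not leave 'user' or 'group' privacy or the
  * non-web user in place for whatever runs next.
  *
  * NOTE(review): the username literals in the hand-written conditions read "******" in this
  * listing and look masked; the comparisons are only meaningful with the real usernames
  * restored -- confirm against the original file.
  */
 public function testGetAccessCriteria()
 {
     TestingAuxLib::loadX2NonWebUser();
     // reduces a list of event records to their ids so result sets can be compared
     $idsOf = function ($events) {
         return array_map(function ($event) {
             return $event->id;
         }, $events);
     };
     // PHP 5.3-compatible stand-in for try/finally: remember the failure, clean up, rethrow.
     $failure = null;
     try {
         TestingAuxLib::suLogin('admin');
         // admin privileges private profile
         $accessCriteria = Events::model()->getAccessCriteria();
         $this->assertEquals('TRUE', $accessCriteria->condition);
         $this->assertEquals(
             $idsOf(Events::model()->findAll($accessCriteria)),
             $idsOf(Events::model()->findAll())
         );
         // admin privileges public profile
         $accessCriteria = Events::model()->getAccessCriteria(Profile::model()->findByAttributes(array('username' => 'testuser')));
         $this->assertEquals(
             $idsOf(Events::model()->findAll($accessCriteria)),
             $idsOf(Events::model()->findAll('user="******"'))
         );
         // non-admin public profile
         TestingAuxLib::suLogin('testuser2');
         Yii::app()->settings->historyPrivacy = null;
         $accessCriteria = Events::model()->getAccessCriteria(Profile::model()->findByAttributes(array('username' => 'testuser')));
         $this->assertEquals(
             $idsOf(Events::model()->findAll($accessCriteria)),
             $idsOf(Events::model()->findAll('user="******" and visibility'))
         );
         // non-admin private profile
         TestingAuxLib::suLogin('testuser2');
         Yii::app()->settings->historyPrivacy = null;
         $accessCriteria = Events::model()->getAccessCriteria();
         $this->assertEquals(
             $idsOf(Events::model()->findAll($accessCriteria)),
             $idsOf(Events::model()->findAll('user="******" or visibility'))
         );
         // non-admin private profile, user history
         TestingAuxLib::suLogin('testuser2');
         Yii::app()->settings->historyPrivacy = 'user';
         $accessCriteria = Events::model()->getAccessCriteria();
         $this->assertEquals(
             $idsOf(Events::model()->findAll($accessCriteria)),
             $idsOf(Events::model()->findAll('user="******"'))
         );
         // non-admin private profile, group history
         // assumes that testuser2 and testuser3 are groupmates
         Yii::app()->settings->historyPrivacy = 'group';
         $accessCriteria = Events::model()->getAccessCriteria();
         $this->assertEquals(
             $idsOf(Events::model()->findAll($accessCriteria)),
             $idsOf(Events::model()->findAll('user="******" or user="******"'))
         );
     } catch (Exception $e) {
         $failure = $e;
     }
     Yii::app()->settings->historyPrivacy = null;
     TestingAuxLib::restoreX2WebUser();
     if ($failure !== null) {
         throw $failure;
     }
 }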