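/**
 * Builds a group of $count users that hold the Contacts module access, create and delete
 * rights, creates a contact shared read/write with that group and returns how long the
 * contact create request took.
 *
 * Everything goes through the web controllers; the timing brackets the whole
 * '/contacts/default/create' request. At the end each group member is logged in to confirm
 * that the explicit group permission on the record really grants details/edit access.
 *
 * @param int $count number of users to create and add to the group; must be at least 1
 *                   because the first member is the one who creates the contact
 * @return float seconds spent in the '/contacts/default/create' request
 */
public function resolveRecordSharingPerformanceTime($count)
{
    // The first member creates the contact below, so an empty group has no meaning here.
    $this->assertGreaterThan(0, $count, 'At least one group member is required');
    // Both keys exist up front so the per-key reads below never hit an undefined index.
    $groupMembers = array('usernames' => array(), 'ids' => array());
    $groupName    = "Group {$count}";

    // create group
    $this->resetGetArray();
    $this->setPostArray(array('Group' => array('name' => $groupName)));
    $this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/group/create');
    $group = Group::getByName($groupName);
    $this->assertNotNull($group);
    $this->assertEquals($groupName, strval($group));
    // Module-level rights the members need before per-record permissions even come into play.
    $contactRights = array(ContactsModule::getAccessRight(),
                           ContactsModule::getCreateRight(),
                           ContactsModule::getDeleteRight());
    foreach ($contactRights as $right)
    {
        $group->setRight('ContactsModule', $right);
    }
    $this->assertTrue($group->save());
    $groupId = $group->id;
    // Reload so later assertions see the persisted state rather than the in-memory object.
    $group->forgetAll();
    $group = Group::getById($groupId);

    // Populate group
    $this->resetGetArray();
    for ($i = 0; $i < $count; $i++)
    {
        $username = static::$baseUsername . "_{$i}_of_{$count}";
        $this->setPostArray(array('UserPasswordForm' => array(
            'firstName'          => 'Some',
            'lastName'           => 'Body',
            'username'           => $username,
            'newPassword'        => 'myPassword123',
            'newPassword_repeat' => 'myPassword123',
            'officePhone'        => '456765421',
            'userStatus'         => 'Active',
        )));
        $this->runControllerWithRedirectExceptionAndGetContent('/users/default/create');
        $user = User::getByUsername($username);
        $this->assertNotNull($user);
        $groupMembers['usernames'][] = $user->username;
        $groupMembers['ids'][]       = $user->id;
    }
    $this->assertCount($count, $groupMembers['ids']);

    // set user's group
    $this->setGetArray(array('id' => $groupId));
    $this->setPostArray(array('GroupUserMembershipForm' => array('userMembershipData' => $groupMembers['ids'])));
    $this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/group/editUserMembership');
    $group->forgetAll();
    $group = Group::getById($groupId);
    $this->assertCount($count, $group->users);
    // Every member must now resolve the group's module rights as allowed.
    foreach ($groupMembers['ids'] as $userId)
    {
        $user = User::getById($userId);
        $this->assertEquals($group->id, $user->groups[0]->id);
        foreach ($contactRights as $right)
        {
            $this->assertTrue(RightsUtil::doesUserHaveAllowByRightName('ContactsModule', $right, $user));
        }
    }
    $this->clearAllCaches();

    // go ahead and create contact with group given readwrite, use group's first member to confirm he has create access
    $this->logoutCurrentUserLoginNewUserAndGetByUsername($groupMembers['usernames'][0]);
    $this->resetGetArray();
    $startingState = ContactsUtil::getStartingState();
    $this->setPostArray(array('Contact' => array(
        'firstName'   => 'John',
        'lastName'    => 'Doe',
        'officePhone' => '456765421',
        'state'       => array('id' => $startingState->id),
        'explicitReadWriteModelPermissions' => array(
            'type'             => ExplicitReadWriteModelPermissionsUtil::MIXED_TYPE_NONEVERYONE_GROUP,
            'nonEveryoneGroup' => $groupId,
        ),
    )));
    $startTime        = microtime(true);
    $url              = $this->runControllerWithRedirectExceptionAndGetUrl('/contacts/default/create');
    $timeTakenForSave = microtime(true) - $startTime;
    // The redirect URL carries the new record id. If 'id=' were missing, strpos() would return
    // false and the arithmetic would silently yield id 0, so fail explicitly instead.
    $idPosition = strpos($url, 'id=');
    $this->assertNotSame(false, $idPosition, "Redirect url has no id parameter: {$url}");
    $johnDoeContactId = intval(substr($url, $idPosition + 3));
    $johnDoeContact   = Contact::getById($johnDoeContactId);
    $this->assertNotNull($johnDoeContact);
    $this->resetPostArray();
    $this->setGetArray(array('id' => $johnDoeContactId));
    $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
    $this->assertContains('Who can read and write ' . strval($group), $content);
    $this->clearAllCaches();
    $this->resetPostArray();

    // ensure group members have access
    foreach ($groupMembers['usernames'] as $member)
    {
        $user = $this->logoutCurrentUserLoginNewUserAndGetByUsername($member);
        $this->assertNotNull($user);
        $this->setGetArray(array('id' => $johnDoeContactId));
        $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
        $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
    }
    return $timeTakenForSave;
}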
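/**
 * Checks that the contacts REST API denies a non-privileged user at both authorisation
 * layers before letting him through: with no Contacts module rights every read/update/delete
 * fails with the "rights" message; with rights but no permission on the record it fails with
 * the "permissions" message; once the record is shared read/write with the Everyone group the
 * same user can read and update it. Ends by deleting the contact as the privileged user and
 * confirming it can no longer be read.
 *
 * @depends testListContacts
 */
public function testUnprivilegedUserViewUpdateDeleteContacts()
{
    Yii::app()->user->userModel = User::getByUsername('super');
    // Header set every REST call below needs, built from a login() result.
    $restHeaders = function ($authenticationData)
    {
        return array('Accept: application/json',
                     'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'],
                     'ZURMO_TOKEN: ' . $authenticationData['token'],
                     'ZURMO_API_REQUEST_TYPE: REST');
    };
    $noRightsMessage      = 'You do not have rights to perform this action.';
    $noPermissionsMessage = 'You do not have permissions for this action.';

    $notAllowedUser = UserTestHelper::createBasicUser('Steven');
    $notAllowedUser->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
    // The save result used to be stored but never checked; an unsaved right would let the
    // "no rights" assertions below pass for the wrong reason.
    $this->assertTrue($notAllowedUser->save());
    $everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME);
    $this->assertTrue($everyoneGroup->save());
    $contacts = Contact::getByName('Michael Smith with just owner');
    $this->assertEquals(1, count($contacts));
    $contactId = $contacts[0]->id;
    $data      = array('department' => 'Support');

    // Test with unprivileged user to view, edit and delete contact: no module rights at all.
    $headers  = $restHeaders($this->login('steven', 'steven'));
    $response = json_decode($this->createApiCallWithRelativeUrl('read/' . $contactId, 'GET', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals($noRightsMessage, $response['message']);
    $response = json_decode($this->createApiCallWithRelativeUrl('update/' . $contactId, 'PUT', $headers, array('data' => $data)), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals($noRightsMessage, $response['message']);
    $response = json_decode($this->createApiCallWithRelativeUrl('delete/' . $contactId, 'DELETE', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals($noRightsMessage, $response['message']);

    // now check if user has rights, but no permissions on the record.
    $contactRights = array(ContactsModule::getAccessRight(),
                           ContactsModule::getCreateRight(),
                           ContactsModule::getDeleteRight());
    foreach ($contactRights as $right)
    {
        $notAllowedUser->setRight('ContactsModule', $right);
    }
    $this->assertTrue($notAllowedUser->save());
    $response = json_decode($this->createApiCallWithRelativeUrl('read/' . $contactId, 'GET', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals($noPermissionsMessage, $response['message']);
    $response = json_decode($this->createApiCallWithRelativeUrl('update/' . $contactId, 'PUT', $headers, array('data' => $data)), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals($noPermissionsMessage, $response['message']);
    $response = json_decode($this->createApiCallWithRelativeUrl('delete/' . $contactId, 'DELETE', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals($noPermissionsMessage, $response['message']);

    // Allow everyone group to read/write contact, acting as the privileged user.
    $headers = $restHeaders($this->login());
    $data    = array('explicitReadWriteModelPermissions' => array(
        'type' => ExplicitReadWriteModelPermissionsUtil::MIXED_TYPE_EVERYONE_GROUP,
    ));
    $response = json_decode($this->createApiCallWithRelativeUrl('update/' . $contactId, 'PUT', $headers, array('data' => $data)), true);
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);

    // The unprivileged user now has rights and a record permission, so read and update succeed.
    $headers  = $restHeaders($this->login('steven', 'steven'));
    $response = json_decode($this->createApiCallWithRelativeUrl('read/' . $contactId, 'GET', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
    $data     = array('department' => 'Support');
    $response = json_decode($this->createApiCallWithRelativeUrl('update/' . $contactId, 'PUT', $headers, array('data' => $data)), true);
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
    $this->assertEquals('Support', $response['data']['department']);

    // Test with privileged user: delete, then confirm the record is gone.
    $headers  = $restHeaders($this->login());
    $response = json_decode($this->createApiCallWithRelativeUrl('delete/' . $contactId, 'DELETE', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
    $response = json_decode($this->createApiCallWithRelativeUrl('read/' . $contactId, 'GET', $headers), true);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
}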