コード例 #1
 /**
  * Fixture shared by every test in this class.
  * Logs in as the super user, rebuilds the read-permission cache, then shares one of super's accounts
  * read-only with the nobody user, gives nobody access/create rights on the accounts module and
  * creates a plain 'Group1'. The everyone group is re-saved so it exists for the tests.
  */
 public static function setUpBeforeClass()
 {
     parent::setUpBeforeClass();
     SecurityTestHelper::createSuperAdmin();
     Yii::app()->user->userModel = User::getByUsername('super');
     ReadPermissionsOptimizationUtil::rebuild();
     // The nobody user gets read-only access to one account owned by super.
     $readOnlyUser  = User::getByUsername('nobody');
     $sharedAccount = AccountTestHelper::createAccountByNameForOwner('superAccountReadableByNobody', Yii::app()->user->userModel);
     $sharedAccount->addPermissions($readOnlyUser, Permission::READ, Permission::ALLOW);
     assert($sharedAccount->save());
     // Not Coding Standard
     // Keep the read-permission optimization table in step with the permission just added.
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($sharedAccount, $readOnlyUser);
     // ...and access/create rights on the accounts module.
     foreach (array(AccountsModule::RIGHT_ACCESS_ACCOUNTS, AccountsModule::RIGHT_CREATE_ACCOUNTS) as $right) {
         $readOnlyUser->setRight('AccountsModule', $right);
     }
     assert($readOnlyUser->save());
     // Not Coding Standard
     $everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME);
     assert($everyoneGroup->save());
     // Not Coding Standard
     $group1       = new Group();
     $group1->name = 'Group1';
     assert($group1->save());
     // Not Coding Standard
 }
コード例 #2
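 /**
  * Fixture shared by every test in this class.
  * Creates the standard test users, gives billy an email account plus access/create/delete rights on the
  * contacts module, and creates two contacts with email addresses: 'sally' (owned by super, shared read and
  * write with billy) and 'molly' (owned by bobby, not shared with billy).
  */
 public static function setUpBeforeClass()
 {
     parent::setUpBeforeClass();
     SecurityTestHelper::createSuperAdmin();
     Yii::app()->user->userModel = User::getByUsername('super');
     ReadPermissionsOptimizationUtil::rebuild();
     SecurityTestHelper::createUsers();
     $billy = User::getByUsername('billy');
     EmailMessageTestHelper::createEmailAccount($billy);
     $billy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS);
     $billy->setRight('ContactsModule', ContactsModule::RIGHT_CREATE_CONTACTS);
     $billy->setRight('ContactsModule', ContactsModule::RIGHT_DELETE_CONTACTS);
     assert($billy->save());
     // Not Coding Standard
     // 'sally' is owned by super and shared with billy for read and write.
     $contact = ContactTestHelper::createContactByNameForOwner('sally', Yii::app()->user->userModel);
     $contact->primaryEmail = new Email();
     $contact->primaryEmail->emailAddress = '*****@*****.**';
     $contact->secondaryEmail->emailAddress = '*****@*****.**';
     $contact->addPermissions($billy, Permission::READ);
     $contact->addPermissions($billy, Permission::WRITE);
     // save() is called outside assert() so it still runs when assertions are compiled out.
     $contactSaved = $contact->save();
     assert($contactSaved);
     // Not Coding Standard
     // 'molly' is owned by bobby and is not shared with billy.
     $molly = ContactTestHelper::createContactByNameForOwner('molly', User::getByUsername('bobby'));
     $molly->primaryEmail = new Email();
     $molly->primaryEmail->emailAddress = '*****@*****.**';
     $molly->secondaryEmail->emailAddress = '*****@*****.**';
     // Previously $contact was saved a second time here and molly's email addresses were never persisted.
     $mollySaved = $molly->save();
     assert($mollySaved);
     // Not Coding Standard
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contact, $billy);
 }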
コード例 #3
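 /**
  * Walkthrough test for synchronous download.
  * Takes the nobody user through three states: no rights at all (list and export are access failures),
  * module plus export rights but no readable products (export redirects back to the index with a
  * 'no data' notification), and finally read/write on both products (export returns the download content).
  */
 public function testDownloadDefaultControllerActions()
 {
     $super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
     $products = array();
     for ($i = 0; $i < 2; $i++) {
         $products[] = ProductTestHelper::createProductByNameForOwner('superProduct' . $i, $super);
     }
     $selectedIds = "{$products[0]->id}, {$products[1]->id}";
     // Check if access is denied if user doesn't have access privileges at all to export actions
     Yii::app()->user->userModel = User::getByUsername('nobody');
     $nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
     $this->runControllerShouldResultInAccessFailureAndGetContent('products/default/list');
     $this->setGetArray(array('Product_page' => '1', 'export' => '', 'ajax' => '', 'selectAll' => '', 'selectedIds' => ''));
     $this->runControllerShouldResultInAccessFailureAndGetContent('products/default/export');
     // Check if user have access to module action, but not to export action
     // Now test peon with elevated rights to products
     $nobody->setRight('ProductsModule', ProductsModule::RIGHT_ACCESS_PRODUCTS);
     $nobody->setRight('ProductsModule', ProductsModule::RIGHT_CREATE_PRODUCTS);
     $nobody->setRight('ProductsModule', ProductsModule::RIGHT_DELETE_PRODUCTS);
     $nobody->setRight('ExportModule', ExportModule::RIGHT_ACCESS_EXPORT);
     $this->assertTrue($nobody->save());
     // With module and export rights the list action works, but with no readable products every
     // export attempt redirects back to the index.
     $nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
     Yii::app()->user->userModel = User::getByUsername('nobody');
     $this->runControllerWithNoExceptionsAndGetContent('products/default/list');
     $this->setGetArray(array('Product_page' => '1', 'export' => '', 'ajax' => '', 'selectAll' => '', 'selectedIds' => ''));
     $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
     $this->assertContains('products/default/index', $response);
     $this->setGetArray(self::buildProductExportGetArray('superProduct', '1', ''));
     //TODO Need to ask jason
     $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
     $this->assertContains('products/default/index', $response);
     $this->setGetArray(self::buildProductExportGetArray('superProduct', '', $selectedIds));
     $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
     $this->assertContains('products/default/index', $response);
     $this->assertContains('There is no data to export.', Yii::app()->user->getFlash('notification'));
     //give nobody access to read and write
     Yii::app()->user->userModel = $super;
     foreach ($products as $product) {
         $product->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
         ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($product, $nobody);
         $this->assertTrue($product->save());
     }
     //Now the nobody user should be able to access the edit view and still the details view.
     Yii::app()->user->userModel = $nobody;
     $this->setGetArray(self::buildProductExportGetArray('superProduct', '1', ''));
     //TODO Need to ask jason
     $response = $this->runControllerWithExitExceptionAndGetContent('products/default/export');
     $this->assertEquals('Testing download.', $response);
     $this->setGetArray(self::buildProductExportGetArray('superProduct', '', $selectedIds));
     $response = $this->runControllerWithExitExceptionAndGetContent('products/default/export');
     $this->assertEquals('Testing download.', $response);
     // No matches: a search term that hits nothing redirects back to the index.
     $this->setGetArray(self::buildProductExportGetArray('missingName', '1', ''));
     $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
     $this->assertContains('products/default/index', $response);
 }

 /**
  * Builds the GET parameters the export walkthrough sends to products/default/export.
  * @param string $name        value sent as the search form's 'name' attribute
  * @param string $selectAll   value sent as 'selectAll' ('1' or '')
  * @param string $selectedIds value sent as 'selectedIds' (comma separated product ids, or '')
  * @return array
  */
 private static function buildProductExportGetArray($name, $selectAll, $selectedIds)
 {
     return array(
         'ProductsSearchForm' => array(
             'anyMixedAttributesScope' => array(0 => 'All'),
             'anyMixedAttributes'      => '',
             'name'                    => $name,
         ),
         'multiselect_ProductsSearchForm_anyMixedAttributesScope' => 'All',
         'Product_page' => '1',
         'export'       => '',
         'ajax'         => '',
         'selectAll'    => $selectAll,
         'selectedIds'  => $selectedIds,
     );
 }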
コード例 #4
 /**
  * Records that $user was given read access to $securableItem: first updates the
  * read-permission optimization data, then drops the cached read entry for the item so
  * the stale cached answer cannot be served after the permission change.
  * @param SecurableItem $securableItem
  * @param User $user
  */
 public static function securableItemGivenReadPermissionsForUser(SecurableItem $securableItem, User $user)
 {
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $user);
     // Invalidate after the optimization table is updated, not before.
     AllPermissionsOptimizationCache::forgetSecurableItemForRead($securableItem);
 }
コード例 #5
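 /**
  * Given a SecurableItem, add and remove permissions
  * based on what the provided ExplicitReadWriteModelPermissions indicates should be done.
  * Sets @see SecurableItem->setTreatCurrentUserAsOwnerForPermissions as true in order to ensure the current user
  * can effectively add permissions even if the current user is no longer the owner. The override is switched
  * back off before returning and also when an exception escapes, so a failed call never leaves the model
  * instance treating the current user as its owner for later permission checks.
  * @param SecurableItem $securableItem
  * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
  * @return boolean true when no permission list had entries, otherwise the result of saving the item
  * @throws NotSupportedException() when a permitable is neither a Group nor a User
  */
 public static function resolveExplicitReadWriteModelPermissions(SecurableItem $securableItem, ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions)
 {
     assert('$securableItem->id > 0');
     $securableItem->setTreatCurrentUserAsOwnerForPermissions(true);
     try {
         $saved = self::applyExplicitReadWriteModelPermissions($securableItem, $explicitReadWriteModelPermissions);
     } catch (Exception $e) {
         // Reset the owner override before propagating; otherwise it stays active on the instance.
         $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
         throw $e;
     }
     $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
     return $saved;
 }

 /**
  * Applies the four change lists (read-only add, read/write add, read-only remove, read/write remove)
  * and saves the item when at least one list had entries.
  * @param SecurableItem $securableItem
  * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
  * @return boolean true when nothing had to change, otherwise the result of the save
  * @throws NotSupportedException() when a permitable is neither a Group nor a User
  */
 private static function applyExplicitReadWriteModelPermissions(SecurableItem $securableItem, ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions)
 {
     $saveSecurableItem = false;
     if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesCount() > 0) {
         $saveSecurableItem = true;
         foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitables() as $permitable) {
             $securableItem->addPermissions($permitable, Permission::READ);
             self::syncReadPermissionsOptimization($securableItem, $permitable, true);
         }
     }
     if ($explicitReadWriteModelPermissions->getReadWritePermitablesCount() > 0) {
         $saveSecurableItem = true;
         foreach ($explicitReadWriteModelPermissions->getReadWritePermitables() as $permitable) {
             $securableItem->addPermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER);
             self::syncReadPermissionsOptimization($securableItem, $permitable, true);
         }
     }
     if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemoveCount() > 0) {
         $saveSecurableItem = true;
         foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemove() as $permitable) {
             $securableItem->removePermissions($permitable, Permission::READ, Permission::ALLOW);
             self::syncReadPermissionsOptimization($securableItem, $permitable, false);
         }
     }
     if ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemoveCount() > 0) {
         $saveSecurableItem = true;
         foreach ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemove() as $permitable) {
             $securableItem->removePermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER, Permission::ALLOW);
             self::syncReadPermissionsOptimization($securableItem, $permitable, false);
         }
     }
     if (!$saveSecurableItem) {
         return true;
     }
     return self::saveWithoutProcessingWorkflow($securableItem);
 }

 /**
  * Keeps the read-permission optimization data in step with a permission that was just added or removed.
  * @param SecurableItem $securableItem
  * @param mixed $permitable expected to be a Group or a User
  * @param boolean $granted true after addPermissions(), false after removePermissions()
  * @throws NotSupportedException() when $permitable is neither a Group nor a User
  */
 private static function syncReadPermissionsOptimization(SecurableItem $securableItem, $permitable, $granted)
 {
     if ($permitable instanceof Group) {
         if ($granted) {
             ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable);
         } else {
             ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable);
         }
     } elseif ($permitable instanceof User) {
         if ($granted) {
             ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable);
         } else {
             ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable);
         }
     } else {
         throw new NotSupportedException();
     }
 }

 /**
  * Saves the item with workflow processing temporarily switched off and restores the previous
  * setting afterwards, also when save() throws.
  * @param SecurableItem $securableItem
  * @return boolean result of SecurableItem::save()
  */
 private static function saveWithoutProcessingWorkflow(SecurableItem $securableItem)
 {
     $setBackToProcess = (bool)$securableItem->shouldProcessWorkflowOnSave();
     if ($setBackToProcess) {
         $securableItem->setDoNotProcessWorkflowOnSave();
     }
     try {
         $saved = $securableItem->save();
     } catch (Exception $e) {
         if ($setBackToProcess) {
             $securableItem->setProcessWorkflowOnSave();
         }
         throw $e;
     }
     if ($setBackToProcess) {
         $securableItem->setProcessWorkflowOnSave();
     }
     return $saved;
 }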
コード例 #6
 /**
  * Global search as a regular user: no module rights gives 'No Results Found', module rights alone
  * still give 'No Results Found', and each model jimmy is given read on then shows up in the results.
  * @depends testGetGlobalSearchResultsByPartialTermUsingScope
  */
 public function testGetGlobalSearchResultsByPartialTermWithRegularUserAndElevationStepsForRegularUser()
 {
     //Unfrozen, there are too many attributes that have to be columns in the database at this point, so
     //now this is just a frozen test.
     if (!RedBeanDatabase::isFrozen()) {
         return;
     }
     $super = User::getByUsername('super');
     $jimmy = User::getByUsername('jimmy');
     Yii::app()->user->userModel = $super;
     //Jimmy does not have read access, so he should not be able to see any results.
     $deniedRights = array(
         'AccountsModule'      => AccountsModule::RIGHT_ACCESS_ACCOUNTS,
         'ContactsModule'      => ContactsModule::RIGHT_ACCESS_CONTACTS,
         'OpportunitiesModule' => OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES,
     );
     foreach ($deniedRights as $moduleName => $rightName) {
         $this->assertEquals(Right::DENY, $jimmy->getEffectiveRight($moduleName, $rightName));
     }
     Yii::app()->user->userModel = $jimmy;
     $noResults = array(array('href' => '', 'label' => 'No Results Found', 'iconClass' => ''));
     $this->assertEquals($noResults, self::searchAnimalAsCurrentUser());
     //Give Jimmy access to the module, he still will not be able to see results.
     Yii::app()->user->userModel = $super;
     $jimmy->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
     $jimmy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS);
     $jimmy->setRight('LeadsModule', LeadsModule::RIGHT_ACCESS_LEADS);
     $jimmy->setRight('OpportunitiesModule', OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES);
     $this->assertTrue($jimmy->save());
     Yii::app()->user->userModel = $jimmy;
     $this->assertEquals($noResults, self::searchAnimalAsCurrentUser());
     //Give Jimmy read on 1 model.  The search then should pick up this model.
     Yii::app()->user->userModel = $super;
     $accounts = Account::getByName('The Zoo');
     $this->assertEquals(1, count($accounts));
     $this->giveJimmyReadOn($accounts[0], $jimmy);
     Yii::app()->user->userModel = $jimmy;
     $data = self::searchAnimalAsCurrentUser();
     $this->assertEquals(1, count($data));
     $this->assertEquals('The Zoo', $data[0]['label']);
     //Give Jimmy read on 2 more models.  The search then should pick up these models.
     Yii::app()->user->userModel = $super;
     $contacts = Contact::getByName('Big Elephant');
     $this->assertEquals(1, count($contacts));
     $this->giveJimmyReadOn($contacts[0], $jimmy);
     $opportunities = Opportunity::getByName('Animal Crackers');
     $this->assertEquals(1, count($opportunities));
     $this->giveJimmyReadOn($opportunities[0], $jimmy);
     Yii::app()->user->userModel = $jimmy;
     $data = self::searchAnimalAsCurrentUser();
     $this->assertEquals(3, count($data));
     $this->assertEquals('The Zoo', $data[0]['label']);
     $this->assertEquals('Big Elephant', $data[1]['label']);
     $this->assertEquals('Animal Crackers', $data[2]['label']);
 }

 /**
  * Runs the global search for 'animal' (limit 5) as the currently logged-in user.
  * @return array
  */
 private static function searchAnimalAsCurrentUser()
 {
     return ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
 }

 /**
  * Checks jimmy has no permission on $model yet, grants read, saves, and updates the
  * read-permission optimization data so the grant is visible to searches.
  * @param SecurableItem $model
  * @param User $jimmy
  */
 private function giveJimmyReadOn($model, $jimmy)
 {
     $this->assertEquals(Permission::NONE, $model->getEffectivePermissions($jimmy));
     $model->addPermissions($jimmy, Permission::READ);
     $this->assertTrue($model->save());
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($model, $jimmy);
 }
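 /**
  * Slide 16: when user u1 is (pretend-)deleted, the munge rows that existed only because of u1
  * (u1's own account A1, u1's explicit read on A2, and u1's membership in G1/G3) disappear, leaving
  * only the group rows on A3.
  * @depends testGroupDeleted_Slide15
  */
 public function testUserDeleted_Slide16()
 {
     $u1 = User::getByUsername('u1.');
     $u99 = User::getByUsername('u99.');
     Yii::app()->user->userModel = $u99;
     $g1 = Group::getByName('G1.');
     $g2 = Group::getByName('G2.');
     $g3 = Group::getByName('G3.');
     // u1 is in G1; G1 is in G2 and contains G3.
     $g1->users->add($u1);
     $this->assertTrue($g1->save());
     $g2->groups->add($g1);
     $this->assertTrue($g2->save());
     $g1->groups->add($g3);
     $this->assertTrue($g1->save());
     Yii::app()->user->userModel = $u1;
     $a1 = new Account();
     $a1->name = 'A1.';
     $this->assertTrue($a1->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a1);
     Yii::app()->user->userModel = $u99;
     $a2 = new Account();
     $a2->name = 'A2.';
     $a2->addPermissions($u1, Permission::READ);
     $this->assertTrue($a2->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a2);
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($a2, $u1);
     $a3 = new Account();
     $a3->name = 'A3.';
     $a3->addPermissions($g1, Permission::READ);
     $this->assertTrue($a3->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a3);
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($a3, $g1);
     $this->assertEquals(array(array('A1', 'R2', 1), array('A1', 'R3', 1), array('A2', 'R2', 1), array('A2', 'R3', 1), array('A2', 'U1', 1), array('A3', 'G1', 1), array('A3', 'G3', 1), array('A3', 'R2', 1), array('A3', 'R3', 1)), self::getAccountMungeRows());
     $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
     $u1->testBeforeDelete();
     //Called in User->beforeDelete();
     //ReadPermissionsOptimizationUtil::userBeingDeleted($u1);
     // $u1->delete(); // Not really deleting it, to avoid messing up the ids.
     $this->assertEquals(array(array('A3', 'G1', 1), array('A3', 'G3', 1)), self::getAccountMungeRows());
     //$this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt()); // Can't do this because
     // of not really deleting the user.
     Yii::app()->user->userModel = $u1;
     $a1->delete();
     Yii::app()->user->userModel = $u99;
     $a2->delete();
     $a3->delete();
     // Tear the group relationships back down for the tests that follow.
     $g1->users->removeAll();
     $g1->groups->removeAll();
     $this->assertTrue($g1->save());
     // Was removeall(); PHP resolves it case-insensitively but the casing now matches the other calls.
     $g2->groups->removeAll();
     $this->assertTrue($g2->save());
 }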
コード例 #8
ファイル: PermissionsTest.php プロジェクト: youprofit/Zurmo
 /**
  * Effective permissions combine what a user holds directly with what his group holds, and
  * Account::getAll() as that user only returns the accounts he can read.
  */
 public function testGettingWithPermissions()
 {
     $accounts = Account::getAll();
     $this->assertTrue(count($accounts) >= 2);
     $firstAccount  = $accounts[0];
     $secondAccount = $accounts[1];
     $bobby      = User::getByUsername('bobby');
     $salesStaff = Group::getByName('Sales Staff');
     $this->assertTrue($salesStaff->contains($bobby));
     // Neither the user nor his group holds anything on either account yet.
     foreach (array($firstAccount, $secondAccount) as $account) {
         foreach (array($bobby, $salesStaff) as $permitable) {
             $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($permitable));
         }
     }
     $firstAccount->addPermissions($bobby, Permission::READ);
     $firstAccount->addPermissions($salesStaff, Permission::WRITE);
     $this->assertTrue($firstAccount->save());
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($firstAccount, $bobby);
     $secondAccount->addPermissions($bobby, Permission::WRITE);
     $secondAccount->addPermissions($salesStaff, Permission::CHANGE_OWNER);
     $this->assertTrue($secondAccount->save());
     // The user's effective permissions are the union of his own and his group's.
     $this->assertEquals(Permission::READ | Permission::WRITE, $firstAccount->getEffectivePermissions($bobby));
     $this->assertEquals(Permission::WRITE, $firstAccount->getEffectivePermissions($salesStaff));
     $this->assertEquals(Permission::WRITE | Permission::CHANGE_OWNER, $secondAccount->getEffectivePermissions($bobby));
     $this->assertEquals(Permission::CHANGE_OWNER, $secondAccount->getEffectivePermissions($salesStaff));
     // Logged in as the user, only the account he has read on is listed.
     Yii::app()->user->userModel = $bobby;
     $visibleAccounts = Account::getAll();
     $this->assertEquals(1, count($visibleAccounts));
     $this->assertTrue($visibleAccounts[0]->isSame($firstAccount));
     unset($firstAccount, $secondAccount, $bobby, $salesStaff);
     RedBeanModel::forgetAll();
     Permission::removeAll();
 }