/**
 * Declares the rights filters for this controller (Yii filter format).
 *
 * The first filter applies the users-module access right to every action
 * except those listed after " - ". The original note explains two groups of
 * exclusions: modalList and autoComplete are available to all users
 * regardless of that right, and details, edit, changePassword and
 * securityDetails are checked through resolveCanCurrentUserAccessAction
 * instead. NOTE(review): that note names modalSearchList while the list
 * below excludes modalList - confirm the intended action name. The other
 * excluded actions (profile, auditEventsModalList, configurationEdit,
 * emailConfiguration, autoCompleteForMultiSelectAutoComplete,
 * confirmTimeZone, changeAvatar) are not explained here; every action on
 * this list bypasses the access-right filter entirely and must enforce its
 * own check.
 *
 * create requires the module create right, massEdit and
 * massEditProgressSave require the ZurmoModule bulk-write right, and
 * emailConfiguration additionally passes through the email-configuration
 * filter bound to this controller.
 *
 * @return array list of filter specifications
 */
public function filters()
{
    $rightsPath = ZurmoBaseController::RIGHTS_FILTER_PATH;
    return array(
        array(
            $rightsPath . ' - modalList, autoComplete, details, profile, edit, auditEventsModalList, changePassword, configurationEdit, emailConfiguration, securityDetails, autoCompleteForMultiSelectAutoComplete, confirmTimeZone, changeAvatar',
            'moduleClassName' => 'UsersModule',
            'rightName'       => UsersModule::getAccessRight(),
        ),
        array(
            $rightsPath . ' + create',
            'moduleClassName' => 'UsersModule',
            'rightName'       => UsersModule::getCreateRight(),
        ),
        array(
            $rightsPath . ' + massEdit, massEditProgressSave',
            'moduleClassName' => 'ZurmoModule',
            'rightName'       => ZurmoModule::RIGHT_BULK_WRITE,
        ),
        array(
            self::EMAIL_CONFIGURATION_FILTER_PATH . ' + emailConfiguration',
            'controller' => $this,
        ),
    );
}
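/**
 * Exercises the REST authorization checks of the users API as a non-admin.
 *
 * The user 'steven' is created with only the web-API login right and must
 * be refused read, update and delete of another user. After the users-module
 * access and create rights are granted, the same calls (on the same session)
 * must succeed, and a final read of the deleted user must fail. Note that
 * the test expects delete to succeed with access + create rights only; no
 * separate delete right is involved in this API path.
 *
 * @depends testListUsers
 */
public function testUnprivilegedUserViewUpdateDeleteUsers()
{
    Yii::app()->user->userModel = User::getByUsername('super');
    $notAllowedUser = UserTestHelper::createBasicUser('Steven');
    $notAllowedUser->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
    // An unchecked failed save would otherwise surface as an obscure login failure below.
    $this->assertTrue($notAllowedUser->save());

    $everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME);
    $this->assertTrue($everyoneGroup->save());
    // Target user; expected to exist from the test this one depends on.
    $user = User::getByUsername('diggy011');
    $data = array('firstName' => 'Sam');

    // Authenticate once as the unprivileged user. The session is deliberately
    // reused after the rights change below, so the later successes reflect
    // the granted rights rather than a fresh login.
    $authenticationData = $this->login('steven', 'steven');
    $headers = array(
        'Accept: application/json',
        'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'],
        'ZURMO_TOKEN: ' . $authenticationData['token'],
        'ZURMO_API_REQUEST_TYPE: REST',
    );

    // Without the users-module access right, view, edit and delete must all be refused.
    $response = $this->callUsersApi('read/' . $user->id, 'GET', $headers);
    $this->assertNoRightsResponse($response);
    $response = $this->callUsersApi('update/' . $user->id, 'PUT', $headers, array('data' => $data));
    $this->assertNoRightsResponse($response);
    $response = $this->callUsersApi('delete/' . $user->id, 'DELETE', $headers);
    $this->assertNoRightsResponse($response);

    // Now grant module rights (but no explicit per-record permissions).
    $notAllowedUser->setRight('UsersModule', UsersModule::getAccessRight());
    $notAllowedUser->setRight('UsersModule', UsersModule::getCreateRight());
    $this->assertTrue($notAllowedUser->save());

    $response = $this->callUsersApi('read/' . $user->id, 'GET', $headers);
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);

    $response = $this->callUsersApi('update/' . $user->id, 'PUT', $headers, array('data' => $data));
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
    $this->assertEquals('Sam', $response['data']['firstName']);

    $response = $this->callUsersApi('delete/' . $user->id, 'DELETE', $headers);
    $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);

    // The deleted user must no longer be readable.
    $response = $this->callUsersApi('read/' . $user->id, 'GET', $headers);
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
}

/**
 * Issues one REST call against the users API and decodes the JSON body.
 *
 * @param string     $relativeUrl action path such as 'read/<id>'
 * @param string     $method      HTTP method
 * @param array      $headers     request headers including the session/token
 * @param array|null $params      request body, omitted from the call when null
 * @return array decoded response
 */
private function callUsersApi($relativeUrl, $method, array $headers, $params = null)
{
    // Only pass the body argument when one is given so the call shape matches
    // the underlying helper's defaults for body-less requests.
    if ($params === null) {
        $response = $this->createApiCallWithRelativeUrl($relativeUrl, $method, $headers);
    } else {
        $response = $this->createApiCallWithRelativeUrl($relativeUrl, $method, $headers, $params);
    }
    return json_decode($response, true);
}

/**
 * Asserts that a decoded API response is the standard "no rights" refusal.
 *
 * @param array $response decoded response
 */
private function assertNoRightsResponse(array $response)
{
    $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
    $this->assertEquals('You do not have rights to perform this action.', $response['message']);
}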