예제 #1
 /**
  * Builds the action filter chain for this controller.
  *
  * The UsersModule access-right filter is applied to every action except
  * the listed ones: modalList and autoComplete are open to all users
  * regardless of that right, while details, edit, changePassword and
  * securityDetails are guarded by resolveCanCurrentUserAccessAction
  * instead (the remaining exclusions are handled the same way or are
  * self-service actions on the current user — presumably; confirm per
  * action before changing the list). Creation is tied to the UsersModule
  * create right, mass edit to the Zurmo bulk-write right, and
  * emailConfiguration additionally passes through the email configuration
  * filter of this controller.
  *
  * @return array filter specifications in Yii's array form
  *               ('path.to.Filter [+|- actions]', 'param' => value)
  */
 public function filters()
 {
     $rightsFilterPath = ZurmoBaseController::RIGHTS_FILTER_PATH;
     $actionsOutsideAccessRight = 'modalList, autoComplete, details, profile, edit, auditEventsModalList, changePassword, configurationEdit, emailConfiguration, securityDetails, autoCompleteForMultiSelectAutoComplete, confirmTimeZone, changeAvatar';
     return array(
         array(
             $rightsFilterPath . ' - ' . $actionsOutsideAccessRight,
             'moduleClassName' => 'UsersModule',
             'rightName'       => UsersModule::getAccessRight(),
         ),
         array(
             $rightsFilterPath . ' + create',
             'moduleClassName' => 'UsersModule',
             'rightName'       => UsersModule::getCreateRight(),
         ),
         array(
             $rightsFilterPath . ' + massEdit, massEditProgressSave',
             'moduleClassName' => 'ZurmoModule',
             'rightName'       => ZurmoModule::RIGHT_BULK_WRITE,
         ),
         array(
             self::EMAIL_CONFIGURATION_FILTER_PATH . ' + emailConfiguration',
             'controller' => $this,
         ),
     );
 }
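 /**
  * Extends the parent filter chain so that getAuthenticatedUser and
  * searchUsersByEmails are excluded from the UsersModule access-right
  * filter, i.e. they are reachable by any authenticated API user.
  *
  * Only the parent entry whose path is the rights filter path and whose
  * moduleClassName/rightName name the UsersModule access right is
  * touched; all other filters are passed through unchanged. If the parent
  * ever stops emitting such an entry the loop matches nothing and the two
  * actions simply stay guarded (fail closed). The exclusion is appended as
  * a further " - action, action" suffix to a spec that already carries
  * one, which relies on the filter-chain parser matching action names
  * anywhere after the first +/- marker — TODO confirm against that parser.
  *
  * NOTE(review): every action listed here bypasses the module access
  * right, so it must enforce its own checks; verify that before adding to
  * the list.
  *
  * @return array the parent's filter specifications with the extra exclusions
  */
 public function filters()
 {
     $filters = parent::filters();
     foreach ($filters as $key => $filter) {
         if ($this->isUsersModuleAccessRightFilter($filter)) {
             $filters[$key][0] .= ' - getAuthenticatedUser, searchUsersByEmails';
         }
     }
     return $filters;
 }

 /**
  * Whether one filter entry is the rights filter guarding the UsersModule
  * access right. Strict comparison is used so that a non-string path or
  * module name can never loosely compare equal to the expected strings.
  *
  * @param mixed $filter a single entry of the array returned by filters()
  * @return bool
  */
 private function isUsersModuleAccessRightFilter($filter)
 {
     return is_array($filter)
         && isset($filter[0])
         && $filter[0] === self::getRightsFilterPath()
         && isset($filter['moduleClassName'])
         && $filter['moduleClassName'] === 'UsersModule'
         && isset($filter['rightName'])
         && $filter['rightName'] === UsersModule::getAccessRight();
 }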
 /**
  * Records whether the current user holds the UsersModule access right.
  *
  * Sets currentUserCanAccessUsers to true when RightsUtil allows the
  * right for Yii::app()->user->userModel; when it does not, the property
  * is left untouched (presumably it defaults to false — confirm on the
  * property declaration). Actions that consult this flag therefore rely
  * on init() having run for the current request.
  */
 protected function init()
 {
     $accessRight = UsersModule::getAccessRight();
     $currentUser = Yii::app()->user->userModel;
     $hasAccessRight = RightsUtil::doesUserHaveAllowByRightName('UsersModule', $accessRight, $currentUser);
     if (!$hasAccessRight) {
         return;
     }
     $this->currentUserCanAccessUsers = true;
 }
예제 #4
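 /**
  * Verifies that the REST user actions enforce UsersModule rights.
  *
  * A freshly created user holding only the web-API login right must be
  * refused read, update and delete on another user's record, each call
  * returning STATUS_FAILURE with the "no rights" message. Once that user
  * is granted the UsersModule access and create rights the same three
  * calls succeed, and a read after the delete fails because the record is
  * gone.
  *
  * The target user 'diggy011' is presumably created by testListUsers,
  * hence the dependency — confirm if that test changes.
  *
  * @depends testListUsers
  */
 public function testUnprivilegedUserViewUpdateDeleteUsers()
 {
     Yii::app()->user->userModel = User::getByUsername('super');
     // Only the web-API login right: enough to authenticate, not to touch users.
     $notAllowedUser = UserTestHelper::createBasicUser('Steven');
     $notAllowedUser->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     // Assert the save like the second one below; a silent failure here would
     // make the later "no rights" failures pass for the wrong reason.
     $this->assertTrue($notAllowedUser->save());
     $everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME);
     $this->assertTrue($everyoneGroup->save());
     $user = User::getByUsername('diggy011');
     $data = array('firstName' => 'Sam');
     $noRightsMessage = 'You do not have rights to perform this action.';
     // Test with unprivileged user to view, edit and delete account.
     $authenticationData = $this->login('steven', 'steven');
     $headers = array(
         'Accept: application/json',
         'ZURMO_SESSION_ID: ' . $authenticationData['sessionId'],
         'ZURMO_TOKEN: ' . $authenticationData['token'],
         'ZURMO_API_REQUEST_TYPE: REST',
     );
     $response = $this->createApiCallWithRelativeUrl('read/' . $user->id, 'GET', $headers);
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
     $this->assertEquals($noRightsMessage, $response['message']);
     $response = $this->createApiCallWithRelativeUrl('update/' . $user->id, 'PUT', $headers, array('data' => $data));
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
     $this->assertEquals($noRightsMessage, $response['message']);
     $response = $this->createApiCallWithRelativeUrl('delete/' . $user->id, 'DELETE', $headers);
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
     $this->assertEquals($noRightsMessage, $response['message']);
     // Now grant the module rights (still no explicit per-record permissions)
     // and expect the same session to be allowed through.
     $notAllowedUser->setRight('UsersModule', UsersModule::getAccessRight());
     $notAllowedUser->setRight('UsersModule', UsersModule::getCreateRight());
     $saved = $notAllowedUser->save();
     $this->assertTrue($saved);
     $response = $this->createApiCallWithRelativeUrl('read/' . $user->id, 'GET', $headers);
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
     $response = $this->createApiCallWithRelativeUrl('update/' . $user->id, 'PUT', $headers, array('data' => $data));
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
     $this->assertEquals('Sam', $response['data']['firstName']);
     $response = $this->createApiCallWithRelativeUrl('delete/' . $user->id, 'DELETE', $headers);
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_SUCCESS, $response['status']);
     // The record is gone, so a further read must fail.
     $response = $this->createApiCallWithRelativeUrl('read/' . $user->id, 'GET', $headers);
     $response = json_decode($response, true);
     $this->assertEquals(ApiResponse::STATUS_FAILURE, $response['status']);
 }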