public static function setUpBeforeClass()
{
parent::setUpBeforeClass();
SecurityTestHelper::createSuperAdmin();
$super = User::getByUsername('super');
Yii::app()->user->userModel = $super;
AllPermissionsOptimizationUtil::rebuild();
//Add the nobody user to an account, but only read only.
$nobody = User::getByUsername('nobody');
$account = AccountTestHelper::createAccountByNameForOwner('superAccountReadableByNobody', Yii::app()->user->userModel);
$account->addPermissions($nobody, Permission::READ, Permission::ALLOW);
assert($account->save());
// Not Coding Standard
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $nobody);
//Give the nobody user rights to the accounts module.
$nobody->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
$nobody->setRight('AccountsModule', AccountsModule::RIGHT_CREATE_ACCOUNTS);
assert($nobody->save());
// Not Coding Standard
$everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME);
assert($everyoneGroup->save());
// Not Coding Standard
$group1 = new Group();
$group1->name = 'Group1';
assert($group1->save());
// Not Coding Standard
}
public static function setUpBeforeClass()
{
parent::setUpBeforeClass();
SecurityTestHelper::createSuperAdmin();
Yii::app()->user->userModel = User::getByUsername('super');
AllPermissionsOptimizationUtil::rebuild();
SecurityTestHelper::createUsers();
$billy = User::getByUsername('billy');
EmailMessageTestHelper::createEmailAccount($billy);
$billy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS);
$billy->setRight('ContactsModule', ContactsModule::RIGHT_CREATE_CONTACTS);
$billy->setRight('ContactsModule', ContactsModule::RIGHT_DELETE_CONTACTS);
assert($billy->save());
// Not Coding Standard
$contact = ContactTestHelper::createContactByNameForOwner('sally', Yii::app()->user->userModel);
$contact->primaryEmail = new Email();
$contact->primaryEmail->emailAddress = '*****@*****.**';
$contact->secondaryEmail->emailAddress = '*****@*****.**';
$contact->addPermissions($billy, Permission::READ);
$contact->addPermissions($billy, Permission::WRITE);
$contact->save();
$molly = ContactTestHelper::createContactByNameForOwner('molly', User::getByUsername('bobby'));
$molly->primaryEmail = new Email();
$molly->primaryEmail->emailAddress = '*****@*****.**';
$molly->secondaryEmail->emailAddress = '*****@*****.**';
$molly->save();
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contact, $billy);
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create superAccount owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$superAccount = AccountTestHelper::createAccountByNameForOwner('AccountsForElevationToModelTest', $super);
//Test nobody, access to details of superAccount should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->setGetArray(array('id' => $superAccount->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//give nobody access to read
Yii::app()->user->userModel = $super;
$superAccount->addPermissions($nobody, Permission::READ);
$this->assertTrue($superAccount->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($superAccount, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $superAccount->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//create meeting for an superAccount using the super user
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$meeting = MeetingTestHelper::createMeetingWithOwnerAndRelatedAccount('meetingCreatedByNobody', $super, $superAccount);
//Test nobody, access to edit, details and delete of meeting should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give nobody access to details view only
Yii::app()->user->userModel = $super;
$meeting->addPermissions($nobody, Permission::READ);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($meeting, $nobody);
//Now access to meetings view by Nobody should not fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Now access to meetings edit and delete by Nobody should fail
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give nobody access to both details and edit view
Yii::app()->user->userModel = $super;
$meeting->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($meeting, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting, $nobody);
//Now access to meetings view and edit by Nobody should not fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Now access to meetings delete by Nobody should fail
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//revoke the permission from the nobody user to access the meeting
Yii::app()->user->userModel = $super;
$meeting->removePermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($meeting, $nobody);
//Now nobodys, access to edit, details and delete of meetings should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give nobody access to both details and edit view
Yii::app()->user->userModel = $super;
$meeting->addPermissions($nobody, Permission::READ_WRITE_DELETE);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting, $nobody);
//Now nobodys, access to delete of meetings should not fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('meetings/default/delete');
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create account owned by super
$account2 = AccountTestHelper::createAccountByNameForOwner('AccountsParentRolePermission', $super);
//Test userInParentRole, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $account2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$account2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($account2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($account2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $account2->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $account2->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//create a meeting owned by super
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$meeting2 = MeetingTestHelper::createMeetingWithOwnerAndRelatedAccount('meetingCreatedBySuperForRole', $super, $account2);
//Test userInChildRole, access to meetings details, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to meetings details, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give userInChildRole access to READ permision for meetings
Yii::app()->user->userModel = $super;
$meeting2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($meeting2, $userInChildRole);
//Test userInChildRole, access to meetings details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInChildRole, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to meetings details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInParentRole, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give userInChildRole access to read and write for the meetings
Yii::app()->user->userModel = $super;
$meeting2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($meeting2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting2, $userInChildRole);
//Test userInChildRole, access to meetings edit should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInChildRole, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to meetings edit should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInParentRole, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//revoke userInChildRole access to read and write meetings
Yii::app()->user->userModel = $super;
$meeting2->removePermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($meeting2, $userInChildRole);
//Test userInChildRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give userInChildRole access to read and write for the meetings
Yii::app()->user->userModel = $super;
$meeting2->addPermissions($userInChildRole, Permission::READ_WRITE_DELETE);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting2, $userInChildRole);
//Test userInParentRole, access to delete should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('meetings/default/delete');
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to accounts and creation of accounts.
$userInChildGroup->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
$this->assertTrue($userInChildGroup->save());
//create account owned by super
$account3 = AccountTestHelper::createAccountByNameForOwner('testingAccountsParentGroupPermission', $super);
//Test userInParentGroup, access to details should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//Test userInChildGroup, access to details should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$account3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($account3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($account3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//Test userInChildGroup, access to details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//create a meeting owned by super
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$meeting3 = MeetingTestHelper::createMeetingWithOwnerAndRelatedAccount('mettingCreatedBySuperForGroup', $super, $account3);
//Add access for the confused user to accounts and creation of accounts.
$userInChildGroup->setRight('MeetingsModule', MeetingsModule::RIGHT_ACCESS_MEETINGS);
$userInChildGroup->setRight('MeetingsModule', MeetingsModule::RIGHT_CREATE_MEETINGS);
$userInChildGroup->setRight('MeetingsModule', MeetingsModule::RIGHT_DELETE_MEETINGS);
$this->assertTrue($userInChildGroup->save());
//Test userInParentGroup, access to meetings details and edit should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInChildGroup, access to meetings details and edit should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$meeting3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($meeting3, $parentGroup);
//Test userInParentGroup, access to meetings details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInParentGroup, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInChildGroup, access to meetings details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInChildGroup, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$meeting3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($meeting3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($meeting3, $parentGroup);
//Test userInParentGroup, access to edit meetings should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInParentGroup, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInChildGroup, access to edit meetings should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInChildGroup, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//revoke parentGroup access to meetings read and write
Yii::app()->user->userModel = $super;
$meeting3->removePermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($meeting3, $parentGroup);
//Test userInChildGroup, access to meetings detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentGroup, access to meetings detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$meeting3->addPermissions($parentGroup, Permission::READ_WRITE_DELETE);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($meeting3, $parentGroup);
//Test userInChildGroup, access to meetings delete should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('meetings/default/delete');
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create project owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$project = ProjectTestHelper::createProjectByNameForOwner('projectForElevationToModelTest', $super);
//Test nobody, access to edit and details should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->runControllerWithNoExceptionsAndGetContent('projects/default/dashboardDetails');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/delete');
//give nobody access to read
Yii::app()->user->userModel = $super;
$project->addPermissions($nobody, Permission::READ);
$this->assertTrue($project->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($project, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $project->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
//Test nobody, access to edit should fail.
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/delete');
$projectId = $project->id;
$project->forget();
$project = Project::getById($projectId);
//give nobody access to read and write
Yii::app()->user->userModel = $super;
$project->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
//TODO :Its wierd that giving opportunity errors
$this->assertTrue($project->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($project, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($project, $nobody);
//Now the nobody user should be able to access the edit view and still the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $project->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
$projectId = $project->id;
$project->forget();
$project = Project::getById($projectId);
//revoke nobody access to read
Yii::app()->user->userModel = $super;
$project->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS, Permission::DENY);
$this->assertTrue($project->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($project, $nobody);
//Test nobody, access to detail should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create project owned by super
$project2 = ProjectTestHelper::createProjectByNameForOwner('testingParentRolePermission', $super);
//Test userInParentRole, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$project2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($project2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($project2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
$projectId = $project2->id;
$project2->forget();
$project2 = Project::getById($projectId);
//give userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$project2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($project2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($project2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($project2, $userInChildRole);
//Test userInChildRole, access to edit should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
//Test userInParentRole, access to edit should not fail.
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInParentRole->username);
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
$projectId = $project2->id;
$project2->forget();
$project2 = Project::getById($projectId);
//revoke userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$project2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS, Permission::DENY);
$this->assertTrue($project2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($project2, $userInChildRole);
//Test userInChildRole, access to detail should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//Test userInParentRole, access to detail should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to Products and creation of Products.
$userInChildGroup->setRight('ProjectsModule', ProjectsModule::RIGHT_ACCESS_PROJECTS);
$userInChildGroup->setRight('ProjectsModule', ProjectsModule::RIGHT_CREATE_PROJECTS);
$this->assertTrue($userInChildGroup->save());
//create project owned by super
$project3 = ProjectTestHelper::createProjectByNameForOwner('testingParentGroupPermission', $super);
//Test userInParentGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//Test userInChildGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$project3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($project3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($project3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
//Test userInChildGroup, access to details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
$projectId = $project3->id;
$project3->forget();
$project3 = Project::getById($projectId);
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$project3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($project3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($project3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($project3, $parentGroup);
//Test userInParentGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
//Test userInChildGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
$projectId = $project3->id;
$project3->forget();
$project3 = Project::getById($projectId);
//revoke parentGroup access to read and write
Yii::app()->user->userModel = $super;
$project3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS, Permission::DENY);
$this->assertTrue($project3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($project3, $parentGroup);
//Test userInChildGroup, access to detail should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//Test userInParentGroup, access to detail should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
//clear up the role relationships between users so not to effect next assertions
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create contact web form owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$contactWebForm = ContactWebFormTestHelper::createContactWebFormByName('contactWebFormForElevationToModelTest', $super);
//Test nobody, access to edit and details should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
//give nobody access to read
Yii::app()->user->userModel = $super;
$contactWebForm->addPermissions($nobody, Permission::READ);
$this->assertTrue($contactWebForm->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($contactWebForm, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
//Test nobody, access to edit should fail.
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm->id;
$contactWebForm->forget();
$contactWebForm = ContactWebForm::getById($contactWebFormId);
//give nobody access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($contactWebForm, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contactWebForm, $nobody);
//Now the nobody user should be able to access the edit view and still the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm->id;
$contactWebForm->forget();
$contactWebForm = ContactWebForm::getById($contactWebFormId);
//revoke nobody access to read
Yii::app()->user->userModel = $super;
$contactWebForm->removePermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($contactWebForm, $nobody);
//Test nobody, access to detail should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create web form owned by super
$contactWebForm2 = ContactWebFormTestHelper::createContactWebFormByName('testingParentRolePermission', $super);
//Test userInParentRole, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$contactWebForm2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($contactWebForm2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($contactWebForm2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
$contactWebFormId = $contactWebForm2->id;
$contactWebForm2->forget();
$contactWebForm2 = ContactWebForm::getById($contactWebFormId);
//give userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($contactWebForm2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contactWebForm2, $userInChildRole);
//Test userInChildRole, access to edit should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
//Test userInParentRole, access to edit should not fail.
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInParentRole->username);
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm2->id;
$contactWebForm2->forget();
$contactWebForm2 = ContactWebForm::getById($contactWebFormId);
//revoke userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm2->removePermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($contactWebForm2, $userInChildRole);
//Test userInChildRole, access to detail should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//Test userInParentRole, access to detail should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to ContactWebForms and creation of ContactWebForms.
$userInChildGroup->setRight('ContactWebFormsModule', ContactWebFormsModule::RIGHT_ACCESS_CONTACT_WEB_FORMS);
$userInChildGroup->setRight('ContactWebFormsModule', ContactWebFormsModule::RIGHT_CREATE_CONTACT_WEB_FORMS);
$this->assertTrue($userInChildGroup->save());
//create web form owned by super
$contactWebForm3 = ContactWebFormTestHelper::createContactWebFormByName('testingParentGroupPermission', $super);
//Test userInParentGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//Test userInChildGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$contactWebForm3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($contactWebForm3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($contactWebForm3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
//Test userInChildGroup, access to details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
$contactWebFormId = $contactWebForm3->id;
$contactWebForm3->forget();
$contactWebForm3 = ContactWebForm::getById($contactWebFormId);
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($contactWebForm3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($contactWebForm3, $parentGroup);
//Test userInParentGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
//Test userInChildGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm3->id;
$contactWebForm3->forget();
$contactWebForm3 = ContactWebForm::getById($contactWebFormId);
//revoke parentGroup access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm3->removePermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($contactWebForm3, $parentGroup);
//Test userInChildGroup, access to detail should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//Test userInParentGroup, access to detail should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
//clear up the role relationships between users so not to effect next assertions
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
/**
* @depends testResolveElementForEditableRender
*/
public function testResolveElementForNonEditableRender()
{
$betty = User::getByUsername('betty');
$billy = User::getByUsername('billy');
$contactForBetty = ContactTestHelper::createContactByNameForOwner("betty's contact2", $betty);
$contactForBetty->account = AccountTestHelper::createAccountByNameForOwner('BillyCompany', $billy);
$this->assertTrue($contactForBetty->save());
$accountId = $contactForBetty->account->id;
$nullElementInformation = array('attributeName' => null, 'type' => 'Null');
//test non ModelElement, should pass through without modification.
$elementInformation = array('attributeName' => 'something', 'type' => 'Text');
$referenceElementInformation = $elementInformation;
FormLayoutSecurityUtil::resolveElementForNonEditableRender($contactForBetty, $referenceElementInformation, $betty);
$this->assertEquals($elementInformation, $referenceElementInformation);
//test Acc ModelElement
//Betty will see a nullified Element because Betty cannot access read the related account
$elementInformation = array('attributeName' => 'account', 'type' => 'Account');
$noLinkElementInformation = array('attributeName' => 'account', 'type' => 'Account', 'noLink' => true);
$referenceElementInformation = $elementInformation;
FormLayoutSecurityUtil::resolveElementForNonEditableRender($contactForBetty, $referenceElementInformation, $betty);
$this->assertEquals($nullElementInformation, $referenceElementInformation);
$this->assertEquals(Right::ALLOW, $betty->getEffectiveRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS));
//Betty can see the account with a link, because she has been added for Permission::READ on the account.
//and she has access to the accounts tab.
$account = Account::getById($accountId);
$account->addPermissions($betty, Permission::READ);
$this->assertTrue($account->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $betty);
$referenceElementInformation = $elementInformation;
FormLayoutSecurityUtil::resolveElementForNonEditableRender($contactForBetty, $referenceElementInformation, $betty);
$this->assertEquals($elementInformation, $referenceElementInformation);
//Removing Betty's access to the accounts tab means she will see the element, but without a link
$betty->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS, Right::DENY);
$this->assertTrue($betty->save());
$referenceElementInformation = $elementInformation;
FormLayoutSecurityUtil::resolveElementForNonEditableRender($contactForBetty, $referenceElementInformation, $betty);
$this->assertEquals($noLinkElementInformation, $referenceElementInformation);
//Testing UserElement
$elementInformation = array('attributeName' => 'owner', 'type' => 'User');
$noLinkElementInformation = array('attributeName' => 'owner', 'type' => 'User', 'noLink' => true);
//Super can see related user picker link without a problem.
$referenceElementInformation = $elementInformation;
FormLayoutSecurityUtil::resolveElementForNonEditableRender($contactForBetty, $referenceElementInformation, User::getByUsername('super'));
$this->assertEquals($elementInformation, $referenceElementInformation);
//Betty can also see related user name, but not a link.
$referenceElementInformation = $elementInformation;
$this->assertEquals(Right::DENY, $betty->getEffectiveRight('UsersModule', UsersModule::RIGHT_ACCESS_USERS));
FormLayoutSecurityUtil::resolveElementForNonEditableRender($contactForBetty, $referenceElementInformation, $betty);
$this->assertEquals($noLinkElementInformation, $referenceElementInformation);
}
public function testResolveContactAndMetricsSummary()
{
//Test with super
$content = CampaignItemSummaryListViewColumnAdapter::resolveContactAndMetricsSummary($this->campaignItem);
$this->assertContains('test testson', $content);
//Betty dont have access to contact
$betty = User::getByUsername('betty');
Yii::app()->user->userModel = $betty;
$content = CampaignItemSummaryListViewColumnAdapter::resolveContactAndMetricsSummary($this->campaignItem);
$this->assertContains('You cannot see this contact due to limited access', $content);
//Giving betty access to contact
Yii::app()->user->userModel = User::getByUsername('super');
$this->contact->addPermissions($betty, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER);
$this->assertTrue($this->contact->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($this->contact, $betty);
//Forgetting campaignItem is needed because of commit - aeedffa06467
//Not entirely sure why this is the case though. It only affects tests when securityOptimization is false
$this->campaignItem->forgetAll();
$campaigns = Campaign::getAll();
$this->campaignItem = $campaigns[0]->campaignItems[0];
//Betty has now access to contact but not the emailMessage
Yii::app()->user->userModel = $betty;
$content = CampaignItemSummaryListViewColumnAdapter::resolveContactAndMetricsSummary($this->campaignItem);
$this->assertContains('You cannot see the performance metrics due to limited access', $content);
//Giving betty access to emailMessage
Yii::app()->user->userModel = User::getByUsername('super');
$emailMessage = $this->campaignItem->emailMessage;
$emailMessage->addPermissions($betty, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER);
$this->assertTrue($emailMessage->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($emailMessage, $betty);
//Betty has now access to contact and emailMessage
Yii::app()->user->userModel = $betty;
$content = CampaignItemSummaryListViewColumnAdapter::resolveContactAndMetricsSummary($this->campaignItem);
$this->assertContains('test testson', $content);
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create lead owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$lead = LeadTestHelper::createLeadByNameForOwner('leadForElevationToModelTest', $super);
//Test nobody, access to edit, details and delete should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give nobody access to read
Yii::app()->user->userModel = $super;
$lead->addPermissions($nobody, Permission::READ);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($lead, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test nobody, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give nobody access to read and write
Yii::app()->user->userModel = $super;
$lead->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($lead, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead, $nobody);
//Now the nobody user should be able to access the edit view and still the details view
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test nobody, access to delete should fail.
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//revoke nobody access to read
Yii::app()->user->userModel = $super;
$lead->removePermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($lead, $nobody);
//Test nobody, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give nobody access to read, write and delete
Yii::app()->user->userModel = $super;
$lead->addPermissions($nobody, Permission::READ_WRITE_DELETE);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead, $nobody);
//now nobody should be able to delete a lead
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('leads/default/delete', Yii::app()->createUrl('leads/default/index'));
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create lead owned by super
$lead2 = LeadTestHelper::createLeadByNameForOwner('leadsParentRolePermission', $super);
//Test userInChildRole, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$lead2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($lead2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInChildRole, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInParentRole, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$lead2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($lead2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead2, $userInChildRole);
//Test userInChildRole, access to edit and delete should not fail and also detaisl view must be accessible.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInChildRole, access to delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to edit should not fail.
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInParentRole->username);
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInParentRole, access to delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//revoke userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$lead2->removePermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($lead2, $userInChildRole);
//Test userInChildRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give userInChildRole access to read, write and delete
Yii::app()->user->userModel = $super;
$lead2->addPermissions($userInChildRole, Permission::READ_WRITE_DELETE);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead2, $userInChildRole);
//Test userInParentRole, access to delete should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('leads/default/delete', Yii::app()->createUrl('leads/default/index'));
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to leads and creation of leads.
$userInChildGroup->setRight('LeadsModule', LeadsModule::RIGHT_ACCESS_LEADS);
$userInChildGroup->setRight('LeadsModule', LeadsModule::RIGHT_CREATE_LEADS);
$userInChildGroup->setRight('LeadsModule', LeadsModule::RIGHT_DELETE_LEADS);
$this->assertTrue($userInChildGroup->save());
//create lead owned by super
$lead3 = LeadTestHelper::createLeadByNameForOwner('leadsParentGroupPermission', $super);
//Test userInParentGroup, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInChildGroup, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$lead3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($lead3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInParentGroup, access to delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInChildGroup, access to edit and details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInChildGroup, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$lead3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($lead3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($lead3, $parentGroup);
//Test userInParentGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInParentGroup, access to delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInChildGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInChildGroup, access to delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//revoke parentGroup access to read and write
Yii::app()->user->userModel = $super;
$lead3->removePermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($lead3, $parentGroup);
//Test userInChildGroup, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentGroup, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give parentGroup access to read, write and delete
Yii::app()->user->userModel = $super;
$lead3->addPermissions($parentGroup, Permission::READ_WRITE_DELETE);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($lead3, $parentGroup);
//Test userInChildGroup, access to delete should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithRedirectExceptionAndGetContent('leads/default/delete', Yii::app()->createUrl('leads/default/index'));
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
/**
* Walkthrough test for synchronous download
*/
public function testDownloadDefaultControllerActions()
{
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$accounts = array();
for ($i = 0; $i < 2; $i++) {
$accounts[] = AccountTestHelper::createAccountByNameForOwner('superAccount' . $i, $super);
}
// Check if access is denied if user doesn't have access privileges at all to export actions
Yii::app()->user->userModel = User::getByUsername('nobody');
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
// Provide no ids and without selectALl options.
// This should be result with error and redirect to module page.
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/list');
$this->setGetArray(array('Account_page' => '1', 'export' => '', 'ajax' => '', 'selectAll' => '', 'selectedIds' => ''));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/export');
// Check if user have access to module action, but not to export action
//Now test peon with elevated rights to accounts
$nobody->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
$nobody->setRight('AccountsModule', AccountsModule::RIGHT_CREATE_ACCOUNTS);
$nobody->setRight('AccountsModule', AccountsModule::RIGHT_DELETE_ACCOUNTS);
$nobody->setRight('ExportModule', ExportModule::RIGHT_ACCESS_EXPORT);
$this->assertTrue($nobody->save());
// Check if access is denied if user doesn't have access privileges at all to export actions
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
Yii::app()->user->userModel = User::getByUsername('nobody');
// Provide no ids and without selectALl options.
// This should be result with error and redirect to module page.
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/list');
$this->setGetArray(array('Account_page' => '1', 'export' => '', 'ajax' => '', 'selectAll' => '', 'selectedIds' => ''));
$response = $this->runControllerWithRedirectExceptionAndGetUrl('accounts/default/export');
$this->assertTrue(strstr($response, 'accounts/default/index') !== false);
$this->setGetArray(array('AccountsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'), 'anyMixedAttributes' => '', 'name' => 'superAccount', 'officePhone' => ''), 'multiselect_AccountsSearchForm_anyMixedAttributesScope' => 'All', 'selectAll' => '1', 'selectedIds' => '', 'Account_page' => '1', 'export' => '', 'ajax' => ''));
$response = $this->runControllerWithRedirectExceptionAndGetUrl('accounts/default/export');
$this->assertTrue(strstr($response, 'accounts/default/index') !== false);
$this->setGetArray(array('AccountsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'), 'anyMixedAttributes' => '', 'name' => '', 'officePhone' => ''), 'multiselect_AccountsSearchForm_anyMixedAttributesScope' => 'All', 'selectAll' => '', 'selectedIds' => "{$accounts[0]->id}, {$accounts[1]->id}", 'Account_page' => '1', 'export' => '', 'ajax' => ''));
$response = $this->runControllerWithRedirectExceptionAndGetUrl('accounts/default/export');
$this->assertTrue(strstr($response, 'accounts/default/index') !== false);
$this->assertContains('There is no data to export.', Yii::app()->user->getFlash('notification'));
//give nobody access to read and write
Yii::app()->user->userModel = $super;
foreach ($accounts as $account) {
$account->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $nobody);
$this->assertTrue($account->save());
}
//Now the nobody user should be able to access the edit view and still the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('AccountsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'), 'anyMixedAttributes' => '', 'name' => '', 'officePhone' => ''), 'multiselect_AccountsSearchForm_anyMixedAttributesScope' => 'All', 'selectAll' => '1', 'selectedIds' => '', 'Account_page' => '1', 'export' => '', 'ajax' => ''));
$response = $this->runControllerWithExitExceptionAndGetContent('accounts/default/export');
$this->assertEquals('Testing download.', $response);
$this->setGetArray(array('AccountsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'), 'anyMixedAttributes' => '', 'name' => '', 'officePhone' => ''), 'multiselect_AccountsSearchForm_anyMixedAttributesScope' => 'All', 'selectAll' => '', 'selectedIds' => "{$accounts[0]->id}, {$accounts[1]->id}", 'Account_page' => '1', 'export' => '', 'ajax' => ''));
$response = $this->runControllerWithExitExceptionAndGetContent('accounts/default/export');
$this->assertEquals('Testing download.', $response);
// No matches
$this->setGetArray(array('AccountsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'), 'anyMixedAttributes' => '', 'name' => 'missingName', 'officePhone' => ''), 'multiselect_AccountsSearchForm_anyMixedAttributesScope' => 'All', 'Account_page' => '1', 'selectAll' => '1', 'selectedIds' => '', 'export' => '', 'ajax' => ''));
$response = $this->runControllerWithRedirectExceptionAndGetUrl('accounts/default/export');
$this->assertTrue(strstr($response, 'accounts/default/index') !== false);
}
/**
* @depends testGetGlobalSearchResultsByPartialTermUsingScope
*/
public function testGetGlobalSearchResultsByPartialTermWithRegularUserAndElevationStepsForRegularUser()
{
$super = User::getByUsername('super');
$jimmy = User::getByUsername('jimmy');
Yii::app()->user->userModel = $super;
//Jimmy does not have read access, so he should not be able to see any results.
$this->assertEquals(Right::DENY, $jimmy->getEffectiveRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS));
$this->assertEquals(Right::DENY, $jimmy->getEffectiveRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS));
$this->assertEquals(Right::DENY, $jimmy->getEffectiveRight('OpportunitiesModule', OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES));
Yii::app()->user->userModel = $jimmy;
$data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
$this->assertEquals(array(array('href' => '', 'label' => 'No Results Found', 'iconClass' => '')), $data);
//Give Jimmy access to the module, he still will not be able to see results.
Yii::app()->user->userModel = $super;
$jimmy->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
$jimmy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS);
$jimmy->setRight('LeadsModule', LeadsModule::RIGHT_ACCESS_LEADS);
$jimmy->setRight('OpportunitiesModule', OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES);
$this->assertTrue($jimmy->save());
Yii::app()->user->userModel = $jimmy;
$data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
$this->assertEquals(array(array('href' => '', 'label' => 'No Results Found', 'iconClass' => '')), $data);
//Give Jimmy read on 1 model. The search then should pick up this model.
Yii::app()->user->userModel = $super;
$accounts = Account::getByName('The Zoo');
$this->assertEquals(1, count($accounts));
$account = $accounts[0];
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions($jimmy));
$account->addPermissions($jimmy, Permission::READ);
$this->assertTrue($account->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $jimmy);
Yii::app()->user->userModel = $jimmy;
$data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
$this->assertEquals(1, count($data));
$this->assertEquals('The Zoo', $data[0]['label']);
//Give Jimmy read on 2 more models. The search then should pick up these models.
Yii::app()->user->userModel = $super;
$contacts = Contact::getByName('Big Elephant');
$this->assertEquals(1, count($contacts));
$contact = $contacts[0];
$this->assertEquals(Permission::NONE, $contact->getEffectivePermissions($jimmy));
$contact->addPermissions($jimmy, Permission::READ);
$this->assertTrue($contact->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contact, $jimmy);
$opportunities = Opportunity::getByName('Animal Crackers');
$this->assertEquals(1, count($opportunities));
$opportunity = $opportunities[0];
$this->assertEquals(Permission::NONE, $opportunity->getEffectivePermissions($jimmy));
$opportunity->addPermissions($jimmy, Permission::READ);
$this->assertTrue($opportunity->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($opportunity, $jimmy);
Yii::app()->user->userModel = $jimmy;
$data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
$this->assertEquals(3, count($data));
$this->assertEquals('The Zoo', $data[0]['label']);
$this->assertEquals('Big Elephant', $data[1]['label']);
$this->assertEquals('Animal Crackers', $data[2]['label']);
}
public function testAddAndRemoveKanbanSubscriberViaAjaxWithNormalUser()
{
//Adk Jason as why permission error is coming up here
$myuser = $this->logoutCurrentUserLoginNewUserAndGetByUsername('myuser');
$task = new Task();
$task->name = 'NewKanbanSubscriberTask';
$task->owner = $myuser;
$task->requestedByUser = self::$sally;
$this->assertTrue($task->save());
$this->setGetArray(array('id' => $task->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('tasks/default/removeKanbanSubscriber');
$this->setGetArray(array('id' => $task->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('tasks/default/addKanbanSubscriber');
//Now test peon with elevated rights to accounts
$myuser->setRight('TasksModule', TasksModule::RIGHT_ACCESS_TASKS);
$myuser->setRight('TasksModule', TasksModule::RIGHT_CREATE_TASKS);
$myuser->setRight('TasksModule', TasksModule::RIGHT_DELETE_TASKS);
$this->assertTrue($myuser->save());
$task->addPermissions($myuser, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($task->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($task, $myuser);
//Test nobody with elevated rights.
Yii::app()->user->userModel = User::getByUsername('myuser');
$this->setGetArray(array('id' => $task->id));
$content = $this->runControllerWithNoExceptionsAndGetContent('tasks/default/removeKanbanSubscriber', false);
$this->assertContains($myuser->getFullName(), $content);
$this->assertEquals(2, $task->notificationSubscribers->count());
//Now super user would be added as a subscriber as he becomes the owner
$task->owner = self::$super;
$this->assertTrue($task->save());
$content = $this->runControllerWithNoExceptionsAndGetContent('tasks/default/removeKanbanSubscriber', false);
$this->assertNotContains($myuser->getFullName(), $content);
$this->assertEquals(2, $task->notificationSubscribers->count());
$isMyUserFound = $this->checkIfUserFoundInSubscribersList($task, $myuser->id);
$this->assertFalse($isMyUserFound);
$content = $this->runControllerWithNoExceptionsAndGetContent('tasks/default/addKanbanSubscriber', false);
$this->assertContains($myuser->getFullName(), $content);
$this->assertEquals(3, $task->notificationSubscribers->count());
$isMyUserFound = $this->checkIfUserFoundInSubscribersList($task, $myuser->id);
$this->assertTrue($isMyUserFound);
}
/**
* Given a SecurableItem, add and remove permissions
* based on what the provided ExplicitReadWriteModelPermissions indicates should be done.
* Sets @see SecurableItem->setTreatCurrentUserAsOwnerForPermissions as true in order to ensure the current user
* can effectively add permissions even if the current user is no longer the owner.
* @param SecurableItem $securableItem
* @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
* @param bool $validate
* @return bool|void
* @throws NotSupportedException
*/
public static function resolveExplicitReadWriteModelPermissions(SecurableItem $securableItem, ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions, $validate = false)
{
assert('$securableItem->id > 0');
$optimizeReadPermissions = $securableItem::hasReadPermissionsOptimization();
$securableItem->setTreatCurrentUserAsOwnerForPermissions(true);
$saveSecurableItem = false;
if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesCount() > 0) {
$saveSecurableItem = true;
foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitables() as $permitable) {
if ($securableItem->addPermissions($permitable, Permission::READ) && $optimizeReadPermissions) {
if ($permitable instanceof Group) {
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemGivenPermissionsForGroup($securableItem);
} elseif ($permitable instanceof User) {
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemGivenPermissionsForUser($securableItem);
} else {
throw new NotSupportedException();
}
}
}
}
if ($explicitReadWriteModelPermissions->getReadWritePermitablesCount() > 0) {
$saveSecurableItem = true;
foreach ($explicitReadWriteModelPermissions->getReadWritePermitables() as $permitable) {
if ($securableItem->addPermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER) && $optimizeReadPermissions) {
if ($permitable instanceof Group) {
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemGivenPermissionsForGroup($securableItem);
} elseif ($permitable instanceof User) {
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemGivenPermissionsForUser($securableItem);
} else {
throw new NotSupportedException();
}
}
}
}
if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemoveCount() > 0) {
$saveSecurableItem = true;
foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemove() as $permitable) {
$securableItem->removePermissions($permitable, Permission::READ, Permission::ALLOW);
if ($optimizeReadPermissions) {
if ($permitable instanceof Group) {
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemLostPermissionsForGroup($securableItem);
} elseif ($permitable instanceof User) {
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemLostPermissionsForUser($securableItem);
} else {
throw new NotSupportedException();
}
}
}
}
if ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemoveCount() > 0) {
$saveSecurableItem = true;
foreach ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemove() as $permitable) {
$securableItem->removePermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER, Permission::ALLOW);
if ($optimizeReadPermissions) {
if ($permitable instanceof Group) {
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemLostPermissionsForGroup($securableItem);
} elseif ($permitable instanceof User) {
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable);
ReadPermissionsSubscriptionUtil::securableItemLostPermissionsForUser($securableItem);
} else {
throw new NotSupportedException();
}
}
}
}
if ($saveSecurableItem) {
$setBackToProcess = false;
if ($securableItem->shouldProcessWorkflowOnSave()) {
$securableItem->setDoNotProcessWorkflowOnSave();
$setBackToProcess = true;
}
$saved = $securableItem->save($validate);
if ($setBackToProcess) {
$securableItem->setProcessWorkflowOnSave();
}
$securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
return $saved;
}
$securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
return true;
}
/**
* @depends testNobodyCanReadWriteDeleteAndStrValOfNoteFunctionsCorrectly
*/
public function testAUserCanDeleteANoteNotOwnedButHasExplicitDeletePermission()
{
//Create superAccount owned by user super.
$super = User::getByUsername('super');
Yii::app()->user->userModel = $super;
$superAccount = AccountTestHelper::createAccountByNameForOwner('AccountTest', $super);
//create a nobody user
$nobody = User::getByUsername('nobody');
//create note for an superAccount using the super user
$note = NoteTestHelper::createNoteWithOwnerAndRelatedAccount('noteCreatedBySuper', $super, $superAccount);
//give nobody access to both details, edit and delete view in order to check the delete of a note
Yii::app()->user->userModel = User::getByUsername('super');
$nobody->forget();
$nobody = User::getByUsername('nobody');
$note->addPermissions($nobody, Permission::READ_WRITE_DELETE);
$this->assertTrue($note->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($note, $nobody);
Yii::app()->user->userModel = User::getByUsername('nobody');
$noteId = $note->id;
$note->forget();
$note = Note::getById($noteId);
$note->delete();
}
public function testSecurityExceptions()
{
try {
$superAdmin = User::getByUsername('super');
$originalOwner = User::getByUsername('betty');
$buddy = User::getByUsername('bernice');
$pleb = User::getByUsername('brian');
Yii::app()->user->userModel = $superAdmin;
$account = new Account();
$account->name = 'Dooble & Co';
$account->owner = $originalOwner;
$this->assertTrue($account->save());
// READ - owner can read, pleb can't.
Yii::app()->user->userModel = $originalOwner;
$this->assertEquals(Permission::ALL, $account->getEffectivePermissions());
$this->assertEquals('Dooble & Co', $account->name);
Yii::app()->user->userModel = $pleb;
try {
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions());
$name = $account->name;
$this->fail();
} catch (AccessDeniedSecurityException $e) {
$this->assertTrue($e->user->isSame($pleb));
$this->assertEquals(Permission::READ, $e->requiredPermissions);
$this->assertEquals(Permission::NONE, $e->effectivePermissions);
}
// WRITE - owner can write, pleb can't.
Yii::app()->user->userModel = $originalOwner;
$this->assertEquals(Permission::ALL, $account->getEffectivePermissions());
$account->name = 'Booble & Sons';
$this->assertTrue($account->save());
$this->assertEquals('Booble & Sons', $account->name);
Yii::app()->user->userModel = $pleb;
try {
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions());
$account->name = 'Google & Mums';
$this->fail();
} catch (AccessDeniedSecurityException $e) {
$this->assertTrue($e->user->isSame($pleb));
$this->assertEquals(Permission::WRITE, $e->requiredPermissions);
$this->assertEquals(Permission::NONE, $e->effectivePermissions);
}
// PERMISSIONS - owner can give permissions to and remove
// permissions from buddy, pleb can't change permissions.
Yii::app()->user->userModel = $originalOwner;
$this->assertEquals(Permission::ALL, $account->getEffectivePermissions());
$account->addPermissions($buddy, Permission::READ);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $buddy);
$this->assertTrue($account->save());
Yii::app()->user->userModel = $buddy;
$this->assertEquals(Permission::READ, $account->getEffectivePermissions());
$this->assertEquals('Booble & Sons', $account->name);
Yii::app()->user->userModel = $pleb;
try {
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions());
$account->addPermissions($pleb, Permission::ALL);
$this->fail();
} catch (AccessDeniedSecurityException $e) {
$this->assertTrue($e->user->isSame($pleb));
$this->assertEquals(Permission::CHANGE_PERMISSIONS, $e->requiredPermissions);
$this->assertEquals(Permission::NONE, $e->effectivePermissions);
}
Yii::app()->user->userModel = $originalOwner;
$account->removePermissions($buddy, Permission::READ, Permission::ALLOW_DENY);
$this->assertTrue($account->save());
// CHANGE_OWNER - owner gives the account to his buddy,
// pleb can't change the owner.
Yii::app()->user->userModel = $originalOwner;
$this->assertEquals(Permission::ALL, $account->getEffectivePermissions());
$account->owner = $buddy;
$this->assertTrue($account->save());
Yii::app()->user->userModel = $pleb;
try {
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions());
$account->owner = $pleb;
$this->fail();
} catch (AccessDeniedSecurityException $e) {
$this->assertTrue($e->user->isSame($pleb));
$this->assertEquals(Permission::CHANGE_OWNER, $e->requiredPermissions);
$this->assertEquals(Permission::NONE, $e->effectivePermissions);
}
// DELETE - pleb can't delete, the original
// owner can't either, the new owner deletes it.
Yii::app()->user->userModel = $pleb;
try {
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions());
$account->delete();
$this->fail();
} catch (AccessDeniedSecurityException $e) {
$this->assertTrue($e->user->isSame($pleb));
$this->assertEquals(Permission::DELETE, $e->requiredPermissions);
$this->assertEquals(Permission::NONE, $e->effectivePermissions);
}
Yii::app()->user->userModel = $originalOwner;
try {
$this->assertEquals(Permission::NONE, $account->getEffectivePermissions());
$account->delete();
$this->fail();
} catch (AccessDeniedSecurityException $e) {
$this->assertTrue($e->user->isSame($originalOwner));
$this->assertEquals(Permission::DELETE, $e->requiredPermissions);
$this->assertEquals(Permission::NONE, $e->effectivePermissions);
}
Yii::app()->user->userModel = $buddy;
$account->delete();
unset($account);
unset($originalOwner);
unset($buddy);
unset($pleb);
RedBeanModel::forgetAll();
Permission::deleteAll();
} catch (AccessDeniedSecurityException $e) {
echo 'Access denied security exception details - ';
echo "current user: {$e->user}, ";
echo 'required:' . Permission::permissionsToString($e->requiredPermissions) . ', ';
echo 'effective:' . Permission::permissionsToString($e->effectivePermissions) . "\n";
throw $e;
}
}
