framework/tests/integration/api/Controller/UpdateUserControllerTest.php

<?php

/*
 * This file is part of Flarum.
 *
 * (c) Toby Zerner <toby.zerner@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Flarum\Tests\integration\api\Controller;

use Flarum\Api\Controller\UpdateUserController;
use Flarum\User\User;

class UpdateUserControllerTest extends ApiControllerTestCase
{
    protected $controller = UpdateUserController::class;

    protected $data = [
        'email' => 'newemail@machine.local',
    ];

    public function setUp()
    {
        parent::setUp();

        $this->prepareDatabase([
            'users' => [
                $this->adminUser(),
                $this->normalUser(),
            ],
            'groups' => [
                $this->adminGroup(),
                $this->memberGroup(),
            ],
            'group_user' => [
                ['user_id' => 1, 'group_id' => 1],
                ['user_id' => 2, 'group_id' => 3],
            ],
            'group_permission' => [
                ['permission' => 'viewUserList', 'group_id' => 3],
            ]
        ]);
    }

    /**
     * @test
     */
    public function users_can_see_their_private_information()
    {
        $this->actor = User::find(2);

        $response = $this->callWith([], ['id' => 2]);

        // Test for successful response and that the email is included in the response
        $this->assertEquals(200, $response->getStatusCode());
        $this->assertContains('normal@machine.local', (string) $response->getBody());
    }

    /**
     * @test
     */
    public function users_can_not_see_other_users_private_information()
    {
        $this->actor = User::find(2);

        $response = $this->callWith([], ['id' => 1]);

        // Make sure sensitive information is not made public
        $this->assertEquals(200, $response->getStatusCode());
        $this->assertNotContains('admin@machine.local', (string) $response->getBody());
    }
}
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00			`<?php`

			`/*`
			`* This file is part of Flarum.`
			`*`
			`* (c) Toby Zerner <toby.zerner@gmail.com>`
			`*`
			`* For the full copyright and license information, please view the LICENSE`
			`* file that was distributed with this source code.`
			`*/`

Move integration tests to separate directory Again, we do all of this to prepare for creating "real" test suites for each type of tests. 2019-01-02 05:17:09 +08:00			`namespace Flarum\Tests\integration\api\Controller;`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00
			`use Flarum\Api\Controller\UpdateUserController;`
Make integration tests independent This creates a dedicated test suite for integration tests. All of them can be run independently, and there is no order dependency - previously, all integration tests needed the installer test to run first, and they would fail if installation failed. Now, the developer will have to set up a Flarum database to be used by these tests. A setup script to make this simple will be added in the next commit. Small tradeoff: the installer is NOT tested in our test suite anymore, only implicitly through the setup script. If we decide that this is a problem, we can still set up separate, dedicated installer tests which should probably test the web installer. 2019-01-31 04:15:27 +08:00			`use Flarum\User\User;`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00
			`class UpdateUserControllerTest extends ApiControllerTestCase`
			`{`
			`protected $controller = UpdateUserController::class;`

			`protected $data = [`
			`'email' => 'newemail@machine.local',`
			`];`

Make integration tests independent This creates a dedicated test suite for integration tests. All of them can be run independently, and there is no order dependency - previously, all integration tests needed the installer test to run first, and they would fail if installation failed. Now, the developer will have to set up a Flarum database to be used by these tests. A setup script to make this simple will be added in the next commit. Small tradeoff: the installer is NOT tested in our test suite anymore, only implicitly through the setup script. If we decide that this is a problem, we can still set up separate, dedicated installer tests which should probably test the web installer. 2019-01-31 04:15:27 +08:00			`public function setUp()`
			`{`
			`parent::setUp();`

			`$this->prepareDatabase([`
			`'users' => [`
			`$this->adminUser(),`
			`$this->normalUser(),`
			`],`
			`'groups' => [`
			`$this->adminGroup(),`
			`$this->memberGroup(),`
			`],`
			`'group_user' => [`
			`['user_id' => 1, 'group_id' => 1],`
			`['user_id' => 2, 'group_id' => 3],`
			`],`
			`'group_permission' => [`
			`['permission' => 'viewUserList', 'group_id' => 3],`
			`]`
			`]);`
			`}`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00
			`/**`
			`* @test`
			`*/`
			`public function users_can_see_their_private_information()`
			`{`
Make integration tests independent This creates a dedicated test suite for integration tests. All of them can be run independently, and there is no order dependency - previously, all integration tests needed the installer test to run first, and they would fail if installation failed. Now, the developer will have to set up a Flarum database to be used by these tests. A setup script to make this simple will be added in the next commit. Small tradeoff: the installer is NOT tested in our test suite anymore, only implicitly through the setup script. If we decide that this is a problem, we can still set up separate, dedicated installer tests which should probably test the web installer. 2019-01-31 04:15:27 +08:00			`$this->actor = User::find(2);`

			`$response = $this->callWith([], ['id' => 2]);`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00
			`// Test for successful response and that the email is included in the response`
			`$this->assertEquals(200, $response->getStatusCode());`
Make integration tests independent This creates a dedicated test suite for integration tests. All of them can be run independently, and there is no order dependency - previously, all integration tests needed the installer test to run first, and they would fail if installation failed. Now, the developer will have to set up a Flarum database to be used by these tests. A setup script to make this simple will be added in the next commit. Small tradeoff: the installer is NOT tested in our test suite anymore, only implicitly through the setup script. If we decide that this is a problem, we can still set up separate, dedicated installer tests which should probably test the web installer. 2019-01-31 04:15:27 +08:00			`$this->assertContains('normal@machine.local', (string) $response->getBody());`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00			`}`

			`/**`
			`* @test`
			`*/`
			`public function users_can_not_see_other_users_private_information()`
			`{`
Make integration tests independent This creates a dedicated test suite for integration tests. All of them can be run independently, and there is no order dependency - previously, all integration tests needed the installer test to run first, and they would fail if installation failed. Now, the developer will have to set up a Flarum database to be used by these tests. A setup script to make this simple will be added in the next commit. Small tradeoff: the installer is NOT tested in our test suite anymore, only implicitly through the setup script. If we decide that this is a problem, we can still set up separate, dedicated installer tests which should probably test the web installer. 2019-01-31 04:15:27 +08:00			`$this->actor = User::find(2);`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00
			`$response = $this->callWith([], ['id' => 1]);`

			`// Make sure sensitive information is not made public`
			`$this->assertEquals(200, $response->getStatusCode());`
Make integration tests independent This creates a dedicated test suite for integration tests. All of them can be run independently, and there is no order dependency - previously, all integration tests needed the installer test to run first, and they would fail if installation failed. Now, the developer will have to set up a Flarum database to be used by these tests. A setup script to make this simple will be added in the next commit. Small tradeoff: the installer is NOT tested in our test suite anymore, only implicitly through the setup script. If we decide that this is a problem, we can still set up separate, dedicated installer tests which should probably test the web installer. 2019-01-31 04:15:27 +08:00			`$this->assertNotContains('admin@machine.local', (string) $response->getBody());`
Add regression test for email crawling vulnerability Refs #1628. 2018-11-09 18:22:43 +08:00			`}`
			`}`