framework/tests/integration/api/users/UpdateTest.php

663 lines
18 KiB
PHP
Raw Normal View History

<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Tests\integration\api\users;
use Carbon\Carbon;
use Flarum\Tests\integration\RetrievesAuthorizedUsers;
use Flarum\Tests\integration\TestCase;
class UpdateTest extends TestCase
{
use RetrievesAuthorizedUsers;
/**
* @inheritDoc
*/
2020-03-28 08:26:26 +08:00
protected function setUp(): void
{
parent::setUp();
$this->prepareDatabase([
'users' => [
$this->normalUser(),
[
'id' => 3,
'username' => 'normal2',
'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure"
'email' => 'normal2@machine.local',
'is_email_confirmed' => 1,
]
],
]);
}
protected function giveNormalUsersEditPerms()
{
$this->prepareDatabase([
'group_permission' => [
['permission' => 'user.edit', 'group_id' => 3],
['permission' => 'user.editCredentials', 'group_id' => 3],
['permission' => 'user.editGroups', 'group_id' => 3],
],
]);
}
/**
* @test
*/
public function users_can_see_their_private_information()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [],
])
);
// Test for successful response and that the email is included in the response
$this->assertEquals(200, $response->getStatusCode());
$this->assertStringContainsString('normal@machine.local', (string) $response->getBody());
}
/**
* @test
*/
public function users_can_not_see_other_users_private_information()
{
$response = $this->send(
$this->request('PATCH', '/api/users/1', [
'authenticatedAs' => 2,
'json' => [],
])
);
// Make sure sensitive information is not made public
$this->assertEquals(200, $response->getStatusCode());
$this->assertStringNotContainsString('admin@machine.local', (string) $response->getBody());
}
/**
* @test
*
* This tests the generic user.edit permission used for non-credential/group attributes
*/
public function users_can_update_own_avatar()
{
$response = $this->send(
$this->request('DELETE', '/api/users/2/avatar', [
'authenticatedAs' => 2,
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_own_email_if_password_wrong()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
],
'meta' => [
'password' => 'notTheRightPassword!'
]
]
],
])
);
$this->assertEquals(401, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_update_own_email()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
]
],
'meta' => [
'password' => 'too-obscure'
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_own_username()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'username' => 'iCantChangeThis',
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_update_own_preferences()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'preferences' => [
'something' => 'else'
]
],
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_own_groups()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => [
['id'=> 1, 'type' => 'group']
]
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_update_marked_all_as_read()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'markedAllAsReadAt' => Carbon::now()
],
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_activate_themselves()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'isEmailConfirmed' => true
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*
* This tests the generic user.edit permission used for non-credential/group attributes
*/
public function users_cant_update_others_avatars_without_permission()
{
$response = $this->send(
$this->request('DELETE', '/api/users/2/avatar', [
'authenticatedAs' => 3,
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_others_emails_without_permission()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
]
],
'meta' => [
'password' => 'too-obscure'
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_others_usernames_without_permission()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'username' => 'iCantChangeThis',
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_others_groups_without_permission()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => [
['id'=> 1, 'type' => 'group']
]
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_activate_others_without_permission()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'isEmailConfirmed' => true
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*
* This tests the generic user.edit permission used for non-credential/group attributes
*/
public function users_can_update_others_avatars_with_permissions()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('DELETE', '/api/users/2/avatar', [
'authenticatedAs' => 3,
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_update_others_emails_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
]
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_update_others_usernames_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'username' => 'iCanChangeThis',
],
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_admin_emails_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/1', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
]
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_update_admin_usernames_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/1', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'username' => 'iCanChangeThis',
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_update_others_groups_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => [
['id'=> 4, 'type' => 'group']
]
]
],
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function regular_users_cant_demote_admins_even_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/1', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => []
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function regular_users_cant_promote_others_to_admin_even_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => [
['id'=> 1, 'type' => 'group']
]
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function regular_users_cant_promote_self_to_admin_even_with_permission()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/3', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => [
['id'=> 1, 'type' => 'group']
]
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_activate_others_even_with_permissions()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 2,
'json' => [
'data' => [
'attributes' => [
'isEmailConfirmed' => true
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function admins_cant_update_others_preferences()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 1,
'json' => [
'data' => [
'attributes' => [
'preferences' => [
'something' => 'else'
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function admins_cant_update_marked_all_as_read()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 1,
'json' => [
'data' => [
'attributes' => [
'markedAllAsReadAt' => Carbon::now()
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
/**
* @test
*/
public function admins_can_activate_others()
{
$response = $this->send(
$this->request('PATCH', '/api/users/2', [
'authenticatedAs' => 1,
'json' => [
'data' => [
'attributes' => [
'isEmailConfirmed' => true
],
]
],
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function admins_cant_demote_self()
{
$this->giveNormalUsersEditPerms();
$response = $this->send(
$this->request('PATCH', '/api/users/1', [
'authenticatedAs' => 1,
'json' => [
'data' => [
'relationships' => [
'groups' => [
'data' => [
]
]
],
]
],
])
);
$this->assertEquals(403, $response->getStatusCode());
}
}