Commit Graph

29 Commits

Author SHA1 Message Date
Franz Liedke
10d6e653cb Apply fixes from StyleCI
[ci skip] [skip ci]
2020-02-04 22:59:05 +01:00
Daniel Klabbers
3b3459ad3d incorrect ability used, drop prefix discussion. 2020-02-04 22:59:04 +01:00
Daniel Klabbers
223f4d93d4 test only on the hidePosts policy ability 2020-02-04 22:59:04 +01:00
Daniël Klabbers
521834f5da [review] using orWhere to allow any where to follow in extensions 2020-02-04 22:59:04 +01:00
Daniël Klabbers
622e2a6644 fixes #1827
- set default statement to block access
- added tests to confirm all scenarios work as intended
2020-02-04 22:59:04 +01:00
David Sevilla Martin
3526083320 Add test for discussion posts being deleted on discussion delete from DB 2020-02-04 22:59:04 +01:00
David Sevilla Martin
82562294b7 Fix failing tests 2020-02-04 22:59:04 +01:00
Franz Liedke
f903487ef3 Revert search performance regression
We decided it is better to have a less intelligent search (that does not
match search terms in titles) for some people than a bad-performing
search for everyone.

We will revisit the search performance topic in the next release cycle,
possibly with larger changes around indexing.

Refs #1738, #1741, #1764.
2020-02-04 22:59:03 +01:00
Franz Liedke
86d890d043 Restore beta.9 behavior of assertCan()
In flarum/core#1854, I changed the implementation of `assertCan()` to be
more aware of the user's log-in status. I came across this when unifying
our API's response status code when actors are not authenticated or not
authorized to do something.

@luceos rightfully had to tweak this again in ea84fc4, because the
behavior changed for one of the few API endpoints that checked for a
permission that even guests can have.

It turns out having this complex behavior in `assertCan()` is quite
misleading, because the name suggests a simple permission check and
nothing more.

Where we actually want to differ between HTTP 401 and 403, we can do
this using two method calls, and enforce it with our tests.

If this turns out to be problematic or extremely common, we can revisit
this and introduce a method with a different, better name in the future.

This commit restores the method's behavior in the last release, so we
also avoid another breaking change for extensions.
2020-02-04 22:59:02 +01:00
Franz Liedke
ab0ba707e7 Add a test for viewUserList guest permission
This test would have failed without commit ea84fc4. Next, I will revert
that commit and most of my PR #1854, so we need this test to ensure the
API continues to behave as desired.
2020-02-04 22:59:02 +01:00
Franz Liedke
04b2cf4462 Apply fixes from StyleCI
[ci skip] [skip ci]
2020-02-04 22:59:02 +01:00
Franz Liedke
28e3ec4014 Convert more controller tests to feature tests 2020-02-04 22:59:02 +01:00
Franz Liedke
1e55361539 Send a HTTP 401 for incorrect login credentials
This fixes a regression from #1843 and #1854. Now, the frontend again
shows the proper "Incorrect login details" message instead of "You
do not have permission to do that".
2020-02-04 22:59:02 +01:00
Franz Liedke
e80f5429d0 Convert another controller test to feature test
Decouple from implementation, test closer to HTTP...
2020-02-04 22:59:02 +01:00
Franz Liedke
f779f4d092 Fix failing test 2020-02-04 22:58:48 +01:00
Franz Liedke
47a528305b Restore error details in JSON-API error formatter
Fixes #1865. Refs #1843.
2020-02-04 22:58:48 +01:00
Franz Liedke
6121229c6f Convert controller test to request test
This further decouples these tests from the implementation (i.e. which
controller are we calling?).
2020-02-04 22:58:48 +01:00
Franz Liedke
f7222d7e20 Fix inconsistent status codes
HTTP 401 should be used when logging in (i.e. authenticating) would make
a difference; HTTP 403 is reserved for requests that fail because the
already authenticated user is not authorized (i.e. lacking permissions)
to do something.
2020-02-04 22:58:28 +01:00
Franz Liedke
ddfb2c1ec1 API Client: Use new error handling mechanism 2020-02-04 22:37:25 +01:00
Franz Liedke
a737b98e7f Bypass CSRF token check when using access tokens
Fixes #1828.
2020-02-04 22:37:24 +01:00
Franz Liedke
970c0f5604 PHPUnit: Get rid of deprecated annotation
Refs #1795.
2020-02-04 22:37:24 +01:00
Franz Liedke
0a22a66189 Prevent MySQL search operators from taking effect
We do not want to inherit MySQL's fulltext query language, so let's
just drop all non-word characters from the search term.

Fixes #1498.
2020-02-04 22:37:24 +01:00
luceos
1948b7e6f4 Apply fixes from StyleCI
[ci skip] [skip ci]
2020-02-04 21:11:08 +00:00
Franz Liedke
d66d2aa26e
Convert more helpers in tests 2019-07-06 01:30:59 +02:00
Franz Liedke
8e86d38804 Merge pull request from GHSA-3wjh-93gr-chh6
* Integration tests: Memoize request handler as well

This is useful to send HTTP requests (or their PSR-7 equivalents)
through the entire application's middleware stack (instead of
talking to specific controllers, which should be considered
implementation detail).

* Add tests for CSRF token check

* Integration tests: Configure vendor path

Now that this is possible, make the easy change...

* Implement middleware for CSRF token verification

This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.

* Accept CSRF token in request body as well

* Refactor tests to shorten HTTP requests

Multiple tests now provide JSON request bodies, and others copy cookies
from previous responses, so let's provide convenient helpers for these.

* Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware

* Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set.
Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default.

* added custom view, now needs translation
2019-06-24 09:14:38 +02:00
Franz Liedke
d822a6f84c
Apply fixes from StyleCI (#1756)
[ci skip] [skip ci]
2019-03-07 00:22:15 +01:00
Franz Liedke
26c3bcdb74
Add regression test for #1738
This should ensure we can always search for search terms that appear
either only in the subject or only in the text of discussions.
2019-03-07 00:21:43 +01:00
Franz Liedke
cf746079ed
Make integration tests independent
This creates a dedicated test suite for integration tests. All of them
can be run independently, and there is no order dependency - previously,
all integration tests needed the installer test to run first, and they
would fail if installation failed.

Now, the developer will have to set up a Flarum database to be used by
these tests. A setup script to make this simple will be added in the
next commit.

Small tradeoff: the installer is NOT tested in our test suite anymore,
only implicitly through the setup script. If we decide that this is a
problem, we can still set up separate, dedicated installer tests which
should probably test the web installer.
2019-02-03 20:39:32 +01:00
Franz Liedke
4d10536d35
Move integration tests to separate directory
Again, we do all of this to prepare for creating "real" test suites for
each type of tests.
2019-02-01 19:01:12 +01:00