mirror of
https://github.com/flarum/framework.git
synced 2024-12-12 06:03:39 +08:00
86d890d043
In flarum/core#1854, I changed the implementation of `assertCan()` to be
more aware of the user's log-in status. I came across this when unifying
our API's response status code when actors are not authenticated or not
authorized to do something.
@luceos rightfully had to tweak this again in ea84fc4, because the
behavior changed for one of the few API endpoints that checked for a
permission that even guests can have.
It turns out having this complex behavior in `assertCan()` is quite
misleading, because the name suggests a simple permission check and
nothing more.
Where we actually want to differ between HTTP 401 and 403, we can do
this using two method calls, and enforce it with our tests.
If this turns out to be problematic or extremely common, we can revisit
this and introduce a method with a different, better name in the future.
This commit restores the method's behavior in the last release, so we
also avoid another breaking change for extensions.
86 lines
1.9 KiB
PHP
86 lines
1.9 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of Flarum.
|
|
*
|
|
* For detailed copyright and license information, please view the
|
|
* LICENSE file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Flarum\Tests\integration\api\users;
|
|
|
|
use Flarum\Group\Permission;
|
|
use Flarum\Tests\integration\RetrievesAuthorizedUsers;
|
|
use Flarum\Tests\integration\TestCase;
|
|
|
|
class ListTest extends TestCase
|
|
{
|
|
use RetrievesAuthorizedUsers;
|
|
|
|
public function setUp()
|
|
{
|
|
parent::setUp();
|
|
|
|
$this->prepareDatabase([
|
|
'users' => [
|
|
$this->adminUser(),
|
|
],
|
|
'groups' => [
|
|
$this->adminGroup(),
|
|
$this->guestGroup(),
|
|
],
|
|
'group_permission' => [],
|
|
'group_user' => [
|
|
['user_id' => 1, 'group_id' => 1],
|
|
],
|
|
'access_tokens' => [
|
|
['token' => 'admintoken', 'user_id' => 1],
|
|
],
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
*/
|
|
public function disallows_index_for_guest()
|
|
{
|
|
$response = $this->send(
|
|
$this->request('GET', '/api/users')
|
|
);
|
|
|
|
$this->assertEquals(403, $response->getStatusCode());
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
*/
|
|
public function shows_index_for_guest_when_they_have_permission()
|
|
{
|
|
Permission::unguarded(function () {
|
|
Permission::create([
|
|
'permission' => 'viewUserList',
|
|
'group_id' => 2,
|
|
]);
|
|
});
|
|
|
|
$response = $this->send(
|
|
$this->request('GET', '/api/users')
|
|
);
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
}
|
|
|
|
/**
|
|
* @test
|
|
*/
|
|
public function shows_index_for_admin()
|
|
{
|
|
$response = $this->send(
|
|
$this->request('GET', '/api/users')
|
|
->withHeader('Authorization', 'Token admintoken')
|
|
);
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
}
|
|
}
|