Updates permission validation method on AccessControl
Adds/updates unit tests
@ -147,14 +147,10 @@ class API {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function validatePermissions($request_method, $permissions) {
|
function validatePermissions($request_method, $permissions) {
|
||||||
// if method permission is defined, validate it
|
// validate method permission if defined, otherwise validate global permission
|
||||||
if (!empty($permissions['methods'][$request_method])) {
|
return(!empty($permissions['methods'][$request_method])) ?
|
||||||
return ($permissions['methods'][$request_method] === AccessControl::NO_ACCESS_RESTRICTION) ?
|
$this->access_control->validatePermission($permissions['methods'][$request_method]) :
|
||||||
true :
|
$this->access_control->validatePermission($permissions['global']);
|
||||||
$this->access_control->validatePermission($permissions['methods'][$request_method]);
|
|
||||||
}
|
|
||||||
// use global permission
|
|
||||||
return $this->access_control->validatePermission($permissions['global']);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function checkToken() {
|
function checkToken() {
|
||||||
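Review bot: The `!empty()` check on the new `return` line treats a method permission that is set to a falsy value (`null`, `''`, `0`, `false`) as absent and silently falls back to `$permissions['global']`, and when an endpoint declares no `'global'` key at all the fallback reads an undefined index (PHP notice) and hands `null` to `validatePermission()`; whether that denies depends on `AccessControl::validatePermission()`, which is not part of this diff. Presence should be tested with `array_key_exists()` rather than `empty()`, and the method should fail closed when neither a method-level nor a global permission is configured, as below. With the old `=== AccessControl::NO_ACCESS_RESTRICTION` short-circuit gone, the value of that constant also matters: if it were falsy, `empty()` would skip an explicitly unrestricted method and apply the global permission instead, so it is worth confirming the constant is non-empty (its definition is not visible here). `validatePermissions()` lies entirely within the hunk; `checkToken()` continues past its end.
```php
  function validatePermissions($request_method, $permissions) {
    // An explicitly configured method permission wins over the global one.
    // Presence is tested with array_key_exists() so a falsy value is not
    // mistaken for "not configured" and silently replaced by the global rule.
    if (isset($permissions['methods'])
      && array_key_exists($request_method, $permissions['methods'])
    ) {
      return $this->access_control->validatePermission($permissions['methods'][$request_method]);
    }
    if (array_key_exists('global', $permissions)) {
      return $this->access_control->validatePermission($permissions['global']);
    }
    // Neither a method nor a global permission is configured: fail closed.
    return false;
  }
```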
|
@ -1,13 +1,19 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
namespace MailPoet\Test\API\JSON;
|
namespace MailPoet\Test\API\JSON;
|
||||||
|
|
||||||
use Codeception\Util\Stub;
|
use Codeception\Util\Stub;
|
||||||
use MailPoet\API\JSON\API;
|
use Helper\WordPressHooks as WPHooksHelper;
|
||||||
use MailPoet\API\JSON\SuccessResponse;
|
use MailPoet\API\API;
|
||||||
|
use MailPoet\API\JSON\API as JSONAPI;
|
||||||
|
use MailPoet\API\JSON\Response;
|
||||||
use MailPoet\API\JSON\Response as APIResponse;
|
use MailPoet\API\JSON\Response as APIResponse;
|
||||||
|
use MailPoet\API\JSON\SuccessResponse;
|
||||||
|
use MailPoet\Config\AccessControl;
|
||||||
|
use MailPoet\WP\Hooks;
|
||||||
|
|
||||||
// required to be able to use wp_delete_user()
|
// required to be able to use wp_delete_user()
|
||||||
require_once(ABSPATH.'wp-admin/includes/user.php');
|
require_once(ABSPATH . 'wp-admin/includes/user.php');
|
||||||
require_once('APITestNamespacedEndpointStubV1.php');
|
require_once('APITestNamespacedEndpointStubV1.php');
|
||||||
require_once('APITestNamespacedEndpointStubV2.php');
|
require_once('APITestNamespacedEndpointStubV2.php');
|
||||||
|
|
||||||
@ -22,30 +28,16 @@ class APITest extends \MailPoetTest {
|
|||||||
} else {
|
} else {
|
||||||
$this->wp_user_id = $wp_user_id;
|
$this->wp_user_id = $wp_user_id;
|
||||||
}
|
}
|
||||||
|
$this->api = API::JSON();
|
||||||
$this->api = new API();
|
|
||||||
}
|
|
||||||
|
|
||||||
function testItChecksPermissions() {
|
|
||||||
// logged out user
|
|
||||||
expect($this->api->checkPermissions())->false();
|
|
||||||
|
|
||||||
// give administrator role to wp user
|
|
||||||
$wp_user = get_user_by('id', $this->wp_user_id);
|
|
||||||
$wp_user->add_role('administrator');
|
|
||||||
wp_set_current_user($wp_user->ID, $wp_user->user_login);
|
|
||||||
|
|
||||||
// administrator should have permission
|
|
||||||
expect($this->api->checkPermissions())->true();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function testItCallsAPISetupAction() {
|
function testItCallsAPISetupAction() {
|
||||||
$called = false;
|
$called = false;
|
||||||
add_action(
|
Hooks::addAction(
|
||||||
'mailpoet_api_setup',
|
'mailpoet_api_setup',
|
||||||
function ($api) use (&$called) {
|
function($api) use (&$called) {
|
||||||
$called = true;
|
$called = true;
|
||||||
expect($api instanceof API)->true();
|
expect($api instanceof JSONAPI)->true();
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
$api = Stub::makeEmptyExcept(
|
$api = Stub::makeEmptyExcept(
|
||||||
@ -136,11 +128,101 @@ class APITest extends \MailPoetTest {
|
|||||||
);
|
);
|
||||||
$this->api->setRequestData($data);
|
$this->api->setRequestData($data);
|
||||||
$response = $this->api->processRoute();
|
$response = $this->api->processRoute();
|
||||||
|
|
||||||
expect($response->getData()['data'])->equals($data['api_version']);
|
expect($response->getData()['data'])->equals($data['api_version']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function testItValidatesPermissionBeforeProcessingEndpointMethod() {
|
||||||
|
$namespace = array(
|
||||||
|
'name' => 'MailPoet\API\JSON\v1',
|
||||||
|
'version' => 'v1'
|
||||||
|
);
|
||||||
|
$data = array(
|
||||||
|
'endpoint' => 'a_p_i_test_namespaced_endpoint_stub_v1',
|
||||||
|
'method' => 'restricted',
|
||||||
|
'api_version' => 'v1',
|
||||||
|
'data' => array('test' => 'data')
|
||||||
|
);
|
||||||
|
$access_control = new AccessControl();
|
||||||
|
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||||
|
$api = Stub::make(
|
||||||
|
new \MailPoet\API\JSON\API($access_control),
|
||||||
|
array(
|
||||||
|
'validatePermissions' => function($method, $permissions) use ($data) {
|
||||||
|
expect($method)->equals($data['method']);
|
||||||
|
expect($permissions)->equals(
|
||||||
|
array(
|
||||||
|
'global' => AccessControl::NO_ACCESS_RESTRICTION,
|
||||||
|
'methods' => array(
|
||||||
|
'test' => AccessControl::NO_ACCESS_RESTRICTION,
|
||||||
|
'restricted' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$api->addEndpointNamespace($namespace['name'], $namespace['version']);
|
||||||
|
$api->setRequestData($data);
|
||||||
|
$response = $api->processRoute();
|
||||||
|
expect($response->getData()['data'])->equals($data['data']);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testItReturnsForbiddenResponseWhenPermissionFailsValidation() {
|
||||||
|
$namespace = array(
|
||||||
|
'name' => 'MailPoet\API\JSON\v1',
|
||||||
|
'version' => 'v1'
|
||||||
|
);
|
||||||
|
$data = array(
|
||||||
|
'endpoint' => 'a_p_i_test_namespaced_endpoint_stub_v1',
|
||||||
|
'method' => 'restricted',
|
||||||
|
'api_version' => 'v1',
|
||||||
|
'data' => array('test' => 'data')
|
||||||
|
);
|
||||||
|
$access_control = new AccessControl();
|
||||||
|
$access_control->user_roles = array();
|
||||||
|
$api = new \MailPoet\API\JSON\API($access_control);
|
||||||
|
$api->addEndpointNamespace($namespace['name'], $namespace['version']);
|
||||||
|
$api->setRequestData($data);
|
||||||
|
$response = $api->processRoute();
|
||||||
|
expect($response->status)->equals(Response::STATUS_FORBIDDEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testItValidatesGlobalPermission() {
|
||||||
|
$access_control = new AccessControl();
|
||||||
|
$permissions = array(
|
||||||
|
'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,
|
||||||
|
);
|
||||||
|
|
||||||
|
$access_control->user_roles = array();
|
||||||
|
$api = new JSONAPI($access_control);
|
||||||
|
expect($api->validatePermissions(null, $permissions))->false();
|
||||||
|
|
||||||
|
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||||
|
$api = new JSONAPI($access_control);
|
||||||
|
expect($api->validatePermissions(null, $permissions))->true();
|
||||||
|
}
|
||||||
|
|
||||||
|
function testItValidatesEndpointMethodPermission() {
|
||||||
|
$access_control = new AccessControl();
|
||||||
|
$permissions = array(
|
||||||
|
'global' => null,
|
||||||
|
'methods' => array(
|
||||||
|
'test' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
$access_control->user_roles = array();
|
||||||
|
$api = new JSONAPI($access_control);
|
||||||
|
expect($api->validatePermissions('test', $permissions))->false();
|
||||||
|
|
||||||
|
$access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
|
||||||
|
$api = new JSONAPI($access_control);
|
||||||
|
expect($api->validatePermissions('test', $permissions))->true();
|
||||||
|
}
|
||||||
|
|
||||||
function _after() {
|
function _after() {
|
||||||
|
WPHooksHelper::releaseAllHooks();
|
||||||
wp_delete_user($this->wp_user_id);
|
wp_delete_user($this->wp_user_id);
|
||||||
}
|
}
|
||||||
}
|
}
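Review bot: None of the added tests exercise the fall-through where the requested method has no entry under `'methods'` and the endpoint's `'global'` permission is `null` or missing, which is the path most likely to fail open; `testItValidatesEndpointMethodPermission` sets `'global' => null` but only ever asks for the configured `'test'` method. A one-line negative case pins the intended fail-closed behaviour, `expect($api->validatePermissions('unknown', array('global' => null)))->false();`, and if `AccessControl::validatePermission(null)` does not already deny (its body is outside this diff) the test will show it. `testItChecksPermissions`, which appears only on the old side of the second hunk, was the one end-to-end check that a logged-out WordPress user is denied and an administrator allowed; the new tests assign `$access_control->user_roles` directly, so role resolution via `wp_set_current_user()` is no longer covered and a replacement in that style would be worth keeping. `testItReturnsForbiddenResponseWhenPermissionFailsValidation` asserts only `$response->status`; also asserting that `restricted()` was never invoked (e.g. a stub that records the call) would make it prove the guard runs before the endpoint method rather than merely that a forbidden response is produced.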
|
@ -3,16 +3,24 @@
|
|||||||
namespace MailPoet\API\JSON\v1;
|
namespace MailPoet\API\JSON\v1;
|
||||||
|
|
||||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||||
use MailPoet\API\JSON\Access as APIAccess;
|
use MailPoet\Config\AccessControl;
|
||||||
|
|
||||||
if(!defined('ABSPATH')) exit;
|
if(!defined('ABSPATH')) exit;
|
||||||
|
|
||||||
class APITestNamespacedEndpointStubV1 extends APIEndpoint {
|
class APITestNamespacedEndpointStubV1 extends APIEndpoint {
|
||||||
public $permissions = array(
|
public $permissions = array(
|
||||||
'test' => APIAccess::ALL
|
'global' => AccessControl::NO_ACCESS_RESTRICTION,
|
||||||
|
'methods' => array(
|
||||||
|
'test' => AccessControl::NO_ACCESS_RESTRICTION,
|
||||||
|
'restricted' => AccessControl::PERMISSION_MANAGE_SETTINGS
|
||||||
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
function test($data) {
|
function test($data) {
|
||||||
return $this->successResponse($data);
|
return $this->successResponse($data);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function restricted($data) {
|
||||||
|
return $this->successResponse($data);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -2,14 +2,17 @@
|
|||||||
|
|
||||||
namespace MailPoet\API\JSON\v2;
|
namespace MailPoet\API\JSON\v2;
|
||||||
|
|
||||||
use MailPoet\API\JSON\Access as APIAccess;
|
|
||||||
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
use MailPoet\API\JSON\Endpoint as APIEndpoint;
|
||||||
|
use MailPoet\Config\AccessControl;
|
||||||
|
|
||||||
if(!defined('ABSPATH')) exit;
|
if(!defined('ABSPATH')) exit;
|
||||||
|
|
||||||
class APITestNamespacedEndpointStubV2 extends APIEndpoint {
|
class APITestNamespacedEndpointStubV2 extends APIEndpoint {
|
||||||
public $permissions = array(
|
public $permissions = array(
|
||||||
'testVersion' => APIAccess::ALL
|
'global' => AccessControl::NO_ACCESS_RESTRICTION,
|
||||||
|
'methods' => array(
|
||||||
|
'test' => AccessControl::NO_ACCESS_RESTRICTION
|
||||||
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
function testVersion() {
|
function testVersion() {
|
||||||
|