Updates permission validation method on AccessControl

Adds/updates unit tests
2017-08-23 09:53:54 -04:00
parent 48f3ae4ea1
commit 28320cdbb6
4 changed files with 123 additions and 34 deletions
--- a/lib/API/JSON/API.php
+++ b/lib/API/JSON/API.php
@ -147,14 +147,10 @@ class API {
  }

  function validatePermissions($request_method, $permissions) {
-    // if method permission is defined, validate it
-    if (!empty($permissions['methods'][$request_method])) {
-      return ($permissions['methods'][$request_method] === AccessControl::NO_ACCESS_RESTRICTION) ?
-        true :
-        $this->access_control->validatePermission($permissions['methods'][$request_method]);
-    }
-    // use global permission
-    return $this->access_control->validatePermission($permissions['global']);
+    // validate method permission if defined, otherwise validate global permission
+    return(!empty($permissions['methods'][$request_method])) ?
+      $this->access_control->validatePermission($permissions['methods'][$request_method]) :
+      $this->access_control->validatePermission($permissions['global']);
  }

  function checkToken() {
--- a/tests/unit/API/JSON/APITest.php
+++ b/tests/unit/API/JSON/APITest.php
@ -1,13 +1,19 @@
 <?php
+
 namespace MailPoet\Test\API\JSON;

 use Codeception\Util\Stub;
-use MailPoet\API\JSON\API;
-use MailPoet\API\JSON\SuccessResponse;
+use Helper\WordPressHooks as WPHooksHelper;
+use MailPoet\API\API;
+use MailPoet\API\JSON\API as JSONAPI;
+use MailPoet\API\JSON\Response;
 use MailPoet\API\JSON\Response as APIResponse;
+use MailPoet\API\JSON\SuccessResponse;
+use MailPoet\Config\AccessControl;
+use MailPoet\WP\Hooks;

 // required to be able to use wp_delete_user()
-require_once(ABSPATH.'wp-admin/includes/user.php');
+require_once(ABSPATH . 'wp-admin/includes/user.php');
 require_once('APITestNamespacedEndpointStubV1.php');
 require_once('APITestNamespacedEndpointStubV2.php');

@ -22,30 +28,16 @@ class APITest extends \MailPoetTest {
    } else {
      $this->wp_user_id = $wp_user_id;
    }
-
-    $this->api = new API();
-  }
-
-  function testItChecksPermissions() {
-    // logged out user
-    expect($this->api->checkPermissions())->false();
-
-    // give administrator role to wp user
-    $wp_user = get_user_by('id', $this->wp_user_id);
-    $wp_user->add_role('administrator');
-    wp_set_current_user($wp_user->ID, $wp_user->user_login);
-
-    // administrator should have permission
-    expect($this->api->checkPermissions())->true();
+    $this->api = API::JSON();
  }

  function testItCallsAPISetupAction() {
    $called = false;
-    add_action(
+    Hooks::addAction(
      'mailpoet_api_setup',
-      function ($api) use (&$called) {
+      function($api) use (&$called) {
        $called = true;
-        expect($api instanceof API)->true();
+        expect($api instanceof JSONAPI)->true();
      }
    );
    $api = Stub::makeEmptyExcept(
@ -136,11 +128,101 @@ class APITest extends \MailPoetTest {
    );
    $this->api->setRequestData($data);
    $response = $this->api->processRoute();
-
    expect($response->getData()['data'])->equals($data['api_version']);
  }

+  function testItValidatesPermissionBeforeProcessingEndpointMethod() {
+    $namespace = array(
+      'name' => 'MailPoet\API\JSON\v1',
+      'version' => 'v1'
+    );
+    $data = array(
+      'endpoint' => 'a_p_i_test_namespaced_endpoint_stub_v1',
+      'method' => 'restricted',
+      'api_version' => 'v1',
+      'data' => array('test' => 'data')
+    );
+    $access_control = new AccessControl();
+    $access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
+    $api = Stub::make(
+      new \MailPoet\API\JSON\API($access_control),
+      array(
+        'validatePermissions' => function($method, $permissions) use ($data) {
+          expect($method)->equals($data['method']);
+          expect($permissions)->equals(
+            array(
+              'global' => AccessControl::NO_ACCESS_RESTRICTION,
+              'methods' => array(
+                'test' => AccessControl::NO_ACCESS_RESTRICTION,
+                'restricted' => AccessControl::PERMISSION_MANAGE_SETTINGS
+              )
+            )
+          );
+          return true;
+        }
+      )
+    );
+    $api->addEndpointNamespace($namespace['name'], $namespace['version']);
+    $api->setRequestData($data);
+    $response = $api->processRoute();
+    expect($response->getData()['data'])->equals($data['data']);
+  }
+
+  function testItReturnsForbiddenResponseWhenPermissionFailsValidation() {
+    $namespace = array(
+      'name' => 'MailPoet\API\JSON\v1',
+      'version' => 'v1'
+    );
+    $data = array(
+      'endpoint' => 'a_p_i_test_namespaced_endpoint_stub_v1',
+      'method' => 'restricted',
+      'api_version' => 'v1',
+      'data' => array('test' => 'data')
+    );
+    $access_control = new AccessControl();
+    $access_control->user_roles = array();
+    $api = new \MailPoet\API\JSON\API($access_control);
+    $api->addEndpointNamespace($namespace['name'], $namespace['version']);
+    $api->setRequestData($data);
+    $response = $api->processRoute();
+    expect($response->status)->equals(Response::STATUS_FORBIDDEN);
+  }
+
+  function testItValidatesGlobalPermission() {
+    $access_control = new AccessControl();
+    $permissions = array(
+      'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,
+    );
+
+    $access_control->user_roles = array();
+    $api = new JSONAPI($access_control);
+    expect($api->validatePermissions(null, $permissions))->false();
+
+    $access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
+    $api = new JSONAPI($access_control);
+    expect($api->validatePermissions(null, $permissions))->true();
+  }
+
+  function testItValidatesEndpointMethodPermission() {
+    $access_control = new AccessControl();
+    $permissions = array(
+      'global' => null,
+      'methods' => array(
+        'test' => AccessControl::PERMISSION_MANAGE_SETTINGS
+      )
+    );
+
+    $access_control->user_roles = array();
+    $api = new JSONAPI($access_control);
+    expect($api->validatePermissions('test', $permissions))->false();
+
+    $access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
+    $api = new JSONAPI($access_control);
+    expect($api->validatePermissions('test', $permissions))->true();
+  }
+
  function _after() {
+    WPHooksHelper::releaseAllHooks();
    wp_delete_user($this->wp_user_id);
  }
 }
--- a/tests/unit/API/JSON/APITestNamespacedEndpointStubV1.php
+++ b/tests/unit/API/JSON/APITestNamespacedEndpointStubV1.php
@ -3,16 +3,24 @@
 namespace MailPoet\API\JSON\v1;

 use MailPoet\API\JSON\Endpoint as APIEndpoint;
-use MailPoet\API\JSON\Access as APIAccess;
+use MailPoet\Config\AccessControl;

 if(!defined('ABSPATH')) exit;

 class APITestNamespacedEndpointStubV1 extends APIEndpoint {
  public $permissions = array(
-    'test' => APIAccess::ALL
+    'global' => AccessControl::NO_ACCESS_RESTRICTION,
+    'methods' => array(
+      'test' => AccessControl::NO_ACCESS_RESTRICTION,
+      'restricted' => AccessControl::PERMISSION_MANAGE_SETTINGS
+    )
  );

  function test($data) {
    return $this->successResponse($data);
  }
+
+  function restricted($data) {
+    return $this->successResponse($data);
+  }
 }
--- a/tests/unit/API/JSON/APITestNamespacedEndpointStubV2.php
+++ b/tests/unit/API/JSON/APITestNamespacedEndpointStubV2.php
@ -2,14 +2,17 @@

 namespace MailPoet\API\JSON\v2;

-use MailPoet\API\JSON\Access as APIAccess;
 use MailPoet\API\JSON\Endpoint as APIEndpoint;
+use MailPoet\Config\AccessControl;

 if(!defined('ABSPATH')) exit;

 class APITestNamespacedEndpointStubV2 extends APIEndpoint {
  public $permissions = array(
-    'testVersion' => APIAccess::ALL
+    'global' => AccessControl::NO_ACCESS_RESTRICTION,
+    'methods' => array(
+      'test' => AccessControl::NO_ACCESS_RESTRICTION
+    )
  );

  function testVersion() {