From e47c8bc701fcdfb9f917d8e61ff4dcc3daffdf45 Mon Sep 17 00:00:00 2001 From: Vlad Date: Tue, 22 Aug 2017 21:16:38 -0400 Subject: [PATCH] Adds access control tests for Router --- .../Router/Endpoints/ViewInBrowserTest.php | 18 +++- tests/unit/Router/RouterTest.php | 90 ++++++++++++++++++- tests/unit/Router/RouterTestMockEndpoint.php | 5 ++ 3 files changed, 105 insertions(+), 8 deletions(-) diff --git a/tests/unit/Router/Endpoints/ViewInBrowserTest.php b/tests/unit/Router/Endpoints/ViewInBrowserTest.php index 5727a9c863..6918c993b9 100644 --- a/tests/unit/Router/Endpoints/ViewInBrowserTest.php +++ b/tests/unit/Router/Endpoints/ViewInBrowserTest.php @@ -1,7 +1,9 @@ false ); // instantiate class - $this->view_in_browser = new ViewInBrowser($this->browser_preview_data); + $this->view_in_browser = new ViewInBrowser($this->browser_preview_data, new AccessControl()); } function testItAbortsWhenBrowserPreviewDataIsMissing() { @@ -123,6 +125,7 @@ class ViewInBrowserTest extends \MailPoetTest { } function testItDoesNotRequireWpAdministratorToBeOnProcessedListWhenPreviewIsEnabled() { + $view_in_browser = $this->view_in_browser; $data = (object)array_merge( $this->browser_preview_data, array( 
@@ -132,19 +135,25 @@ class ViewInBrowserTest extends \MailPoetTest { ) ); $data->preview = true; + // when WP user is not logged, false should be returned - expect($this->view_in_browser->_validateBrowserPreviewData($data))->false(); + expect($view_in_browser->_validateBrowserPreviewData($data))->false(); + // when WP user is logged in but does not have 'manage options' permission, false should be returned wp_set_current_user(1); $wp_user = wp_get_current_user(); $wp_user->remove_role('administrator'); + $view_in_browser->access_control = new AccessControl(); expect($this->view_in_browser->_validateBrowserPreviewData($data))->false(); + // when WP user is logged and has 'manage options' permission, data should be returned $wp_user->add_role('administrator'); - expect($this->view_in_browser->_validateBrowserPreviewData($data))->equals($data); + $view_in_browser->access_control = new AccessControl(); + expect($view_in_browser->_validateBrowserPreviewData($data))->equals($data); } function testItSetsSubscriberToLoggedInWPUserWhenPreviewIsEnabled() { + $view_in_browser = $this->view_in_browser; $data = (object)array_merge( $this->browser_preview_data, array( @@ -155,7 +164,8 @@ class ViewInBrowserTest extends \MailPoetTest { ); $data->preview = true; wp_set_current_user(1); - $result = $this->view_in_browser->_validateBrowserPreviewData($data); + $view_in_browser->access_control = new AccessControl(); + $result = $view_in_browser->_validateBrowserPreviewData($data); expect($result->subscriber->id)->equals(1); } diff --git a/tests/unit/Router/RouterTest.php b/tests/unit/Router/RouterTest.php index 58d31d7603..2eca6d6649 100644 --- a/tests/unit/Router/RouterTest.php +++ b/tests/unit/Router/RouterTest.php @@ -1,7 +1,9 @@ api_request)->equals(true); expect($router->endpoint)->equals('viewInBrowser'); - expect($router->action)->equals('view'); + expect($router->endpoint_action)->equals('view'); expect($router->data)->equals($data); } 
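Review bot: In testItDoesNotRequireWpAdministratorToBeOnProcessedListWhenPreviewIsEnabled the assertion that follows `remove_role('administrator')` still calls `$this->view_in_browser->_validateBrowserPreviewData($data)` while the lines around it were switched to the `$view_in_browser` local; the two are the same object handle, so the result is unaffected, but the mixed usage reads as though two instances are under test and the line should be `expect($view_in_browser->_validateBrowserPreviewData($data))->false();`. The fact that a fresh `new AccessControl()` must be assigned after every role change suggests AccessControl captures the current user's roles when it is constructed; that deserves a comment at the first reassignment, e.g. `// AccessControl appears to read the user's roles at construction, so rebuild it after changing roles`, and it is a reminder that any long-lived AccessControl instance in production code would carry stale privileges — confirm against the class, which is outside this diff. The test also restores the administrator role in the method body, so a failing middle expectation leaves user 1 demoted for later tests; a teardown hook (not visible here) is the safer place for that restore. The method's opening lines are in the preceding hunk.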
@@ -92,6 +94,87 @@ class RouterTest extends \MailPoetTest {
 );
 }

+ function testItValidatesGlobalPermission() {
+ $access_control = new AccessControl();
+ $router = $this->router;
+
+ $permissions = array(
+ 'global' => AccessControl::PERMISSION_MANAGE_SETTINGS,
+ );
+ $access_control->user_roles = array();
+ $router->access_control = $access_control;
+ expect($router->validatePermissions(null, $permissions))->false();
+
+ $access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
+ $router->access_control = $access_control;
+ expect($router->validatePermissions(null, $permissions))->true();
+ }
+
+ function testItValidatesEndpointActionPermission() {
+ $access_control = new AccessControl();
+ $router = $this->router;
+
+ $permissions = array(
+ 'global' => null,
+ 'actions' => array(
+ 'test' => AccessControl::PERMISSION_MANAGE_SETTINGS
+ )
+ );
+
+ $access_control->user_roles = array();
+ $router->access_control = $access_control;
+ expect($router->validatePermissions('test', $permissions))->false();
+
+ $access_control->user_roles = $access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS];
+ $router->access_control = $access_control;
+ expect($router->validatePermissions('test', $permissions))->true();
+ }
+
+ function testItValidatesPermissionBeforeProcessingEndpointAction() {
+ $router = Stub::construct(
+ new Router(),
+ array($this->router_data),
+ array(
+ 'validatePermissions' => function($action, $permissions) {
+ expect($action)->equals($this->router_data['action']);
+ expect($permissions)->equals(
+ array(
+ 'global' => AccessControl::NO_ACCESS_RESTRICTION
+ )
+ );
+ return true;
+ }
+ )
+ );
+ $result = $router->init();
+ expect($result)->equals(
+ array('data' => 'dummy data')
+ );
+ }
+
+ function testItReturnsForbiddenResponseWhenPermissionFailsValidation() {
+ $router = Stub::construct(
+ new Router(),
+ array($this->router_data),
+ array(
+ 'validatePermissions' => false,
+ 'terminateRequest' => function($code, $error) {
+ return array(
+ $code,
+ $error
+ );
+ }
+ )
+ );
+ $result = $router->init();
+ expect($result)->equals(
+ array(
+ 403,
+ 'You do not have the required permissions.'
+ )
+ );
+ }
+
 function testItCallsEndpointAction() {
 $data = array('data' => 'dummy data');
 $result = $this->router->init();
@@ -99,8 +182,7 @@ class RouterTest extends \MailPoetTest {
 }

 function testItExecutesUrlParameterConflictResolverAction() {
- $data = array('data' => 'dummy data');
- $result = $this->router->init();
+ $this->router->init();
 expect((boolean)did_action('mailpoet_conflict_resolver_router_url_query_parameters'))->true();
 }

@@ -140,4 +222,4 @@ class RouterTest extends \MailPoetTest {
 );
 expect($result)->contains(Router::NAME . '&endpoint=router_test_mock_endpoint&action=test&data=' . $encoded_data);
 }
-}
+}
\ No newline at end of file
diff --git a/tests/unit/Router/RouterTestMockEndpoint.php b/tests/unit/Router/RouterTestMockEndpoint.php
index 24ab75f774..51c020f92a 100644
--- a/tests/unit/Router/RouterTestMockEndpoint.php
+++ b/tests/unit/Router/RouterTestMockEndpoint.php
@@ -2,12 +2,17 @@ namespace MailPoet\Router\Endpoints;
+use MailPoet\Config\AccessControl;
+
 class RouterTestMockEndpoint {
 const ACTION_TEST = 'test';
 public $allowed_actions = array(
 self::ACTION_TEST
 );
 public $data;
+ public $permissions = array(
+ 'global' => AccessControl::NO_ACCESS_RESTRICTION
+ );

 function __construct($data) {
 $this->data = $data;
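Review bot: The denial cases in testItValidatesGlobalPermission and testItValidatesEndpointActionPermission only cover `user_roles = array()`, so a logged-in user holding a role that simply is not in the required set is never exercised, and neither is an action missing from the `'actions'` map, which is the fail-closed default that matters most. Add a non-matching role case, e.g. `$access_control->user_roles = array('subscriber'); expect($router->validatePermissions('test', $permissions))->false();`, and an unlisted-action case, `expect($router->validatePermissions('other', $permissions))->false();`, using any role outside `$access_control->permissions[AccessControl::PERMISSION_MANAGE_SETTINGS]`. Because the tests write `user_roles` and `access_control` as public properties, they verify the role-to-permission matching in validatePermissions rather than the WordPress capability lookup itself; a comment saying so at the top of the first test, `// roles are injected directly; WP capability resolution is not under test here`, would keep that boundary clear. testItReturnsForbiddenResponseWhenPermissionFailsValidation does show that init() returns terminateRequest's result rather than continuing to the endpoint, which is the right shape for the 403 path.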