reivilibre/TaskBoard
Archived
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases 2 Wiki Activity

Response filtering for comment endpoints

Browse Source
This commit is contained in:
Matthew Ross 2016-06-17 11:24:49 -07:00
parent 9d46b25bc8
commit 178332d871
4 changed files with 223 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
src/api/controllers/Comments.php
View File

@ -21,6 +21,13 @@ class Comments extends BaseController {
return $this->jsonResponse($response); return $this->jsonResponse($response);
} }
$task = new Task($this->container, $comment->task_id);
$column = new Column($this->container, $task->column_id);
if (!$this->checkBoardAccess($column->board_id, $request)) {
return $this->jsonResponse($response, 403);
}
$this->apiJson->setSuccess(); $this->apiJson->setSuccess();
$this->apiJson->addData($comment); $this->apiJson->addData($comment);
@ -37,7 +44,9 @@ class Comments extends BaseController {
$comment = new Comment($this->container); $comment = new Comment($this->container);
$comment->loadFromJson($request->getBody()); $comment->loadFromJson($request->getBody());
if (!$comment->save()) { $task = new Task($this->container, $comment->task_id);
if ($task->id === 0) {
$this->logger->addError('Add Comment: ', [$comment]); $this->logger->addError('Add Comment: ', [$comment]);
$this->apiJson->addAlert('error', 'Error adding comment. ' . $this->apiJson->addAlert('error', 'Error adding comment. ' .
'Please try again.'); 'Please try again.');
@ -45,7 +54,14 @@ class Comments extends BaseController {
return $this->jsonResponse($response); return $this->jsonResponse($response);
} }
if (!$this->checkBoardAccess($this->getBoardId($task->id), $request)) {
return $this->jsonResponse($response, 403);
}
$comment->save();
$actor = new User($this->container, Auth::GetUserId($request)); $actor = new User($this->container, Auth::GetUserId($request));
$this->dbLogger->logChange($this->container, $actor->id, $this->dbLogger->logChange($this->container, $actor->id,
$actor->username . ' added comment ' . $comment->id . '.', $actor->username . ' added comment ' . $comment->id . '.',
'', json_encode($comment), 'comment', $comment->id); '', json_encode($comment), 'comment', $comment->id);
@ -63,10 +79,23 @@ class Comments extends BaseController {
return $this->jsonResponse($response, $status); return $this->jsonResponse($response, $status);
} }
// TODO: If user, verify submitting user
$actor = new User($this->container, Auth::GetUserId($request)); $actor = new User($this->container, Auth::GetUserId($request));
$comment = new Comment($this->container, (int)$args['id']); $id = (int)$args['id'];
$comment = new Comment($this->container, $id);
// If User level, only the user that created the comment
// may update it. If higher level, update is allowed.
if ($actor->security_level->getValue() === SecurityLevel::User) {
if ($actor->id !== $comment->user_id) {
$this->apiJson->addAlert('error',
'You do not have sufficient permissions ' .
'to update this comment.');
return $this->jsonResponse($response);
}
} // @codeCoverageIgnore
$update = new Comment($this->container); $update = new Comment($this->container);
$update->loadFromJson($request->getBody()); $update->loadFromJson($request->getBody());
@ -78,6 +107,11 @@ class Comments extends BaseController {
return $this->jsonResponse($response); return $this->jsonResponse($response);
} }
if (!$this->checkBoardAccess($this->getBoardId($comment->task_id),
$request)) {
return $this->jsonResponse($response, 403);
}
$update->save(); $update->save();
$this->dbLogger->logChange($this->container, $actor->id, $this->dbLogger->logChange($this->container, $actor->id,
@ -98,12 +132,23 @@ class Comments extends BaseController {
return $this->jsonResponse($response, $status); return $this->jsonResponse($response, $status);
} }
// TODO: If user, verify submitting user
$actor = new User($this->container, Auth::GetUserId($request)); $actor = new User($this->container, Auth::GetUserId($request));
$id = (int)$args['id']; $id = (int)$args['id'];
$comment = new Comment($this->container, $id); $comment = new Comment($this->container, $id);
// If User level, only the user that created the comment
// may delete it. If higher level, delete is allowed.
if ($actor->security_level->getValue() === SecurityLevel::User) {
if ($actor->id !== $comment->user_id) {
$this->apiJson->addAlert('error',
'You do not have sufficient permissions ' .
'to remove this comment.');
return $this->jsonResponse($response);
}
} // @codeCoverageIgnore
if ($comment->id !== $id) { if ($comment->id !== $id) {
$this->logger->addError('Remove Comment: ', [$comment]); $this->logger->addError('Remove Comment: ', [$comment]);
$this->apiJson->addAlert('error', 'Error removing comment. ' . $this->apiJson->addAlert('error', 'Error removing comment. ' .
@ -112,6 +157,11 @@ class Comments extends BaseController {
return $this->jsonResponse($response); return $this->jsonResponse($response);
} }
if (!$this->checkBoardAccess($this->getBoardId($comment->task_id),
$request)) {
return $this->jsonResponse($response, 403);
}
$before = $comment; $before = $comment;
$comment->delete(); $comment->delete();
@ -124,5 +174,13 @@ class Comments extends BaseController {
return $this->jsonResponse($response); return $this->jsonResponse($response);
} }
private function getBoardId($taskId) {
$task = new Task($this->container, $taskId);
$column = new Column($this->container, $task->column_id);
return $column->board_id;
}
} }

3
test/api/controllers/AttachmentsTest.php
View File

@ -175,7 +175,7 @@ class AttachmentsTest extends PHPUnit_Framework_TestCase {
$args['id'] = 1; $args['id'] = 1;
$this->attachments = new Attachments(new ContainerMock()); $this->attachments = new Attachments(new ContainerMock());
$request =new RequestMock(); $request = new RequestMock();
$request->header = [DataMock::getJwt(2)]; $request->header = [DataMock::getJwt(2)];
$actual = $this->attachments->removeAttachment($request, $actual = $this->attachments->removeAttachment($request,
@ -183,7 +183,6 @@ class AttachmentsTest extends PHPUnit_Framework_TestCase {
$this->assertEquals('You do not have sufficient permissions to ' . $this->assertEquals('You do not have sufficient permissions to ' .
'remove this attachment.', $actual->alerts[0]['text']); 'remove this attachment.', $actual->alerts[0]['text']);
} }
public function testRemoveAttachmentForbidden() { public function testRemoveAttachmentForbidden() {

5
test/api/controllers/ColumnsTest.php
View File

@ -179,8 +179,10 @@ class ColumnsTest extends PHPUnit_Framework_TestCase {
$this->assertEquals('Access restricted.', $this->assertEquals('Access restricted.',
$actual->alerts[0]['text']); $actual->alerts[0]['text']);
} }
public function testUpdateColumn() { public function testUpdateColumn() {
$this->createColumn(); $this->createColumn();
$this->columns = new Columns(new ContainerMock());
$column = DataMock::getColumn(); $column = DataMock::getColumn();
$column->name = 'updated'; $column->name = 'updated';
@ -196,12 +198,13 @@ class ColumnsTest extends PHPUnit_Framework_TestCase {
new ResponseMock(), $args); new ResponseMock(), $args);
$this->assertEquals('success', $response->status); $this->assertEquals('success', $response->status);
$this->columns = new Columns(new ContainerMock());
$request->payload = new stdClass(); $request->payload = new stdClass();
$request->header = [DataMock::getJwt()]; $request->header = [DataMock::getJwt()];
$response = $this->columns->updateColumn($request, $response = $this->columns->updateColumn($request,
new ResponseMock(), $args); new ResponseMock(), $args);
$this->assertEquals('error', $response->alerts[2]['type']); $this->assertEquals('error', $response->alerts[0]['type']);
} }
public function testUpdateColumnUnprivileged() { public function testUpdateColumnUnprivileged() {

156
test/api/controllers/CommentsTest.php
View File

@ -1,6 +1,9 @@
<?php <?php
require_once __DIR__ . '/../Mocks.php'; require_once __DIR__ . '/../Mocks.php';
/**
* @group single
*/
class CommentsTest extends PHPUnit_Framework_TestCase { class CommentsTest extends PHPUnit_Framework_TestCase {
private $comments; private $comments;
@ -42,6 +45,25 @@ class CommentsTest extends PHPUnit_Framework_TestCase {
$this->assertEquals(2, count($actual->data)); $this->assertEquals(2, count($actual->data));
} }
public function testGetCommentForbidden() {
$this->createComment();
DataMock::createBoardAdminUser();
$args = [];
$args['id'] = 1;
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$this->comments = new Comments(new ContainerMock());
$actual = $this->comments->getComment($request,
new ResponseMock(), $args);
$this->assertEquals('Access restricted.',
$actual->alerts[0]['text']);
}
public function testGetCommentUnprivileged() { public function testGetCommentUnprivileged() {
$res = DataMock::createUnpriviligedUser(); $res = DataMock::createUnpriviligedUser();
$this->assertEquals('success', $res->status); $this->assertEquals('success', $res->status);
@ -124,6 +146,66 @@ class CommentsTest extends PHPUnit_Framework_TestCase {
$this->assertEquals('failure', $response->status); $this->assertEquals('failure', $response->status);
} }
public function testAddCommentForbidden() {
$this->createBoard();
$this->createTask();
DataMock::createBoardAdminUser();
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$comment = DataMock::getComment();
$comment->id = 0;
$request->payload = $comment;
$this->comments = new Comments(new ContainerMock());
$actual = $this->comments->addComment($request,
new ResponseMock(), null);
$this->assertEquals('Access restricted.',
$actual->alerts[0]['text']);
}
public function testRemoveCommentForbidden() {
$this->createComment();
DataMock::createBoardAdminUser();
$args = [];
$args['id'] = 1;
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$this->comments = new Comments(new ContainerMock());
$actual = $this->comments->removeComment($request,
new ResponseMock(), $args);
$this->assertEquals('Access restricted.',
$actual->alerts[0]['text']);
}
public function testRemoveCommentUserSecurity() {
$this->createComment();
DataMock::createStandardUser();
$args = [];
$args['id'] = 1;
$this->comments = new Comments(new ContainerMock());
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$actual = $this->comments->removeComment($request,
new ResponseMock(), $args);
$this->assertEquals('You do not have sufficient permissions to ' .
'remove this comment.', $actual->alerts[0]['text']);
}
public function testUpdateComment() { public function testUpdateComment() {
$this->createComment(); $this->createComment();
$this->comments = new Comments(new ContainerMock()); $this->comments = new Comments(new ContainerMock());
@ -174,7 +256,81 @@ class CommentsTest extends PHPUnit_Framework_TestCase {
$actual->alerts[0]['text']); $actual->alerts[0]['text']);
} }
public function testUpdateCommentForbidden() {
$this->createComment();
DataMock::createBoardAdminUser();
$comment = DataMock::getComment();
$comment->text = 'updated';
$args = [];
$args['id'] = $comment->id;
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$request->payload = $comment;
$this->comments = new Comments(new ContainerMock());
$actual = $this->comments->updateComment($request,
new ResponseMock(), $args);
$this->assertEquals('Access restricted.',
$actual->alerts[0]['text']);
}
public function testUpdateCommentUserSecurity() {
$this->createComment();
DataMock::createStandardUser();
$args = [];
$args['id'] = 1;
$comment = DataMock::getComment();
$comment->text = 'updated';
$this->comments = new Comments(new ContainerMock());
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$request->payload = $comment;
$actual = $this->comments->updateComment($request,
new ResponseMock(), $args);
$this->assertEquals('You do not have sufficient permissions to ' .
'update this comment.', $actual->alerts[0]['text']);
}
private function createBoard() {
$board = DataMock::getBoard();
$board->users = [];
$board->users[] = new User(new ContainerMock(), 1);
$board->auto_actions = [];
$request = new RequestMock();
$request->payload = $board;
$request->header = [DataMock::getJwt()];
$boards = new Boards(new ContainerMock());
$boards->addBoard($request, new ResponseMock(), null);
}
private function createTask() {
$task = DataMock::getTask();
$task->id = 0;
$request = new RequestMock();
$request->payload = $task;
$request->header = [DataMock::getJwt()];
$tasks = new Tasks(new ContainerMock());
$tasks->addTask($request, new ResponseMock(), null);
}
private function createComment() { private function createComment() {
$this->createBoard();
$this->createTask();
$request = new RequestMock(); $request = new RequestMock();
$comment = DataMock::getComment(); $comment = DataMock::getComment();
$comment->id = 0; $comment->id = 0;