Response filtering for column endpoints

2016-06-16 16:53:31 -04:00 · 2016-06-16 16:53:31 -04:00 · 9d46b25bc8
commit 9d46b25bc8
parent 9d38df9043
3 changed files with 127 additions and 14 deletions
--- a/src/api/controllers/Columns.php
+++ b/src/api/controllers/Columns.php
@ -11,7 +11,6 @@ class Columns extends BaseController {
        }

        $column = new Column($this->container, (int)$args['id']);
-        // TODO: Verify user has board access

        if ($column->id === 0) {
            $this->logger->addError('Attempt to load column ' .
@ -22,6 +21,10 @@ class Columns extends BaseController {
            return $this->jsonResponse($response);
        }

+        if (!$this->checkBoardAccess($column->board_id, $request)) {
+            return $this->jsonResponse($response, 403);
+        }
+
        $this->apiJson->setSuccess();
        $this->apiJson->addData($column);

@ -35,13 +38,12 @@ class Columns extends BaseController {
            return $this->jsonResponse($response, $status);
        }

-        // TODO: Verify user has board access
-        $actor = new User($this->container, Auth::GetUserId($request));
-
        $column = new Column($this->container);
        $column->loadFromJson($request->getBody());

-        if (!$column->save()) {
+        $board = new Board($this->container, $column->board_id);
+
+        if ($board->id === 0) {
            $this->logger->addError('Add Column: ', [$column]);
            $this->apiJson->addAlert('error', 'Error adding column. ' .
                'Please try again.');
@ -49,6 +51,14 @@ class Columns extends BaseController {
            return $this->jsonResponse($response);
        }

+        if (!$this->checkBoardAccess($column->board_id, $request)) {
+            return $this->jsonResponse($response, 403);
+        }
+
+        $column->save();
+
+        $actor = new User($this->container, Auth::GetUserId($request));
+
        $this->dbLogger->logChange($this->container, $actor->id,
            $actor->username . ' added column ' . $column->name . '.',
            '', json_encode($column), 'column', $column->id);
@ -67,10 +77,12 @@ class Columns extends BaseController {
            return $this->jsonResponse($response, $status);
        }

-        // TODO: Verify user has board access
-        $actor = new User($this->container, Auth::GetUserId($request));
-
        $column = new Column($this->container, (int)$args['id']);
+
+        if (!$this->checkBoardAccess($column->board_id, $request)) {
+            return $this->jsonResponse($response, 403);
+        }
+
        $update = new Column($this->container);
        $update->loadFromJson($request->getBody());

@ -84,6 +96,7 @@ class Columns extends BaseController {

        $update->save();

+        $actor = new User($this->container, Auth::GetUserId($request));
        $this->dbLogger->logChange($this->container, $actor->id,
            $actor->username . ' updated column ' . $update->name,
            json_encode($column), json_encode($update),
@ -103,9 +116,6 @@ class Columns extends BaseController {
            return $this->jsonResponse($response, $status);
        }

-        // TODO: Verify user has board access
-        $actor = new User($this->container, Auth::GetUserId($request));
-
        $id = (int)$args['id'];
        $column = new Column($this->container, $id);

@ -117,9 +127,14 @@ class Columns extends BaseController {
            return $this->jsonResponse($response);
        }

+        if (!$this->checkBoardAccess($column->board_id, $request)) {
+            return $this->jsonResponse($response, 403);
+        }
+
        $before = $column;
        $column->delete();

+        $actor = new User($this->container, Auth::GetUserId($request));
        $this->dbLogger->logChange($this->container, $actor->id,
            $actor->username . ' removed column ' . $before->name,
            json_encode($before), '', 'column', $id);
--- a/test/api/controllers/BoardsTest.php
+++ b/test/api/controllers/BoardsTest.php
@ -1,9 +1,6 @@
 <?php
 require_once __DIR__ . '/../Mocks.php';

-    /**
-     * @group single
-     */
 class BoardsTest extends PHPUnit_Framework_TestCase {
    private $boards;

--- a/test/api/controllers/ColumnsTest.php
+++ b/test/api/controllers/ColumnsTest.php
@ -54,6 +54,25 @@ class ColumnsTest extends PHPUnit_Framework_TestCase {
            $actual->alerts[0]['text']);
    }

+    public function testGetColumnForbidden() {
+        $this->createColumn();
+
+        DataMock::createBoardAdminUser();
+
+        $args = [];
+        $args['id'] = 1;
+
+        $request = new RequestMock();
+        $request->header = [DataMock::getJwt(2)];
+
+        $this->columns = new Columns(new ContainerMock());
+
+        $actual = $this->columns->getColumn($request,
+            new ResponseMock(), $args);
+        $this->assertEquals('Access restricted.',
+            $actual->alerts[0]['text']);
+    }
+
    public function testAddRemoveColumn() {
        $actual = $this->createColumn();
        $this->assertEquals('success', $actual->status);
@ -122,6 +141,44 @@ class ColumnsTest extends PHPUnit_Framework_TestCase {
        $this->assertEquals('failure', $response->status);
    }

+    public function testAddColumnForbidden() {
+        $this->createColumn();
+
+        DataMock::createBoardAdminUser();
+
+        $column = DataMock::getColumn();
+        $column->id = 0;
+
+        $request = new RequestMock();
+        $request->header = [DataMock::getJwt(2)];
+        $request->payload = $column;
+
+        $this->columns = new Columns(new ContainerMock());
+
+        $actual = $this->columns->addColumn($request,
+            new ResponseMock(), null);
+        $this->assertEquals('Access restricted.',
+            $actual->alerts[0]['text']);
+    }
+
+    public function testRemoveColumnForbidden() {
+        $this->createColumn();
+
+        DataMock::createBoardAdminUser();
+
+        $args = [];
+        $args['id'] = 1;
+
+        $request = new RequestMock();
+        $request->header = [DataMock::getJwt(2)];
+
+        $this->columns = new Columns(new ContainerMock());
+
+        $actual = $this->columns->removeColumn($request,
+            new ResponseMock(), $args);
+        $this->assertEquals('Access restricted.',
+            $actual->alerts[0]['text']);
+    }
    public function testUpdateColumn() {
        $this->createColumn();

@ -170,12 +227,56 @@ class ColumnsTest extends PHPUnit_Framework_TestCase {
            $actual->alerts[0]['text']);
    }

+    public function testUpdateColumnForbidden() {
+        $this->createColumn();
+
+        DataMock::createBoardAdminUser();
+
+        $column = DataMock::getColumn();
+        $column->name = 'test';
+
+        $args = [];
+        $args['id'] = $column->id;
+
+        $request = new RequestMock();
+        $request->header = [DataMock::getJwt(2)];
+        $request->payload = $column;
+
+        $this->columns = new Columns(new ContainerMock());
+
+        $actual = $this->columns->updateColumn($request,
+            new ResponseMock(), $args);
+        $this->assertEquals('Access restricted.',
+            $actual->alerts[0]['text']);
+    }
+
+    private function createBoard() {
+        $request = new RequestMock();
+        $request->header = [DataMock::getJwt()];
+
+        $board = DataMock::getBoard();
+        $board->id = 0;
+
+        $request->payload = $board;
+        $boards = new Boards(new ContainerMock());
+
+        $response = $boards->addBoard($request,
+            new ResponseMock(), null);
+        $this->assertEquals('success', $response->status);
+
+        return $response;
+    }
+
    private function createColumn() {
+        $this->createBoard();
+
        $request = new RequestMock();
        $request->header = [DataMock::getJwt()];

        $column = DataMock::getColumn();
        $column->id = 0;
+        $column->name = 'testing';
+        $column->tasks = [];

        $request->payload = $column;