Response filtering for board endpoints

This commit is contained in:
Matthew Ross 2016-06-16 10:01:00 -04:00
parent 133737d4a4
commit d81918cf68
3 changed files with 61 additions and 7 deletions


@ -16,11 +16,13 @@ class Boards extends BaseController {
$this->apiJson->setSuccess();
foreach($boardBeans as $bean) {
// TODO: Filter boards to those where the user is a member
$board = new Board($this->container);
$board->loadFromBean($bean);
$this->apiJson->addData($board);
if (Auth::HasBoardAccess($this->container,
$request, $board->id)) {
$this->apiJson->addData($board);
}
}
} else {
$this->logger->addInfo('No boards in database.');
@ -38,7 +40,6 @@ class Boards extends BaseController {
}
$board = new Board($this->container, (int)$args['id']);
// TODO: Filter boards to those where the user is a member
if ($board->id === 0) {
$this->logger->addError('Attempt to load board ' . $args['id'] .
@ -49,6 +50,10 @@ class Boards extends BaseController {
return $this->jsonResponse($response);
}
if (!$this->checkBoardAccess($board->id, $request)) {
return $this->jsonResponse($response, 403);
}
$this->apiJson->setSuccess();
$this->apiJson->addData($board);
@ -93,7 +98,10 @@ class Boards extends BaseController {
}
$board = new Board($this->container, (int)$args['id']);
// TODO: Filter boards to those where the user is a member
if (!$this->checkBoardAccess($board->id, $request)) {
return $this->jsonResponse($response, 403);
}
$update = new Board($this->container);
$update->loadFromJson($request->getBody());
@ -131,6 +139,10 @@ class Boards extends BaseController {
$id = (int)$args['id'];
$board = new Board($this->container, $id);
if (!$this->checkBoardAccess($board->id, $request)) {
return $this->jsonResponse($response, 403);
}
if ($board->id !== $id) {
$this->logger->addError('Remove Board: ', [$board]);
$this->apiJson->addAlert('error', 'Error removing board. ' .
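Review bot: In updateBoard the new `checkBoardAccess($board->id, $request)` check is made against the board loaded from the URL id, while the object actually written is `$update`, populated from the request body on the following line; if that body carries its own `id` and the save uses it, a caller with access to board A can post a body naming board B and the check on A does not cover the write to B. The remainder of updateBoard is outside the hunk, so whether the save keys on `$update->id` or `$board->id` cannot be confirmed here; the defensive fix is to pin the id right after loading, `$update->id = $board->id;`. Separately, unlike getBoard this method has no `$board->id === 0` guard before the access check, so a nonexistent id reaches `checkBoardAccess(0, $request)` and the outcome depends on how HasBoardAccess treats id 0, which is not visible in this commit. An explicit existence check ahead of the access check, or at least a comment such as `// id 0 (board not found) must be rejected by checkBoardAccess`, would make the intended behaviour clear.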


@ -1,9 +1,6 @@
<?php
require_once __DIR__ . '/../Mocks.php';
/**
* @group single
*/
class AttachmentsTest extends PHPUnit_Framework_TestCase {
private $attachments;


@ -1,6 +1,9 @@
<?php
require_once __DIR__ . '/../Mocks.php';
/**
* @group single
*/
class BoardsTest extends PHPUnit_Framework_TestCase {
private $boards;
@ -82,6 +85,25 @@ class BoardsTest extends PHPUnit_Framework_TestCase {
$actual->alerts[0]['text']);
}
public function testGetBoardForbidden() {
$this->createBoard();
DataMock::createBoardAdminUser();
$args = [];
$args['id'] = 1;
$request = new RequestMock();
$request->header = [DataMock::getJwt(2)];
$this->boards = new Boards(new ContainerMock());
$actual = $this->boards->getBoard($request,
new ResponseMock(), $args);
$this->assertEquals('Access restricted.',
$actual->alerts[0]['text']);
}
public function testAddRemoveBoard() {
$actual = $this->createBoard();
@ -186,6 +208,29 @@ class BoardsTest extends PHPUnit_Framework_TestCase {
$this->assertEquals('failure', $response->status);
}
public function testUpdateBoardForbidden() {
$this->createBoard();
DataMock::createBoardAdminUser();
$board = DataMock::getBoard();
$board->is_active = false;
$args = [];
$args['id'] = $board->id;
$this->boards = new Boards(new ContainerMock());
$request = new RequestMock();
$request->payload = $board;
$request->header = [DataMock::getJwt(2)];
$actual = $this->boards->updateBoard($request,
new ResponseMock(), $args);
$this->assertEquals('Access restricted.',
$actual->alerts[0]['text']);
}
private function createBoard() {
$request = new RequestMock();
$request->header = [DataMock::getJwt()];