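<?php

/**
 * Exercises the access gate in `willBeginExecution()` against a matrix of
 * viewer kinds (anonymous, unverified, normal, disabled, admin, not yet
 * approved) and per-controller configuration flags (`email`, `admin`,
 * `enabled`, `login`, `public`), plus a controller bound to an application
 * whose view policy is "no one".
 *
 * Every scenario lists who must be let through and who must be turned away.
 * See @{method:checkAccess} for how the outcome of `willBeginExecution()`
 * is interpreted; the scenarios are deliberately exhaustive over the six
 * fixture users so that a regression in any one branch of the gate shows up
 * as a named assertion failure.
 */
final class PhabricatorAccessControlTestCase extends PhabricatorTestCase {

  /**
   * The test persists several users, so it needs storage fixtures.
   */
  protected function getPhabricatorTestCaseConfiguration() {
    return array(
      self::PHABRICATOR_TESTCONFIG_BUILD_STORAGE_FIXTURES => true,
    );
  }

  public function testControllerAccessControls() {
    $root = dirname(phutil_get_library_root('phabricator'));
    require_once $root.'/support/startup/PhabricatorStartup.php';

    $application_configuration = new AphrontApplicationConfiguration();

    $host = 'meow.example.com';

    $_SERVER['REQUEST_METHOD'] = 'GET';

    // A single request object is shared by every scenario; checkAccess()
    // swaps the viewer on it before each run.
    $request = id(new AphrontRequest($host, '/'))
      ->setApplicationConfiguration($application_configuration)
      ->setRequestData(array());

    $controller = new PhabricatorTestController();
    $controller->setRequest($request);

    // Never saved: this object stands in for a logged-out visitor.
    $u_public = id(new PhabricatorUser())
      ->setUsername('public');

    // Saved, then the verified flag is cleared in a second save; presumably
    // generateNewTestUser() marks the address verified by default.
    $u_unverified = $this->generateNewTestUser()
      ->setUsername('unverified')
      ->save();
    $u_unverified->setIsEmailVerified(0)->save();

    $u_normal = $this->generateNewTestUser()
      ->setUsername('normal')
      ->save();

    $u_disabled = $this->generateNewTestUser()
      ->setIsDisabled(true)
      ->setUsername('disabled')
      ->save();

    $u_admin = $this->generateNewTestUser()
      ->setIsAdmin(true)
      ->setUsername('admin')
      ->save();

    $u_notapproved = $this->generateNewTestUser()
      ->setIsApproved(0)
      ->setUsername('notapproved')
      ->save();

    // Pin the baseline so each scenario below flips exactly one knob:
    // anonymous access off, no email-verification requirement, no MFA
    // requirement.
    $env = PhabricatorEnv::beginScopedEnv();
    $env->overrideEnvConfig('phabricator.base-uri', 'http://'.$host);
    $env->overrideEnvConfig('policy.allow-public', false);
    $env->overrideEnvConfig('auth.require-email-verification', false);
    $env->overrideEnvConfig('security.require-multi-factor-auth', false);

    // Standard defaults: any enabled, approved, logged-in user gets in;
    // anonymous, disabled and not-yet-approved viewers do not.
    $this->checkAccess(
      pht('Default'),
      id(clone $controller),
      $request,
      array(
        $u_normal,
        $u_admin,
        $u_unverified,
      ),
      array(
        $u_public,
        $u_disabled,
        $u_notapproved,
      ));

    // Email verification: once required globally, the unverified user moves
    // to the denied side...
    $env->overrideEnvConfig('auth.require-email-verification', true);
    $this->checkAccess(
      pht('Email Verification Required'),
      id(clone $controller),
      $request,
      array(
        $u_normal,
        $u_admin,
      ),
      array(
        $u_unverified,
        $u_public,
        $u_disabled,
        $u_notapproved,
      ));

    // ...unless the controller opts out of the verification check.
    $this->checkAccess(
      pht('Email Verification Required, With Exception'),
      id(clone $controller)->setConfig('email', false),
      $request,
      array(
        $u_normal,
        $u_admin,
        $u_unverified,
      ),
      array(
        $u_public,
        $u_disabled,
        $u_notapproved,
      ));
    $env->overrideEnvConfig('auth.require-email-verification', false);

    // Admin-only controller: only the admin fixture passes.
    $this->checkAccess(
      pht('Admin Required'),
      id(clone $controller)->setConfig('admin', true),
      $request,
      array(
        $u_admin,
      ),
      array(
        $u_normal,
        $u_unverified,
        $u_public,
        $u_disabled,
        $u_notapproved,
      ));

    // Controller that does not require an enabled user: the disabled and
    // not-approved users get through, but anonymous is still rejected.
    $this->checkAccess(
      pht('Allow Disabled'),
      id(clone $controller)->setConfig('enabled', false),
      $request,
      array(
        $u_normal,
        $u_unverified,
        $u_admin,
        $u_disabled,
        $u_notapproved,
      ),
      array(
        $u_public,
      ));

    // No login required: anonymous and not-approved viewers are admitted,
    // yet the disabled-user check is still enforced.
    $this->checkAccess(
      pht('No Login Required'),
      id(clone $controller)->setConfig('login', false),
      $request,
      array(
        $u_normal,
        $u_unverified,
        $u_admin,
        $u_public,
        $u_notapproved,
      ),
      array(
        $u_disabled,
      ));

    // Public access: marking the controller public is not sufficient on its
    // own. While `policy.allow-public` is off this behaves exactly like the
    // default case, so the anonymous viewer stays denied.
    $this->checkAccess(
      pht('Public Access'),
      id(clone $controller)->setConfig('public', true),
      $request,
      array(
        $u_normal,
        $u_unverified,
        $u_admin,
      ),
      array(
        $u_disabled,
        $u_public,
        // Previously missing from this scenario; the not-approved user is
        // denied here for the same reason as in the default case.
        $u_notapproved,
      ));

    // Public access with the global switch on: anonymous is admitted, but
    // disabled and not-approved accounts remain locked out.
    $env->overrideEnvConfig('policy.allow-public', true);
    $this->checkAccess(
      pht('Public + configured'),
      id(clone $controller)->setConfig('public', true),
      $request,
      array(
        $u_normal,
        $u_unverified,
        $u_admin,
        $u_public,
      ),
      array(
        $u_disabled,
        $u_notapproved,
      ));
    $env->overrideEnvConfig('policy.allow-public', false);

    // Application policy: bind the controller to an application nobody may
    // view.
    $app = PhabricatorApplication::getByClass(
      PhabricatorTestApplication::class);
    $app->reset();
    $app->setPolicy(
      PhabricatorPolicyCapability::CAN_VIEW,
      PhabricatorPolicies::POLICY_NOONE);

    $app_controller = id(clone $controller)->setCurrentApplication($app);

    // With CAN_VIEW set to "no one", every viewer -- including the admin --
    // is refused.
    $this->checkAccess(
      pht('Application Controller'),
      $app_controller,
      $request,
      array(
      ),
      array(
        $u_normal,
        $u_unverified,
        $u_admin,
        $u_public,
        $u_disabled,
        $u_notapproved,
      ));

    // As these expectations show, the application view policy is only
    // enforced on login-required controllers: a `login => false` controller
    // admits everyone except the disabled user even though the application
    // itself is invisible.
    $this->checkAccess(
      pht('Application Controller, No Login Required'),
      id(clone $app_controller)->setConfig('login', false),
      $request,
      array(
        $u_normal,
        $u_unverified,
        $u_admin,
        $u_public,
        $u_notapproved,
      ),
      array(
        $u_disabled,
      ));
  }

  /**
   * Run `willBeginExecution()` on a fresh clone of `$controller` for each
   * user and check the outcome against the expectation.
   *
   * A user is "allowed" when the call returns `null`, i.e. execution may
   * proceed into the controller. Anything else -- a returned response object
   * or a thrown exception -- is treated as a denial.
   *
   * NOTE(review): because any exception counts as a denial, a controller
   * that is merely broken would make every "denied" assertion pass. A
   * tighter check would assert on the specific response or exception the
   * access gate produces; that type is not visible from this file.
   *
   * @param string $label Human-readable scenario name used in assertion
   *   messages.
   * @param PhabricatorTestController $controller Configured controller;
   *   cloned before each call so runs do not share state.
   * @param AphrontRequest $request Request whose viewer is replaced before
   *   each call.
   * @param list<PhabricatorUser> $yes Users that must be granted access.
   * @param list<PhabricatorUser> $no Users that must be denied access.
   */
  private function checkAccess(
    $label,
    $controller,
    $request,
    array $yes,
    array $no) {

    foreach ($yes as $user) {
      $request->setUser($user);
      $uname = $user->getUsername();

      try {
        $result = id(clone $controller)->willBeginExecution();
      } catch (Exception $ex) {
        $result = $ex;
      }

      $this->assertTrue(
        ($result === null),
        pht("Expect user '%s' to be allowed access to '%s'.", $uname, $label));
    }

    foreach ($no as $user) {
      $request->setUser($user);
      $uname = $user->getUsername();

      try {
        $result = id(clone $controller)->willBeginExecution();
      } catch (Exception $ex) {
        $result = $ex;
      }

      $this->assertFalse(
        ($result === null),
        pht("Expect user '%s' to be denied access to '%s'.", $uname, $label));
    }
  }

}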