2022-02-03 07:33:26 -05:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace Tests\Api;
|
|
|
|
|
2022-02-03 19:26:19 -05:00
|
|
|
use BookStack\Actions\ActivityType;
|
2022-02-03 07:33:26 -05:00
|
|
|
use BookStack\Auth\Role;
|
|
|
|
use BookStack\Auth\User;
|
2022-02-03 19:26:19 -05:00
|
|
|
use BookStack\Entities\Models\Entity;
|
|
|
|
use BookStack\Notifications\UserInvite;
|
2022-02-03 11:52:28 -05:00
|
|
|
use Illuminate\Support\Facades\Hash;
|
2022-02-03 19:26:19 -05:00
|
|
|
use Illuminate\Support\Facades\Notification;
|
2022-02-03 07:33:26 -05:00
|
|
|
use Tests\TestCase;
|
|
|
|
|
|
|
|
class UsersApiTest extends TestCase
|
|
|
|
{
|
|
|
|
use TestsApi;
|
|
|
|
|
|
|
|
protected $baseEndpoint = '/api/users';
|
|
|
|
|
2022-02-03 19:26:19 -05:00
|
|
|
protected $endpointMap = [
|
|
|
|
['get', '/api/users'],
|
|
|
|
['post', '/api/users'],
|
|
|
|
['get', '/api/users/1'],
|
|
|
|
['put', '/api/users/1'],
|
|
|
|
['delete', '/api/users/1'],
|
|
|
|
];
|
|
|
|
|
2022-02-03 07:33:26 -05:00
|
|
|
public function test_users_manage_permission_needed_for_all_endpoints()
|
|
|
|
{
|
2022-02-03 19:26:19 -05:00
|
|
|
$this->actingAsApiEditor();
|
|
|
|
foreach ($this->endpointMap as [$method, $uri]) {
|
|
|
|
$resp = $this->json($method, $uri);
|
|
|
|
$resp->assertStatus(403);
|
|
|
|
$resp->assertJson($this->permissionErrorResponse());
|
|
|
|
}
|
2022-02-03 07:33:26 -05:00
|
|
|
}
|
|
|
|
|
2022-02-03 10:12:50 -05:00
|
|
|
public function test_no_endpoints_accessible_in_demo_mode()
|
|
|
|
{
|
2022-02-03 19:26:19 -05:00
|
|
|
config()->set('app.env', 'demo');
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
|
|
|
|
foreach ($this->endpointMap as [$method, $uri]) {
|
|
|
|
$resp = $this->json($method, $uri);
|
|
|
|
$resp->assertStatus(403);
|
|
|
|
$resp->assertJson($this->permissionErrorResponse());
|
|
|
|
}
|
2022-02-03 10:12:50 -05:00
|
|
|
}
|
|
|
|
|
2022-02-03 07:33:26 -05:00
|
|
|
public function test_index_endpoint_returns_expected_shelf()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $firstUser */
|
|
|
|
$firstUser = User::query()->orderBy('id', 'asc')->first();
|
|
|
|
|
|
|
|
$resp = $this->getJson($this->baseEndpoint . '?count=1&sort=+id');
|
|
|
|
$resp->assertJson(['data' => [
|
|
|
|
[
|
2022-02-08 10:29:58 -05:00
|
|
|
'id' => $firstUser->id,
|
|
|
|
'name' => $firstUser->name,
|
|
|
|
'slug' => $firstUser->slug,
|
|
|
|
'email' => $firstUser->email,
|
2022-02-03 07:33:26 -05:00
|
|
|
'profile_url' => $firstUser->getProfileUrl(),
|
2022-02-08 10:29:58 -05:00
|
|
|
'edit_url' => $firstUser->getEditUrl(),
|
|
|
|
'avatar_url' => $firstUser->getAvatar(),
|
2022-02-03 07:33:26 -05:00
|
|
|
],
|
|
|
|
]]);
|
|
|
|
}
|
|
|
|
|
2022-02-03 19:26:19 -05:00
|
|
|
public function test_create_endpoint()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var Role $role */
|
|
|
|
$role = Role::query()->first();
|
|
|
|
|
|
|
|
$resp = $this->postJson($this->baseEndpoint, [
|
2022-02-08 10:29:58 -05:00
|
|
|
'name' => 'Benny Boris',
|
|
|
|
'email' => 'bboris@example.com',
|
|
|
|
'password' => 'mysuperpass',
|
|
|
|
'language' => 'it',
|
|
|
|
'roles' => [$role->id],
|
2022-02-03 19:26:19 -05:00
|
|
|
'send_invite' => false,
|
|
|
|
]);
|
|
|
|
|
|
|
|
$resp->assertStatus(200);
|
|
|
|
$resp->assertJson([
|
2022-02-08 10:29:58 -05:00
|
|
|
'name' => 'Benny Boris',
|
|
|
|
'email' => 'bboris@example.com',
|
2022-02-03 19:26:19 -05:00
|
|
|
'external_auth_id' => '',
|
2022-02-08 10:29:58 -05:00
|
|
|
'roles' => [
|
2022-02-03 19:26:19 -05:00
|
|
|
[
|
2022-02-08 10:29:58 -05:00
|
|
|
'id' => $role->id,
|
2022-02-03 19:26:19 -05:00
|
|
|
'display_name' => $role->display_name,
|
2022-02-08 10:29:58 -05:00
|
|
|
],
|
2022-02-03 19:26:19 -05:00
|
|
|
],
|
|
|
|
]);
|
|
|
|
$this->assertDatabaseHas('users', ['email' => 'bboris@example.com']);
|
|
|
|
|
|
|
|
/** @var User $user */
|
|
|
|
$user = User::query()->where('email', '=', 'bboris@example.com')->first();
|
|
|
|
$this->assertActivityExists(ActivityType::USER_CREATE, null, $user->logDescriptor());
|
|
|
|
$this->assertEquals(1, $user->roles()->count());
|
|
|
|
$this->assertEquals('it', setting()->getUser($user, 'language'));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_create_with_send_invite()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
Notification::fake();
|
|
|
|
|
|
|
|
$resp = $this->postJson($this->baseEndpoint, [
|
2022-02-08 10:29:58 -05:00
|
|
|
'name' => 'Benny Boris',
|
|
|
|
'email' => 'bboris@example.com',
|
2022-02-03 19:26:19 -05:00
|
|
|
'send_invite' => true,
|
|
|
|
]);
|
|
|
|
|
|
|
|
$resp->assertStatus(200);
|
|
|
|
/** @var User $user */
|
|
|
|
$user = User::query()->where('email', '=', 'bboris@example.com')->first();
|
|
|
|
Notification::assertSentTo($user, UserInvite::class);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_create_name_and_email_validation()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $existingUser */
|
|
|
|
$existingUser = User::query()->first();
|
|
|
|
|
|
|
|
$resp = $this->postJson($this->baseEndpoint, [
|
|
|
|
'email' => 'bboris@example.com',
|
|
|
|
]);
|
|
|
|
$resp->assertStatus(422);
|
|
|
|
$resp->assertJson($this->validationResponse(['name' => ['The name field is required.']]));
|
|
|
|
|
|
|
|
$resp = $this->postJson($this->baseEndpoint, [
|
|
|
|
'name' => 'Benny Boris',
|
|
|
|
]);
|
|
|
|
$resp->assertStatus(422);
|
|
|
|
$resp->assertJson($this->validationResponse(['email' => ['The email field is required.']]));
|
|
|
|
|
|
|
|
$resp = $this->postJson($this->baseEndpoint, [
|
|
|
|
'email' => $existingUser->email,
|
2022-02-08 10:29:58 -05:00
|
|
|
'name' => 'Benny Boris',
|
2022-02-03 19:26:19 -05:00
|
|
|
]);
|
|
|
|
$resp->assertStatus(422);
|
|
|
|
$resp->assertJson($this->validationResponse(['email' => ['The email has already been taken.']]));
|
|
|
|
}
|
|
|
|
|
2022-02-03 07:33:26 -05:00
|
|
|
public function test_read_endpoint()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $user */
|
|
|
|
$user = User::query()->first();
|
|
|
|
/** @var Role $userRole */
|
|
|
|
$userRole = $user->roles()->first();
|
|
|
|
|
|
|
|
$resp = $this->getJson($this->baseEndpoint . "/{$user->id}");
|
|
|
|
|
|
|
|
$resp->assertStatus(200);
|
|
|
|
$resp->assertJson([
|
2022-02-08 10:29:58 -05:00
|
|
|
'id' => $user->id,
|
|
|
|
'slug' => $user->slug,
|
|
|
|
'email' => $user->email,
|
2022-02-03 07:33:26 -05:00
|
|
|
'external_auth_id' => $user->external_auth_id,
|
2022-02-08 10:29:58 -05:00
|
|
|
'roles' => [
|
2022-02-03 07:33:26 -05:00
|
|
|
[
|
2022-02-08 10:29:58 -05:00
|
|
|
'id' => $userRole->id,
|
2022-02-03 07:33:26 -05:00
|
|
|
'display_name' => $userRole->display_name,
|
2022-02-08 10:29:58 -05:00
|
|
|
],
|
2022-02-03 07:33:26 -05:00
|
|
|
],
|
|
|
|
]);
|
|
|
|
}
|
2022-02-03 10:12:50 -05:00
|
|
|
|
2022-02-03 11:52:28 -05:00
|
|
|
public function test_update_endpoint()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $user */
|
2023-01-21 06:08:34 -05:00
|
|
|
$user = $this->users->admin();
|
2022-02-03 11:52:28 -05:00
|
|
|
$roles = Role::query()->pluck('id');
|
|
|
|
$resp = $this->putJson($this->baseEndpoint . "/{$user->id}", [
|
2022-02-08 10:29:58 -05:00
|
|
|
'name' => 'My updated user',
|
|
|
|
'email' => 'barrytest@example.com',
|
|
|
|
'roles' => $roles,
|
2022-02-03 11:52:28 -05:00
|
|
|
'external_auth_id' => 'btest',
|
2022-02-08 10:29:58 -05:00
|
|
|
'password' => 'barrytester',
|
|
|
|
'language' => 'fr',
|
2022-02-03 11:52:28 -05:00
|
|
|
]);
|
|
|
|
|
|
|
|
$resp->assertStatus(200);
|
|
|
|
$resp->assertJson([
|
2022-02-08 10:29:58 -05:00
|
|
|
'id' => $user->id,
|
|
|
|
'name' => 'My updated user',
|
|
|
|
'email' => 'barrytest@example.com',
|
2022-02-03 11:52:28 -05:00
|
|
|
'external_auth_id' => 'btest',
|
|
|
|
]);
|
|
|
|
$user->refresh();
|
|
|
|
$this->assertEquals('fr', setting()->getUser($user, 'language'));
|
|
|
|
$this->assertEquals(count($roles), $user->roles()->count());
|
|
|
|
$this->assertNotEquals('barrytester', $user->password);
|
|
|
|
$this->assertTrue(Hash::check('barrytester', $user->password));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_update_endpoint_does_not_remove_info_if_not_provided()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $user */
|
2023-01-21 06:08:34 -05:00
|
|
|
$user = $this->users->admin();
|
2022-02-03 11:52:28 -05:00
|
|
|
$roleCount = $user->roles()->count();
|
|
|
|
$resp = $this->putJson($this->baseEndpoint . "/{$user->id}", []);
|
|
|
|
|
|
|
|
$resp->assertStatus(200);
|
|
|
|
$this->assertDatabaseHas('users', [
|
2022-02-08 10:29:58 -05:00
|
|
|
'id' => $user->id,
|
|
|
|
'name' => $user->name,
|
|
|
|
'email' => $user->email,
|
2022-02-03 11:52:28 -05:00
|
|
|
'password' => $user->password,
|
|
|
|
]);
|
|
|
|
$this->assertEquals($roleCount, $user->roles()->count());
|
|
|
|
}
|
|
|
|
|
2022-02-03 10:12:50 -05:00
|
|
|
public function test_delete_endpoint()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $user */
|
2023-01-21 06:08:34 -05:00
|
|
|
$user = User::query()->where('id', '!=', $this->users->admin()->id)
|
2022-02-03 10:12:50 -05:00
|
|
|
->whereNull('system_name')
|
|
|
|
->first();
|
|
|
|
|
|
|
|
$resp = $this->deleteJson($this->baseEndpoint . "/{$user->id}");
|
|
|
|
|
|
|
|
$resp->assertStatus(204);
|
|
|
|
$this->assertActivityExists('user_delete', null, $user->logDescriptor());
|
|
|
|
}
|
|
|
|
|
2022-02-03 19:26:19 -05:00
|
|
|
public function test_delete_endpoint_with_ownership_migration_user()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $user */
|
2023-01-21 06:08:34 -05:00
|
|
|
$user = User::query()->where('id', '!=', $this->users->admin()->id)
|
2022-02-03 19:26:19 -05:00
|
|
|
->whereNull('system_name')
|
|
|
|
->first();
|
2022-09-29 11:49:25 -04:00
|
|
|
$entityChain = $this->entities->createChainBelongingToUser($user);
|
2022-02-03 19:26:19 -05:00
|
|
|
/** @var User $newOwner */
|
|
|
|
$newOwner = User::query()->where('id', '!=', $user->id)->first();
|
|
|
|
|
|
|
|
/** @var Entity $entity */
|
|
|
|
foreach ($entityChain as $entity) {
|
|
|
|
$this->assertEquals($user->id, $entity->owned_by);
|
|
|
|
}
|
|
|
|
|
|
|
|
$resp = $this->deleteJson($this->baseEndpoint . "/{$user->id}", [
|
|
|
|
'migrate_ownership_id' => $newOwner->id,
|
|
|
|
]);
|
|
|
|
|
|
|
|
$resp->assertStatus(204);
|
|
|
|
/** @var Entity $entity */
|
|
|
|
foreach ($entityChain as $entity) {
|
|
|
|
$this->assertEquals($newOwner->id, $entity->refresh()->owned_by);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-02-03 10:12:50 -05:00
|
|
|
public function test_delete_endpoint_fails_deleting_only_admin()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
$adminRole = Role::getSystemRole('admin');
|
|
|
|
$adminToDelete = $adminRole->users()->first();
|
|
|
|
$adminRole->users()->where('id', '!=', $adminToDelete->id)->delete();
|
|
|
|
|
|
|
|
$resp = $this->deleteJson($this->baseEndpoint . "/{$adminToDelete->id}");
|
|
|
|
|
|
|
|
$resp->assertStatus(500);
|
|
|
|
$resp->assertJson($this->errorResponse('You cannot delete the only admin', 500));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function test_delete_endpoint_fails_deleting_public_user()
|
|
|
|
{
|
|
|
|
$this->actingAsApiAdmin();
|
|
|
|
/** @var User $publicUser */
|
|
|
|
$publicUser = User::query()->where('system_name', '=', 'public')->first();
|
|
|
|
|
|
|
|
$resp = $this->deleteJson($this->baseEndpoint . "/{$publicUser->id}");
|
|
|
|
|
|
|
|
$resp->assertStatus(500);
|
|
|
|
$resp->assertJson($this->errorResponse('You cannot delete the guest user', 500));
|
|
|
|
}
|
2022-02-03 07:33:26 -05:00
|
|
|
}
|