mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 05:36:00 +00:00
Fixed test class names + add perm. check to api session auth
This commit is contained in:
Dan Brown
parent
a7a97a53f1
commit
a8595d8aaf
@ -2,6 +2,7 @@
|
||||
|
||||
namespace BookStack\Http\Middleware;
|
||||
|
||||
use BookStack\Exceptions\ApiAuthException;
|
||||
use BookStack\Exceptions\UnauthorizedException;
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
@ -36,6 +37,9 @@ class ApiAuthenticate
|
||||
// This is to make it easy to browser the API via browser after just logging into the system.
|
||||
if (signedInUser()) {
|
||||
$this->ensureEmailConfirmedIfRequested();
|
||||
if (!auth()->user()->can('access-api')) {
|
||||
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
namespace Tests;
|
||||
|
||||
use BookStack\Auth\Permissions\RolePermission;
|
||||
use BookStack\Auth\User;
|
||||
use Carbon\Carbon;
|
||||
|
||||
class ApiAuthTest extends TestCase
|
||||
@ -14,6 +15,8 @@ class ApiAuthTest extends TestCase
|
||||
public function test_requests_succeed_with_default_auth()
|
||||
{
|
||||
$viewer = $this->getViewer();
|
||||
$this->giveUserPermissions($viewer, ['access-api']);
|
||||
|
||||
$resp = $this->get($this->endpoint);
|
||||
$resp->assertStatus(401);
|
||||
|
||||
@ -62,6 +65,28 @@ class ApiAuthTest extends TestCase
|
||||
$editorRole->detachPermission($accessApiPermission);
|
||||
|
||||
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
|
||||
$resp->assertStatus(403);
|
||||
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
|
||||
}
|
||||
|
||||
public function test_api_access_permission_required_to_access_api_with_session_auth()
|
||||
{
|
||||
$editor = $this->getEditor();
|
||||
$this->actingAs($editor, 'web');
|
||||
|
||||
$resp = $this->get($this->endpoint);
|
||||
$resp->assertStatus(200);
|
||||
auth('web')->logout();
|
||||
|
||||
$accessApiPermission = RolePermission::getByName('access-api');
|
||||
$editorRole = $this->getEditor()->roles()->first();
|
||||
$editorRole->detachPermission($accessApiPermission);
|
||||
|
||||
$editor = User::query()->where('id', '=', $editor->id)->first();
|
||||
|
||||
$this->actingAs($editor, 'web');
|
||||
$resp = $this->get($this->endpoint);
|
||||
$resp->assertStatus(403);
|
||||
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
|
||||
}
|
||||
|
||||
|
||||
@ -5,7 +5,7 @@ namespace Tests;
|
||||
use BookStack\Auth\Permissions\RolePermission;
|
||||
use Carbon\Carbon;
|
||||
|
||||
class ApiAuthTest extends TestCase
|
||||
class ApiConfigTest extends TestCase
|
||||
{
|
||||
use TestsApi;
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@ use BookStack\Auth\Permissions\RolePermission;
|
||||
use BookStack\Entities\Book;
|
||||
use Carbon\Carbon;
|
||||
|
||||
class ApiAuthTest extends TestCase
|
||||
class ApiListingTest extends TestCase
|
||||
{
|
||||
use TestsApi;
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user