From a8595d8aaf96b2070b1173ee2ddb0c3738ba52b6 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Wed, 1 Jan 2020 17:01:36 +0000
Subject: [PATCH] Fixed test class names + add perm. check to api session auth
---
app/Http/Middleware/ApiAuthenticate.php | 4 ++++
tests/Api/ApiAuthTest.php | 25 +++++++++++++++++++++++++
tests/Api/ApiConfigTest.php | 2 +-
tests/Api/ApiListingTest.php | 2 +-
4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/app/Http/Middleware/ApiAuthenticate.php b/app/Http/Middleware/ApiAuthenticate.php
index 655334450..15962b3b0 100644
--- a/app/Http/Middleware/ApiAuthenticate.php
+++ b/app/Http/Middleware/ApiAuthenticate.php
@@ -2,6 +2,7 @@
 namespace BookStack\Http\Middleware;
+use BookStack\Exceptions\ApiAuthException;
 use BookStack\Exceptions\UnauthorizedException;
 use Closure;
 use Illuminate\Http\Request;
@@ -36,6 +37,9 @@ class ApiAuthenticate
 // This is to make it easy to browser the API via browser after just logging into the system.
 if (signedInUser()) {
 $this->ensureEmailConfirmedIfRequested();
+ if (!auth()->user()->can('access-api')) {
+ throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
+ }
 return;
 }
diff --git a/tests/Api/ApiAuthTest.php b/tests/Api/ApiAuthTest.php
index 30d7f4ead..b6b6b72ac 100644
--- a/tests/Api/ApiAuthTest.php
+++ b/tests/Api/ApiAuthTest.php
@@ -3,6 +3,7 @@
 namespace Tests;
 use BookStack\Auth\Permissions\RolePermission;
+use BookStack\Auth\User;
 use Carbon\Carbon;
 class ApiAuthTest extends TestCase
@@ -14,6 +15,8 @@ class ApiAuthTest extends TestCase
 public function test_requests_succeed_with_default_auth()
 {
 $viewer = $this->getViewer();
+ $this->giveUserPermissions($viewer, ['access-api']);
+
 $resp = $this->get($this->endpoint);
 $resp->assertStatus(401);
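Review bot: The denial thrown in the new `if (!auth()->user()->can('access-api'))` branch reuses `errors.api_user_no_api_permission`, which the test added in this same commit shows renders as "The owner of the used API token does not have permission to make API calls" — but this branch is reached only via `signedInUser()`, i.e. a browser session with no token involved, so a denied user is told about a token they never sent. A dedicated key for this path, e.g. `throw new ApiAuthException(trans('errors.api_user_no_session_api_permission'), 403);` backed by wording like "Your user does not have permission to make API calls", or making the existing string guard-neutral, would keep the 403 response accurate. Separately, the guard is `signedInUser()` while the permission is read from `auth()->user()`; if those helpers can resolve against different guards (not visible here), resolving the user once and using it for both the guard and the `can()` call would make the check unambiguous. The enclosing middleware method starts before this hunk and continues past `return;`.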
@@ -62,6 +65,28 @@ class ApiAuthTest extends TestCase
 $editorRole->detachPermission($accessApiPermission);
 $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+ $resp->assertStatus(403);
+ $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
+ }
+
+ public function test_api_access_permission_required_to_access_api_with_session_auth()
+ {
+ $editor = $this->getEditor();
+ $this->actingAs($editor, 'web');
+
+ $resp = $this->get($this->endpoint);
+ $resp->assertStatus(200);
+ auth('web')->logout();
+
+ $accessApiPermission = RolePermission::getByName('access-api');
+ $editorRole = $this->getEditor()->roles()->first();
+ $editorRole->detachPermission($accessApiPermission);
+
+ $editor = User::query()->where('id', '=', $editor->id)->first();
+
+ $this->actingAs($editor, 'web');
+ $resp = $this->get($this->endpoint);
+ $resp->assertStatus(403);
 $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
 }
diff --git a/tests/Api/ApiConfigTest.php b/tests/Api/ApiConfigTest.php
index 99b063c69..d9367741f 100644
--- a/tests/Api/ApiConfigTest.php
+++ b/tests/Api/ApiConfigTest.php
@@ -5,7 +5,7 @@ namespace Tests;
 use BookStack\Auth\Permissions\RolePermission;
 use Carbon\Carbon;
-class ApiAuthTest extends TestCase
+class ApiConfigTest extends TestCase
 {
 use TestsApi;
diff --git a/tests/Api/ApiListingTest.php b/tests/Api/ApiListingTest.php
index 26014cdec..fa28dfb36 100644
--- a/tests/Api/ApiListingTest.php
+++ b/tests/Api/ApiListingTest.php
@@ -6,7 +6,7 @@ use BookStack\Auth\Permissions\RolePermission;
 use BookStack\Entities\Book;
 use Carbon\Carbon;
-class ApiAuthTest extends TestCase
+class ApiListingTest extends TestCase
 {
 use TestsApi;
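Review bot: In `test_api_access_permission_required_to_access_api_with_session_auth` the role is taken from a fresh `$this->getEditor()->roles()->first()` rather than from the `$editor` obtained on the test's first line; if `getEditor()` can return a different account than the one logged in (not visible here), the permission would be detached from the wrong user and the later 403 would not be exercising the session user at all, so `$editorRole = $editor->roles()->first();` ties the setup to the account under test. The re-fetch `User::query()->where('id', '=', $editor->id)->first()` silently yields `null` if the lookup fails and passes it into `actingAs`; `User::query()->findOrFail($editor->id)` would fail with a clear reason instead. It would also help to add a short comment on why the re-fetch is needed at all, e.g. `// Reload so the detached role permission is not served from the cached user instance`, since the reason is not evident from the test body.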