Fixed test class names + add perm. check to api session auth

This commit is contained in:
Dan Brown 2020-01-01 17:01:36 +00:00
parent a7a97a53f1
commit a8595d8aaf
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
4 changed files with 31 additions and 2 deletions

View file

@ -2,6 +2,7 @@
namespace BookStack\Http\Middleware; namespace BookStack\Http\Middleware;
use BookStack\Exceptions\ApiAuthException;
use BookStack\Exceptions\UnauthorizedException; use BookStack\Exceptions\UnauthorizedException;
use Closure; use Closure;
use Illuminate\Http\Request; use Illuminate\Http\Request;
@ -36,6 +37,9 @@ class ApiAuthenticate
// This is to make it easy to browser the API via browser after just logging into the system. // This is to make it easy to browser the API via browser after just logging into the system.
if (signedInUser()) { if (signedInUser()) {
$this->ensureEmailConfirmedIfRequested(); $this->ensureEmailConfirmedIfRequested();
if (!auth()->user()->can('access-api')) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
}
return; return;
} }

View file

@ -3,6 +3,7 @@
namespace Tests; namespace Tests;
use BookStack\Auth\Permissions\RolePermission; use BookStack\Auth\Permissions\RolePermission;
use BookStack\Auth\User;
use Carbon\Carbon; use Carbon\Carbon;
class ApiAuthTest extends TestCase class ApiAuthTest extends TestCase
@ -14,6 +15,8 @@ class ApiAuthTest extends TestCase
public function test_requests_succeed_with_default_auth() public function test_requests_succeed_with_default_auth()
{ {
$viewer = $this->getViewer(); $viewer = $this->getViewer();
$this->giveUserPermissions($viewer, ['access-api']);
$resp = $this->get($this->endpoint); $resp = $this->get($this->endpoint);
$resp->assertStatus(401); $resp->assertStatus(401);
@ -62,6 +65,28 @@ class ApiAuthTest extends TestCase
$editorRole->detachPermission($accessApiPermission); $editorRole->detachPermission($accessApiPermission);
$resp = $this->get($this->endpoint, $this->apiAuthHeader()); $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(403);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
public function test_api_access_permission_required_to_access_api_with_session_auth()
{
$editor = $this->getEditor();
$this->actingAs($editor, 'web');
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
auth('web')->logout();
$accessApiPermission = RolePermission::getByName('access-api');
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
$editor = User::query()->where('id', '=', $editor->id)->first();
$this->actingAs($editor, 'web');
$resp = $this->get($this->endpoint);
$resp->assertStatus(403);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403)); $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
} }

View file

@ -5,7 +5,7 @@ namespace Tests;
use BookStack\Auth\Permissions\RolePermission; use BookStack\Auth\Permissions\RolePermission;
use Carbon\Carbon; use Carbon\Carbon;
class ApiAuthTest extends TestCase class ApiConfigTest extends TestCase
{ {
use TestsApi; use TestsApi;

View file

@ -6,7 +6,7 @@ use BookStack\Auth\Permissions\RolePermission;
use BookStack\Entities\Book; use BookStack\Entities\Book;
use Carbon\Carbon; use Carbon\Carbon;
class ApiAuthTest extends TestCase class ApiListingTest extends TestCase
{ {
use TestsApi; use TestsApi;