xref: /dokuwiki/_test/tests/inc/auth_mediaaclpath.test.php (revision 7e687fd85a40bd8453b39b64bae8e989ab32fd36)
1<?php
2
3use dokuwiki\test\mock\AuthPlugin;
4
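/**
 * Tests for mediaAclPath() and its effect on media ACL evaluation.
 *
 * A media file can carry the same ID as a page, so an ACL line written for
 * the page "wiki:secret.png" is also found when the raw media ID is passed to
 * auth_aclcheck(). These tests pin the rule that a media file's permission is
 * taken from its namespace path as returned by mediaAclPath(). An exact-ID
 * rule must neither remove nor grant access to the media file.
 */
class auth_mediaaclpath_test extends DokuWikiTest
{
    /** @var mixed content of the global $AUTH_ACL before a test replaced it */
    protected $oldAuthAcl;

    /**
     * Install the mock auth backend and remember the ACL that was active.
     */
    public function setUp(): void
    {
        parent::setUp();
        global $auth;
        global $AUTH_ACL;
        // every ACL test below overwrites $AUTH_ACL; keep the old value for tearDown()
        $this->oldAuthAcl = $AUTH_ACL;
        $auth = new AuthPlugin();
    }

    /**
     * Put the original ACL back so the rules defined here do not leak into
     * tests that run afterwards.
     */
    public function tearDown(): void
    {
        global $AUTH_ACL;
        $AUTH_ACL = $this->oldAuthAcl;
        // NOTE(review): $conf['useacl'] is not restored here; this assumes the
        // base class reloads $conf for each test - confirm in DokuWikiTest.
        parent::tearDown();
    }

    /**
     * Media IDs and the ACL path mediaAclPath() is expected to return.
     *
     * @return array<string, array{0: string, 1: string}>
     */
    public function provideMediaIds(): array
    {
        return [
            // [media id, expected ACL path]
            'nested namespace'   => ['wiki:sub:image.png', 'wiki:sub:*'],
            'single namespace'   => ['wiki:image.png', 'wiki:*'],
            'root namespace'     => ['image.png', '*'],
            'empty id'           => ['', '*'],
            'page-like id'       => ['wiki:secret.png', 'wiki:*'],
        ];
    }

    /**
     * mediaAclPath() replaces the file name with the namespace wildcard.
     *
     * @dataProvider provideMediaIds
     * @param string $id media ID handed to mediaAclPath()
     * @param string $expected ACL path that must come back
     */
    public function test_mediaAclPath_transform($id, $expected): void
    {
        $this->assertSame($expected, mediaAclPath($id));
    }

    /**
     * A page-intended exact-ID rule (e.g. wiki:secret.png as a page) must NOT
     * govern a media file with the same ID. The media file's permission is
     * decided solely by its namespace ACL.
     */
    public function test_mediaAclPath_ignores_exact_id_rule(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['useacl'] = 1;

        $AUTH_ACL = [
            '*                  @ALL    8',  // everyone has upload on root
            'wiki:secret.png    @ALL    0',  // page-intended deny on this exact ID
        ];

        // raw-id check (the old buggy pattern) hits the deny rule
        $this->assertEquals(AUTH_NONE, auth_aclcheck('wiki:secret.png', '', []));

        // the helper produces wiki:*, which the deny rule does not match
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck(mediaAclPath('wiki:secret.png'), '', []));
    }

    /**
     * The reverse direction of the exact-ID case: a page-intended exact-ID
     * allow rule must NOT open a media file that sits in a namespace whose
     * ACL denies access. This is the direction in which a raw-id check would
     * hand out more permission than the namespace ACL grants.
     */
    public function test_mediaAclPath_ignores_exact_id_allow_rule(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['useacl'] = 1;

        $AUTH_ACL = [
            '*                     @ALL    8',  // everyone has upload on root
            'private:*             @ALL    0',  // namespace is closed
            'private:public.png    @ALL    1',  // page-intended read on this exact ID
        ];

        // raw-id check is answered by the exact-ID allow rule
        $this->assertEquals(AUTH_READ, auth_aclcheck('private:public.png', '', []));

        // the helper produces private:*, so the namespace deny decides
        $this->assertEquals(AUTH_NONE, auth_aclcheck(mediaAclPath('private:public.png'), '', []));
    }

    /**
     * Namespace-level ACLs must still apply to media via mediaAclPath().
     */
    public function test_mediaAclPath_applies_namespace_rule(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['useacl'] = 1;

        $AUTH_ACL = [
            '*           @ALL    8',
            'private:*   @ALL    0',
        ];

        $this->assertEquals(AUTH_NONE, auth_aclcheck(mediaAclPath('private:image.png'), '', []));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck(mediaAclPath('public:image.png'), '', []));
    }

    /**
     * Root-namespace media must still resolve against the root ACL rule.
     */
    public function test_mediaAclPath_root_namespace(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['useacl'] = 1;

        $AUTH_ACL = [
            '*  @ALL  8',
        ];

        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck(mediaAclPath('image.png'), '', []));
    }
}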