1<?php
2
3namespace dokuwiki\test\Remote;
4
5use dokuwiki\Remote\AccessDeniedException;
6use dokuwiki\Remote\Api;
7
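/**
 * Tests the authorisation rules of the core.aclCheck remote API call.
 *
 * A regular remote user may only query their own permissions; querying
 * arbitrary users or groups is reserved for the configured superuser.
 * The tests run against the authplain backend, whose user file is backed
 * up in setUp() and restored in tearDown().
 */
class ApiCoreAclCheckTest extends \DokuWikiTest {

    /** Snapshot of $USERINFO taken in setUp(), restored in tearDown(). */
    protected $userinfo;
    /** Snapshot of $AUTH_ACL taken in setUp(), restored in tearDown(). */
    protected $oldAuthAcl;
    /** Previous $_SERVER['REMOTE_USER'] (null when unset); restored in tearDown(). */
    protected $oldRemoteUser;
    /** @var Api */
    protected $remote;

    protected $pluginsEnabled = ['auth_plugin_authplain'];

    /**
     * Replace the global auth object with a fresh authplain instance.
     *
     * authplain caches the data loaded from the user file; recreating the
     * object forces the file to be read again.
     */
    protected function reloadUsers() : void {
        global $auth;

        $auth = new \auth_plugin_authplain();
    }

    /**
     * Back up the user file and the globals the tests modify, then enable
     * the remote API for members of group "user" with ACLs disabled.
     */
    public function setUp() : void {
        global $config_cascade;
        global $conf;
        global $USERINFO;
        global $AUTH_ACL;

        parent::setUp();

        $name = $config_cascade['plainauth.users']['default'];
        copy($name, $name . ".orig");
        $this->reloadUsers();

        $this->oldAuthAcl = $AUTH_ACL;
        $this->userinfo = $USERINFO;
        // REMOTE_USER is the identity the remote API trusts; remember it so a
        // superuser identity set by one test cannot leak into the next one.
        $this->oldRemoteUser = $_SERVER['REMOTE_USER'] ?? null;

        $conf['remote'] = 1;
        $conf['remoteuser'] = '@user';
        $conf['useacl'] = 0;

        $this->remote = new Api();
    }

    /**
     * Restore the globals, the remote identity and the user file.
     */
    public function tearDown() : void {
        global $USERINFO;
        global $AUTH_ACL;
        global $config_cascade;

        parent::tearDown();

        $USERINFO = $this->userinfo;
        $AUTH_ACL = $this->oldAuthAcl;

        if ($this->oldRemoteUser === null) {
            unset($_SERVER['REMOTE_USER']);
        } else {
            $_SERVER['REMOTE_USER'] = $this->oldRemoteUser;
        }

        $name = $config_cascade['plainauth.users']['default'];
        copy($name . ".orig", $name);
    }

    /**
     * A regular (non-admin) user may check their own permissions, both
     * implicitly (no user given) and by naming themselves explicitly.
     */
    public function testCheckaclSelf() : void {
        global $conf;
        global $AUTH_ACL, $USERINFO;

        $conf['useacl'] = 1;
        $_SERVER['REMOTE_USER'] = 'john';
        $USERINFO['grps'] = ['user'];
        $AUTH_ACL = [
            '*                  @ALL           0', //none
            '*                  @user          2', //edit
        ];

        // no user given -> current user is used
        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', ['nice_page']));

        // naming yourself explicitly is allowed too
        $params = [
            'nice_page',
            'john',
            ['user'],
        ];
        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));
    }

    /**
     * Checking another user's permissions is restricted to superusers and must
     * be denied for a regular user, even when the caller supplies the groups.
     */
    public function testCheckaclOtherUserDeniedForNonAdmin() : void {
        global $conf;
        global $AUTH_ACL, $USERINFO;

        $conf['useacl'] = 1;
        $_SERVER['REMOTE_USER'] = 'john';
        $USERINFO['grps'] = ['user'];
        $AUTH_ACL = [
            '*                  @ALL           0', //none
            '*                  @user          2', //edit
        ];

        $this->expectException(AccessDeniedException::class);
        $this->remote->call('core.aclCheck', ['nice_page', 'someoneelse', ['user']]);
    }

    /**
     * A superuser may check the permissions of arbitrary users and groups.
     *
     * When no groups (or an empty list) are passed for an existing user the
     * groups are looked up from the auth backend; for an unknown user only
     * the explicitly supplied groups apply.
     */
    public function testCheckaclOtherUsersAsAdmin() : void {
        global $conf;
        global $AUTH_ACL, $USERINFO;
        /** @var \auth_plugin_authplain $auth */
        global $auth;

        $conf['useacl'] = 1;
        $_SERVER['REMOTE_USER'] = 'testuser'; // configured superuser, see _test/conf/local.php
        $USERINFO['grps'] = ['user'];
        $AUTH_ACL = [
            '*                  @ALL           0', //none
            '*                  @user          2', //edit
            '*                  @more          4', //create
            'nice_page          user2          8', //upload
        ];

        $auth->createUser("user1", "54321", "a User", "you@example.com");
        $auth->createUser("user2", "543210", "You", "he@example.com");
        $auth->createUser("mwuser", "12345", "Wiki User", "me@example.com", ['more']); //not in default group

        // existing user in the default group
        $params = [
            'nice_page',
            'user1',
        ];
        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));

        // member of group 'more' (automatically retrieved)
        $params = [
            'nice_page',
            'mwuser',
        ];
        $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params));

        // an empty group list also triggers the lookup
        $params = [
            'nice_page',
            'mwuser',
            [],
        ];
        $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params));

        // unknown user: only the supplied groups count
        $params = [
            'nice_page',
            'notexistinguser',
            ['more'],
        ];
        $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params));

        // user-specific ACL line (groups automatically retrieved)
        $params = [
            'nice_page',
            'user2',
        ];
        $this->assertEquals(AUTH_UPLOAD, $this->remote->call('core.aclCheck', $params));

        $params = [
            'nice_page',
            'user2',
            [],
        ];
        $this->assertEquals(AUTH_UPLOAD, $this->remote->call('core.aclCheck', $params));

        // the user-specific line applies to nice_page only; elsewhere the group rule wins
        $params = [
            'unknown_page',
            'user2',
        ];
        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));

        $params = [
            'unknown_page',
            'user2',
            [],
        ];
        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));

        // the superuser itself always gets AUTH_ADMIN
        $params = [
            'nice_page',
            'testuser', // superuser set via conf
        ];
        $this->assertEquals(AUTH_ADMIN, $this->remote->call('core.aclCheck', $params));
    }

}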
198