xref: /dokuwiki/_test/tests/Remote/ApiCoreAclCheckTest.php (revision 884caed926ca0aa0af6ce3f34ae3aa7317a3361a)
1285c73a1SAndreas Gohr<?php
2285c73a1SAndreas Gohr
3285c73a1SAndreas Gohrnamespace dokuwiki\test\Remote;
4285c73a1SAndreas Gohr
5*884caed9SAndreas Gohruse dokuwiki\Remote\AccessDeniedException;
6285c73a1SAndreas Gohruse dokuwiki\Remote\Api;
7285c73a1SAndreas Gohr
8285c73a1SAndreas Gohr/**
9285c73a1SAndreas Gohr * Class remoteapicore_test
10285c73a1SAndreas Gohr */
11285c73a1SAndreas Gohrclass ApiCoreAclCheckTest extends \DokuWikiTest {
12285c73a1SAndreas Gohr
13285c73a1SAndreas Gohr    protected $userinfo;
14285c73a1SAndreas Gohr    protected $oldAuthAcl;
15285c73a1SAndreas Gohr    /** @var  Api */
16285c73a1SAndreas Gohr    protected $remote;
17285c73a1SAndreas Gohr
18285c73a1SAndreas Gohr    protected $pluginsEnabled = array('auth_plugin_authplain');
19285c73a1SAndreas Gohr
20285c73a1SAndreas Gohr    protected function reloadUsers() {
21285c73a1SAndreas Gohr        global $auth;
22285c73a1SAndreas Gohr
23285c73a1SAndreas Gohr        /* auth caches data loaded from file, but recreated object forces reload */
24285c73a1SAndreas Gohr        $auth = new \auth_plugin_authplain();
25285c73a1SAndreas Gohr    }
26285c73a1SAndreas Gohr
27285c73a1SAndreas Gohr    public function setUp() : void {
28285c73a1SAndreas Gohr        global $config_cascade;
29285c73a1SAndreas Gohr        global $conf;
30285c73a1SAndreas Gohr        global $USERINFO;
31285c73a1SAndreas Gohr        global $AUTH_ACL;
32285c73a1SAndreas Gohr
33285c73a1SAndreas Gohr        parent::setUp();
34285c73a1SAndreas Gohr
35285c73a1SAndreas Gohr        $name = $config_cascade['plainauth.users']['default'];
36285c73a1SAndreas Gohr        copy($name, $name . ".orig");
37285c73a1SAndreas Gohr        $this->reloadUsers();
38285c73a1SAndreas Gohr
39285c73a1SAndreas Gohr        $this->oldAuthAcl = $AUTH_ACL;
40285c73a1SAndreas Gohr        $this->userinfo = $USERINFO;
41285c73a1SAndreas Gohr
42285c73a1SAndreas Gohr        $conf['remote'] = 1;
43285c73a1SAndreas Gohr        $conf['remoteuser'] = '@user';
44285c73a1SAndreas Gohr        $conf['useacl'] = 0;
45285c73a1SAndreas Gohr
46285c73a1SAndreas Gohr        $this->remote = new Api();
47285c73a1SAndreas Gohr
48285c73a1SAndreas Gohr    }
49285c73a1SAndreas Gohr
50285c73a1SAndreas Gohr    public function tearDown() : void {
51285c73a1SAndreas Gohr        global $USERINFO;
52285c73a1SAndreas Gohr        global $AUTH_ACL;
53285c73a1SAndreas Gohr        global $config_cascade;
54285c73a1SAndreas Gohr
55285c73a1SAndreas Gohr        parent::tearDown();
56285c73a1SAndreas Gohr
57285c73a1SAndreas Gohr        $USERINFO = $this->userinfo;
58285c73a1SAndreas Gohr        $AUTH_ACL = $this->oldAuthAcl;
59285c73a1SAndreas Gohr
60285c73a1SAndreas Gohr        $name = $config_cascade['plainauth.users']['default'];
61285c73a1SAndreas Gohr        copy($name . ".orig", $name);
62285c73a1SAndreas Gohr    }
63285c73a1SAndreas Gohr
64*884caed9SAndreas Gohr    /**
65*884caed9SAndreas Gohr     * A regular (non-admin) user may check their own permissions.
66*884caed9SAndreas Gohr     */
67*884caed9SAndreas Gohr    public function testCheckaclSelf() {
68285c73a1SAndreas Gohr        global $conf;
69285c73a1SAndreas Gohr        global $AUTH_ACL, $USERINFO;
70285c73a1SAndreas Gohr
71285c73a1SAndreas Gohr        $conf['useacl'] = 1;
72285c73a1SAndreas Gohr        $_SERVER['REMOTE_USER'] = 'john';
73285c73a1SAndreas Gohr        $USERINFO['grps'] = ['user'];
74285c73a1SAndreas Gohr        $AUTH_ACL = [
75285c73a1SAndreas Gohr            '*                  @ALL           0', //none
76285c73a1SAndreas Gohr            '*                  @user          2', //edit
77*884caed9SAndreas Gohr        ];
78*884caed9SAndreas Gohr
79*884caed9SAndreas Gohr        // no user given -> current user is used
80*884caed9SAndreas Gohr        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', ['nice_page']));
81*884caed9SAndreas Gohr
82*884caed9SAndreas Gohr        // naming yourself explicitly is allowed too
83*884caed9SAndreas Gohr        $params = [
84*884caed9SAndreas Gohr            'nice_page',
85*884caed9SAndreas Gohr            'john',
86*884caed9SAndreas Gohr            ['user']
87*884caed9SAndreas Gohr        ];
88*884caed9SAndreas Gohr        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));
89*884caed9SAndreas Gohr    }
90*884caed9SAndreas Gohr
91*884caed9SAndreas Gohr    /**
92*884caed9SAndreas Gohr     * Checking another user's permissions is restricted to superusers and must
93*884caed9SAndreas Gohr     * be denied for a regular user.
94*884caed9SAndreas Gohr     */
95*884caed9SAndreas Gohr    public function testCheckaclOtherUserDeniedForNonAdmin() {
96*884caed9SAndreas Gohr        global $conf;
97*884caed9SAndreas Gohr        global $AUTH_ACL, $USERINFO;
98*884caed9SAndreas Gohr
99*884caed9SAndreas Gohr        $conf['useacl'] = 1;
100*884caed9SAndreas Gohr        $_SERVER['REMOTE_USER'] = 'john';
101*884caed9SAndreas Gohr        $USERINFO['grps'] = ['user'];
102*884caed9SAndreas Gohr        $AUTH_ACL = [
103*884caed9SAndreas Gohr            '*                  @ALL           0', //none
104*884caed9SAndreas Gohr            '*                  @user          2', //edit
105*884caed9SAndreas Gohr        ];
106*884caed9SAndreas Gohr
107*884caed9SAndreas Gohr        $this->expectException(AccessDeniedException::class);
108*884caed9SAndreas Gohr        $this->remote->call('core.aclCheck', ['nice_page', 'someoneelse', ['user']]);
109*884caed9SAndreas Gohr    }
110*884caed9SAndreas Gohr
111*884caed9SAndreas Gohr    /**
112*884caed9SAndreas Gohr     * A superuser may check the permissions of arbitrary users and groups.
113*884caed9SAndreas Gohr     */
114*884caed9SAndreas Gohr    public function testCheckaclOtherUsersAsAdmin() {
115*884caed9SAndreas Gohr        global $conf;
116*884caed9SAndreas Gohr        global $AUTH_ACL, $USERINFO;
117*884caed9SAndreas Gohr        /** @var auth_plugin_authplain $auth */
118*884caed9SAndreas Gohr        global $auth;
119*884caed9SAndreas Gohr
120*884caed9SAndreas Gohr        $conf['useacl'] = 1;
121*884caed9SAndreas Gohr        $_SERVER['REMOTE_USER'] = 'testuser'; // configured superuser, see _test/conf/local.php
122*884caed9SAndreas Gohr        $USERINFO['grps'] = ['user'];
123*884caed9SAndreas Gohr        $AUTH_ACL = [
124*884caed9SAndreas Gohr            '*                  @ALL           0', //none
125*884caed9SAndreas Gohr            '*                  @user          2', //edit
126285c73a1SAndreas Gohr            '*                  @more          4', //create
127285c73a1SAndreas Gohr            'nice_page          user2          8'  //upload
128285c73a1SAndreas Gohr        ];
129285c73a1SAndreas Gohr
130285c73a1SAndreas Gohr        $auth->createUser("user1", "54321", "a User", "you@example.com");
131285c73a1SAndreas Gohr        $auth->createUser("user2", "543210", "You", "he@example.com");
132285c73a1SAndreas Gohr        $auth->createUser("mwuser", "12345", "Wiki User", "me@example.com", ['more']); //not in default group
133285c73a1SAndreas Gohr
134285c73a1SAndreas Gohr        $params = [
135285c73a1SAndreas Gohr            'nice_page',
136285c73a1SAndreas Gohr            'user1'
137285c73a1SAndreas Gohr        ];
1386e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));
139285c73a1SAndreas Gohr
140285c73a1SAndreas Gohr        $params = [
141285c73a1SAndreas Gohr            'nice_page',
142285c73a1SAndreas Gohr            'mwuser',
1436e1ddc64SAndreas Gohr            // member of group 'more' (automatically retrieved)
144285c73a1SAndreas Gohr        ];
1456e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params));
1466e1ddc64SAndreas Gohr
1476e1ddc64SAndreas Gohr        $params = [
1486e1ddc64SAndreas Gohr            'nice_page',
1496e1ddc64SAndreas Gohr            'mwuser',
1506e1ddc64SAndreas Gohr            [] // member of group 'more' (automatically retrieved)
1516e1ddc64SAndreas Gohr        ];
1526e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params));
153285c73a1SAndreas Gohr
154285c73a1SAndreas Gohr        $params = [
155285c73a1SAndreas Gohr            'nice_page',
156285c73a1SAndreas Gohr            'notexistinguser',
157285c73a1SAndreas Gohr            ['more']
158285c73a1SAndreas Gohr        ];
1596e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params));
160285c73a1SAndreas Gohr
161285c73a1SAndreas Gohr        $params = [
162285c73a1SAndreas Gohr            'nice_page',
163285c73a1SAndreas Gohr            'user2',
1646e1ddc64SAndreas Gohr            // (automatically retrieved)
165285c73a1SAndreas Gohr        ];
1666e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_UPLOAD, $this->remote->call('core.aclCheck', $params));
167285c73a1SAndreas Gohr
168285c73a1SAndreas Gohr        $params = [
1696e1ddc64SAndreas Gohr            'nice_page',
1706e1ddc64SAndreas Gohr            'user2',
1716e1ddc64SAndreas Gohr            [] // (automatically retrieved)
172285c73a1SAndreas Gohr        ];
1736e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_UPLOAD, $this->remote->call('core.aclCheck', $params));
174285c73a1SAndreas Gohr
175285c73a1SAndreas Gohr        $params = [
176285c73a1SAndreas Gohr            'unknown_page',
177285c73a1SAndreas Gohr            'user2',
1786e1ddc64SAndreas Gohr            // (automatically retrieved)
179285c73a1SAndreas Gohr        ];
1806e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));
1816e1ddc64SAndreas Gohr
1826e1ddc64SAndreas Gohr        $params = [
1836e1ddc64SAndreas Gohr            'unknown_page',
1846e1ddc64SAndreas Gohr            'user2',
1856e1ddc64SAndreas Gohr            [] // (automatically retrieved)
1866e1ddc64SAndreas Gohr        ];
1876e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params));
188285c73a1SAndreas Gohr
189285c73a1SAndreas Gohr        $params = array(
190285c73a1SAndreas Gohr            'nice_page',
1916e1ddc64SAndreas Gohr            'testuser', // superuser set via conf
1926e1ddc64SAndreas Gohr            // (automatically retrieved)
193285c73a1SAndreas Gohr        );
1946e1ddc64SAndreas Gohr        $this->assertEquals(AUTH_ADMIN, $this->remote->call('core.aclCheck', $params));
195285c73a1SAndreas Gohr    }
196285c73a1SAndreas Gohr
197285c73a1SAndreas Gohr}
198