1285c73a1SAndreas Gohr<?php 2285c73a1SAndreas Gohr 3285c73a1SAndreas Gohrnamespace dokuwiki\test\Remote; 4285c73a1SAndreas Gohr 5*884caed9SAndreas Gohruse dokuwiki\Remote\AccessDeniedException; 6285c73a1SAndreas Gohruse dokuwiki\Remote\Api; 7285c73a1SAndreas Gohr 8285c73a1SAndreas Gohr/** 9285c73a1SAndreas Gohr * Class remoteapicore_test 10285c73a1SAndreas Gohr */ 11285c73a1SAndreas Gohrclass ApiCoreAclCheckTest extends \DokuWikiTest { 12285c73a1SAndreas Gohr 13285c73a1SAndreas Gohr protected $userinfo; 14285c73a1SAndreas Gohr protected $oldAuthAcl; 15285c73a1SAndreas Gohr /** @var Api */ 16285c73a1SAndreas Gohr protected $remote; 17285c73a1SAndreas Gohr 18285c73a1SAndreas Gohr protected $pluginsEnabled = array('auth_plugin_authplain'); 19285c73a1SAndreas Gohr 20285c73a1SAndreas Gohr protected function reloadUsers() { 21285c73a1SAndreas Gohr global $auth; 22285c73a1SAndreas Gohr 23285c73a1SAndreas Gohr /* auth caches data loaded from file, but recreated object forces reload */ 24285c73a1SAndreas Gohr $auth = new \auth_plugin_authplain(); 25285c73a1SAndreas Gohr } 26285c73a1SAndreas Gohr 27285c73a1SAndreas Gohr public function setUp() : void { 28285c73a1SAndreas Gohr global $config_cascade; 29285c73a1SAndreas Gohr global $conf; 30285c73a1SAndreas Gohr global $USERINFO; 31285c73a1SAndreas Gohr global $AUTH_ACL; 32285c73a1SAndreas Gohr 33285c73a1SAndreas Gohr parent::setUp(); 34285c73a1SAndreas Gohr 35285c73a1SAndreas Gohr $name = $config_cascade['plainauth.users']['default']; 36285c73a1SAndreas Gohr copy($name, $name . ".orig"); 37285c73a1SAndreas Gohr $this->reloadUsers(); 38285c73a1SAndreas Gohr 39285c73a1SAndreas Gohr $this->oldAuthAcl = $AUTH_ACL; 40285c73a1SAndreas Gohr $this->userinfo = $USERINFO; 41285c73a1SAndreas Gohr 42285c73a1SAndreas Gohr $conf['remote'] = 1; 43285c73a1SAndreas Gohr $conf['remoteuser'] = '@user'; 44285c73a1SAndreas Gohr $conf['useacl'] = 0; 45285c73a1SAndreas Gohr 46285c73a1SAndreas Gohr $this->remote = new Api(); 47285c73a1SAndreas Gohr 48285c73a1SAndreas Gohr } 49285c73a1SAndreas Gohr 50285c73a1SAndreas Gohr public function tearDown() : void { 51285c73a1SAndreas Gohr global $USERINFO; 52285c73a1SAndreas Gohr global $AUTH_ACL; 53285c73a1SAndreas Gohr global $config_cascade; 54285c73a1SAndreas Gohr 55285c73a1SAndreas Gohr parent::tearDown(); 56285c73a1SAndreas Gohr 57285c73a1SAndreas Gohr $USERINFO = $this->userinfo; 58285c73a1SAndreas Gohr $AUTH_ACL = $this->oldAuthAcl; 59285c73a1SAndreas Gohr 60285c73a1SAndreas Gohr $name = $config_cascade['plainauth.users']['default']; 61285c73a1SAndreas Gohr copy($name . ".orig", $name); 62285c73a1SAndreas Gohr } 63285c73a1SAndreas Gohr 64*884caed9SAndreas Gohr /** 65*884caed9SAndreas Gohr * A regular (non-admin) user may check their own permissions. 66*884caed9SAndreas Gohr */ 67*884caed9SAndreas Gohr public function testCheckaclSelf() { 68285c73a1SAndreas Gohr global $conf; 69285c73a1SAndreas Gohr global $AUTH_ACL, $USERINFO; 70285c73a1SAndreas Gohr 71285c73a1SAndreas Gohr $conf['useacl'] = 1; 72285c73a1SAndreas Gohr $_SERVER['REMOTE_USER'] = 'john'; 73285c73a1SAndreas Gohr $USERINFO['grps'] = ['user']; 74285c73a1SAndreas Gohr $AUTH_ACL = [ 75285c73a1SAndreas Gohr '* @ALL 0', //none 76285c73a1SAndreas Gohr '* @user 2', //edit 77*884caed9SAndreas Gohr ]; 78*884caed9SAndreas Gohr 79*884caed9SAndreas Gohr // no user given -> current user is used 80*884caed9SAndreas Gohr $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', ['nice_page'])); 81*884caed9SAndreas Gohr 82*884caed9SAndreas Gohr // naming yourself explicitly is allowed too 83*884caed9SAndreas Gohr $params = [ 84*884caed9SAndreas Gohr 'nice_page', 85*884caed9SAndreas Gohr 'john', 86*884caed9SAndreas Gohr ['user'] 87*884caed9SAndreas Gohr ]; 88*884caed9SAndreas Gohr $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params)); 89*884caed9SAndreas Gohr } 90*884caed9SAndreas Gohr 91*884caed9SAndreas Gohr /** 92*884caed9SAndreas Gohr * Checking another user's permissions is restricted to superusers and must 93*884caed9SAndreas Gohr * be denied for a regular user. 94*884caed9SAndreas Gohr */ 95*884caed9SAndreas Gohr public function testCheckaclOtherUserDeniedForNonAdmin() { 96*884caed9SAndreas Gohr global $conf; 97*884caed9SAndreas Gohr global $AUTH_ACL, $USERINFO; 98*884caed9SAndreas Gohr 99*884caed9SAndreas Gohr $conf['useacl'] = 1; 100*884caed9SAndreas Gohr $_SERVER['REMOTE_USER'] = 'john'; 101*884caed9SAndreas Gohr $USERINFO['grps'] = ['user']; 102*884caed9SAndreas Gohr $AUTH_ACL = [ 103*884caed9SAndreas Gohr '* @ALL 0', //none 104*884caed9SAndreas Gohr '* @user 2', //edit 105*884caed9SAndreas Gohr ]; 106*884caed9SAndreas Gohr 107*884caed9SAndreas Gohr $this->expectException(AccessDeniedException::class); 108*884caed9SAndreas Gohr $this->remote->call('core.aclCheck', ['nice_page', 'someoneelse', ['user']]); 109*884caed9SAndreas Gohr } 110*884caed9SAndreas Gohr 111*884caed9SAndreas Gohr /** 112*884caed9SAndreas Gohr * A superuser may check the permissions of arbitrary users and groups. 113*884caed9SAndreas Gohr */ 114*884caed9SAndreas Gohr public function testCheckaclOtherUsersAsAdmin() { 115*884caed9SAndreas Gohr global $conf; 116*884caed9SAndreas Gohr global $AUTH_ACL, $USERINFO; 117*884caed9SAndreas Gohr /** @var auth_plugin_authplain $auth */ 118*884caed9SAndreas Gohr global $auth; 119*884caed9SAndreas Gohr 120*884caed9SAndreas Gohr $conf['useacl'] = 1; 121*884caed9SAndreas Gohr $_SERVER['REMOTE_USER'] = 'testuser'; // configured superuser, see _test/conf/local.php 122*884caed9SAndreas Gohr $USERINFO['grps'] = ['user']; 123*884caed9SAndreas Gohr $AUTH_ACL = [ 124*884caed9SAndreas Gohr '* @ALL 0', //none 125*884caed9SAndreas Gohr '* @user 2', //edit 126285c73a1SAndreas Gohr '* @more 4', //create 127285c73a1SAndreas Gohr 'nice_page user2 8' //upload 128285c73a1SAndreas Gohr ]; 129285c73a1SAndreas Gohr 130285c73a1SAndreas Gohr $auth->createUser("user1", "54321", "a User", "you@example.com"); 131285c73a1SAndreas Gohr $auth->createUser("user2", "543210", "You", "he@example.com"); 132285c73a1SAndreas Gohr $auth->createUser("mwuser", "12345", "Wiki User", "me@example.com", ['more']); //not in default group 133285c73a1SAndreas Gohr 134285c73a1SAndreas Gohr $params = [ 135285c73a1SAndreas Gohr 'nice_page', 136285c73a1SAndreas Gohr 'user1' 137285c73a1SAndreas Gohr ]; 1386e1ddc64SAndreas Gohr $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params)); 139285c73a1SAndreas Gohr 140285c73a1SAndreas Gohr $params = [ 141285c73a1SAndreas Gohr 'nice_page', 142285c73a1SAndreas Gohr 'mwuser', 1436e1ddc64SAndreas Gohr // member of group 'more' (automatically retrieved) 144285c73a1SAndreas Gohr ]; 1456e1ddc64SAndreas Gohr $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params)); 1466e1ddc64SAndreas Gohr 1476e1ddc64SAndreas Gohr $params = [ 1486e1ddc64SAndreas Gohr 'nice_page', 1496e1ddc64SAndreas Gohr 'mwuser', 1506e1ddc64SAndreas Gohr [] // member of group 'more' (automatically retrieved) 1516e1ddc64SAndreas Gohr ]; 1526e1ddc64SAndreas Gohr $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params)); 153285c73a1SAndreas Gohr 154285c73a1SAndreas Gohr $params = [ 155285c73a1SAndreas Gohr 'nice_page', 156285c73a1SAndreas Gohr 'notexistinguser', 157285c73a1SAndreas Gohr ['more'] 158285c73a1SAndreas Gohr ]; 1596e1ddc64SAndreas Gohr $this->assertEquals(AUTH_CREATE, $this->remote->call('core.aclCheck', $params)); 160285c73a1SAndreas Gohr 161285c73a1SAndreas Gohr $params = [ 162285c73a1SAndreas Gohr 'nice_page', 163285c73a1SAndreas Gohr 'user2', 1646e1ddc64SAndreas Gohr // (automatically retrieved) 165285c73a1SAndreas Gohr ]; 1666e1ddc64SAndreas Gohr $this->assertEquals(AUTH_UPLOAD, $this->remote->call('core.aclCheck', $params)); 167285c73a1SAndreas Gohr 168285c73a1SAndreas Gohr $params = [ 1696e1ddc64SAndreas Gohr 'nice_page', 1706e1ddc64SAndreas Gohr 'user2', 1716e1ddc64SAndreas Gohr [] // (automatically retrieved) 172285c73a1SAndreas Gohr ]; 1736e1ddc64SAndreas Gohr $this->assertEquals(AUTH_UPLOAD, $this->remote->call('core.aclCheck', $params)); 174285c73a1SAndreas Gohr 175285c73a1SAndreas Gohr $params = [ 176285c73a1SAndreas Gohr 'unknown_page', 177285c73a1SAndreas Gohr 'user2', 1786e1ddc64SAndreas Gohr // (automatically retrieved) 179285c73a1SAndreas Gohr ]; 1806e1ddc64SAndreas Gohr $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params)); 1816e1ddc64SAndreas Gohr 1826e1ddc64SAndreas Gohr $params = [ 1836e1ddc64SAndreas Gohr 'unknown_page', 1846e1ddc64SAndreas Gohr 'user2', 1856e1ddc64SAndreas Gohr [] // (automatically retrieved) 1866e1ddc64SAndreas Gohr ]; 1876e1ddc64SAndreas Gohr $this->assertEquals(AUTH_EDIT, $this->remote->call('core.aclCheck', $params)); 188285c73a1SAndreas Gohr 189285c73a1SAndreas Gohr $params = array( 190285c73a1SAndreas Gohr 'nice_page', 1916e1ddc64SAndreas Gohr 'testuser', // superuser set via conf 1926e1ddc64SAndreas Gohr // (automatically retrieved) 193285c73a1SAndreas Gohr ); 1946e1ddc64SAndreas Gohr $this->assertEquals(AUTH_ADMIN, $this->remote->call('core.aclCheck', $params)); 195285c73a1SAndreas Gohr } 196285c73a1SAndreas Gohr 197285c73a1SAndreas Gohr} 198