1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-29 23:22:34 +01:00

Fixed test class names + add perm. check to api session auth

This commit is contained in:
Dan Brown 2020-01-01 17:01:36 +00:00
parent a7a97a53f1
commit a8595d8aaf
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 31 additions and 2 deletions

View File

@ -2,6 +2,7 @@
namespace BookStack\Http\Middleware;
use BookStack\Exceptions\ApiAuthException;
use BookStack\Exceptions\UnauthorizedException;
use Closure;
use Illuminate\Http\Request;
@ -36,6 +37,9 @@ class ApiAuthenticate
// This is to make it easy to browser the API via browser after just logging into the system.
if (signedInUser()) {
$this->ensureEmailConfirmedIfRequested();
if (!auth()->user()->can('access-api')) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
}
return;
}

View File

@ -3,6 +3,7 @@
namespace Tests;
use BookStack\Auth\Permissions\RolePermission;
use BookStack\Auth\User;
use Carbon\Carbon;
class ApiAuthTest extends TestCase
@ -14,6 +15,8 @@ class ApiAuthTest extends TestCase
public function test_requests_succeed_with_default_auth()
{
$viewer = $this->getViewer();
$this->giveUserPermissions($viewer, ['access-api']);
$resp = $this->get($this->endpoint);
$resp->assertStatus(401);
@ -62,6 +65,28 @@ class ApiAuthTest extends TestCase
$editorRole->detachPermission($accessApiPermission);
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(403);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
public function test_api_access_permission_required_to_access_api_with_session_auth()
{
$editor = $this->getEditor();
$this->actingAs($editor, 'web');
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
auth('web')->logout();
$accessApiPermission = RolePermission::getByName('access-api');
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
$editor = User::query()->where('id', '=', $editor->id)->first();
$this->actingAs($editor, 'web');
$resp = $this->get($this->endpoint);
$resp->assertStatus(403);
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}

View File

@ -5,7 +5,7 @@ namespace Tests;
use BookStack\Auth\Permissions\RolePermission;
use Carbon\Carbon;
class ApiAuthTest extends TestCase
class ApiConfigTest extends TestCase
{
use TestsApi;

View File

@ -6,7 +6,7 @@ use BookStack\Auth\Permissions\RolePermission;
use BookStack\Entities\Book;
use Carbon\Carbon;
class ApiAuthTest extends TestCase
class ApiListingTest extends TestCase
{
use TestsApi;