BookStack Code Mirror - bookstack/blob - tests/User/RoleManagementTest.php

   1 <?php
   2
   3 namespace Tests\User;
   4
   5 use BookStack\Activity\ActivityType;
   6 use BookStack\Users\Models\Role;
   7 use BookStack\Users\Models\User;
   8 use Tests\TestCase;
   9
  10 class RoleManagementTest extends TestCase
  11 {
  12     public function test_cannot_delete_admin_role()
  13     {
  14         $adminRole = Role::getRole('admin');
  15         $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;
  16
  17         $this->asAdmin()->get($deletePageUrl);
  18         $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);
  19         $this->get($deletePageUrl)->assertSee('cannot be deleted');
  20     }
  21
  22     public function test_role_cannot_be_deleted_if_default()
  23     {
  24         $newRole = $this->users->createRole();
  25         $this->setSettings(['registration-role' => $newRole->id]);
  26
  27         $deletePageUrl = '/settings/roles/delete/' . $newRole->id;
  28         $this->asAdmin()->get($deletePageUrl);
  29         $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);
  30         $this->get($deletePageUrl)->assertSee('cannot be deleted');
  31     }
  32
  33     public function test_role_create_update_delete_flow()
  34     {
  35         $testRoleName = 'Test Role';
  36         $testRoleDesc = 'a little test description';
  37         $testRoleUpdateName = 'An Super Updated role';
  38
  39         // Creation
  40         $resp = $this->asAdmin()->get('/settings/features');
  41         $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles') . '"]', 'Roles');
  42
  43         $resp = $this->get('/settings/roles');
  44         $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles/new') . '"]', 'Create New Role');
  45
  46         $resp = $this->get('/settings/roles/new');
  47         $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/new') . '"]', 'Save Role');
  48
  49         $resp = $this->post('/settings/roles/new', [
  50             'display_name' => $testRoleName,
  51             'description'  => $testRoleDesc,
  52         ]);
  53         $resp->assertRedirect('/settings/roles');
  54
  55         $resp = $this->get('/settings/roles');
  56         $resp->assertSee($testRoleName);
  57         $resp->assertSee($testRoleDesc);
  58         $this->assertDatabaseHas('roles', [
  59             'display_name' => $testRoleName,
  60             'description'  => $testRoleDesc,
  61             'mfa_enforced' => false,
  62         ]);
  63
  64         /** @var Role $role */
  65         $role = Role::query()->where('display_name', '=', $testRoleName)->first();
  66
  67         // Updating
  68         $resp = $this->get('/settings/roles/' . $role->id);
  69         $resp->assertSee($testRoleName);
  70         $resp->assertSee($testRoleDesc);
  71         $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/' . $role->id) . '"]', 'Save Role');
  72
  73         $resp = $this->put('/settings/roles/' . $role->id, [
  74             'display_name' => $testRoleUpdateName,
  75             'description'  => $testRoleDesc,
  76             'mfa_enforced' => 'true',
  77         ]);
  78         $resp->assertRedirect('/settings/roles');
  79         $this->assertDatabaseHas('roles', [
  80             'display_name' => $testRoleUpdateName,
  81             'description'  => $testRoleDesc,
  82             'mfa_enforced' => true,
  83         ]);
  84
  85         // Deleting
  86         $resp = $this->get('/settings/roles/' . $role->id);
  87         $this->withHtml($resp)->assertElementContains('a[href="' . url("/settings/roles/delete/$role->id") . '"]', 'Delete Role');
  88
  89         $resp = $this->get("/settings/roles/delete/$role->id");
  90         $resp->assertSee($testRoleUpdateName);
  91         $this->withHtml($resp)->assertElementContains('form[action="' . url("/settings/roles/delete/$role->id") . '"]', 'Confirm');
  92
  93         $resp = $this->delete("/settings/roles/delete/$role->id");
  94         $resp->assertRedirect('/settings/roles');
  95         $this->get('/settings/roles')->assertSee('Role successfully deleted');
  96         $this->assertActivityExists(ActivityType::ROLE_DELETE);
  97     }
  98
  99     public function test_role_external_auth_id_validation()
 100     {
 101         config()->set('auth.method', 'oidc');
 102         $role = Role::query()->first();
 103         $routeByMethod = [
 104             'post' => '/settings/roles/new',
 105             'put' => "/settings/roles/{$role->id}",
 106         ];
 107
 108         foreach ($routeByMethod as $method => $route) {
 109             $resp = $this->asAdmin()->get($route);
 110             $resp->assertDontSee('The external auth id');
 111
 112             $resp = $this->asAdmin()->call($method, $route, [
 113                 'display_name' => 'Test role for auth id validation',
 114                 'description'  => '',
 115                 'external_auth_id' => str_repeat('a', 181),
 116             ]);
 117
 118             $resp->assertRedirect($route);
 119             $resp = $this->followRedirects($resp);
 120             $resp->assertSee('The external auth id may not be greater than 180 characters.');
 121         }
 122     }
 123
 124     public function test_admin_role_cannot_be_removed_if_user_last_admin()
 125     {
 126         /** @var Role $adminRole */
 127         $adminRole = Role::query()->where('system_name', '=', 'admin')->first();
 128         $adminUser = $this->users->admin();
 129         $adminRole->users()->where('id', '!=', $adminUser->id)->delete();
 130         $this->assertEquals(1, $adminRole->users()->count());
 131
 132         $viewerRole = $this->users->viewer()->roles()->first();
 133
 134         $editUrl = '/settings/users/' . $adminUser->id;
 135         $resp = $this->actingAs($adminUser)->put($editUrl, [
 136             'name'  => $adminUser->name,
 137             'email' => $adminUser->email,
 138             'roles' => [
 139                 'viewer' => strval($viewerRole->id),
 140             ],
 141         ]);
 142
 143         $resp->assertRedirect($editUrl);
 144
 145         $resp = $this->get($editUrl);
 146         $resp->assertSee('This user is the only user assigned to the administrator role');
 147     }
 148
 149     public function test_migrate_users_on_delete_works()
 150     {
 151         $roleA = $this->users->createRole();
 152         $roleB = $this->users->createRole();
 153         $user = $this->users->viewer();
 154         $user->attachRole($roleB);
 155
 156         $this->assertCount(0, $roleA->users()->get());
 157         $this->assertCount(1, $roleB->users()->get());
 158
 159         $deletePage = $this->asAdmin()->get("/settings/roles/delete/$roleB->id");
 160         $this->withHtml($deletePage)->assertElementExists('select[name=migrate_role_id]');
 161         $this->asAdmin()->delete("/settings/roles/delete/$roleB->id", [
 162             'migrate_role_id' => $roleA->id,
 163         ]);
 164
 165         $this->assertCount(1, $roleA->users()->get());
 166         $this->assertEquals($user->id, $roleA->users()->first()->id);
 167     }
 168
 169     public function test_delete_with_empty_migrate_option_works()
 170     {
 171         $role = $this->users->attachNewRole($this->users->viewer());
 172
 173         $this->assertCount(1, $role->users()->get());
 174
 175         $deletePage = $this->asAdmin()->get("/settings/roles/delete/$role->id");
 176         $this->withHtml($deletePage)->assertElementExists('select[name=migrate_role_id]');
 177         $resp = $this->asAdmin()->delete("/settings/roles/delete/$role->id", [
 178             'migrate_role_id' => '',
 179         ]);
 180
 181         $resp->assertRedirect('/settings/roles');
 182         $this->assertDatabaseMissing('roles', ['id' => $role->id]);
 183     }
 184
 185     public function test_entity_permissions_are_removed_on_delete()
 186     {
 187         /** @var Role $roleA */
 188         $roleA = Role::query()->create(['display_name' => 'Entity Permissions Delete Test']);
 189         $page = $this->entities->page();
 190
 191         $this->permissions->setEntityPermissions($page, ['view'], [$roleA]);
 192
 193         $this->assertDatabaseHas('entity_permissions', [
 194             'role_id' => $roleA->id,
 195             'entity_id' => $page->id,
 196             'entity_type' => $page->getMorphClass(),
 197         ]);
 198
 199         $this->asAdmin()->delete("/settings/roles/delete/$roleA->id");
 200
 201         $this->assertDatabaseMissing('entity_permissions', [
 202             'role_id' => $roleA->id,
 203             'entity_id' => $page->id,
 204             'entity_type' => $page->getMorphClass(),
 205         ]);
 206     }
 207
 208     public function test_image_view_notice_shown_on_role_form()
 209     {
 210         /** @var Role $role */
 211         $role = Role::query()->first();
 212         $this->asAdmin()->get("/settings/roles/{$role->id}")
 213             ->assertSee('Actual access of uploaded image files will be dependant upon system image storage option');
 214     }
 215
 216     public function test_copy_role_button_shown()
 217     {
 218         /** @var Role $role */
 219         $role = Role::query()->first();
 220         $resp = $this->asAdmin()->get("/settings/roles/{$role->id}");
 221         $this->withHtml($resp)->assertElementContains('a[href$="/roles/new?copy_from=' . $role->id . '"]', 'Copy');
 222     }
 223
 224     public function test_copy_from_param_on_create_prefills_with_other_role_data()
 225     {
 226         /** @var Role $role */
 227         $role = Role::query()->first();
 228         $resp = $this->asAdmin()->get("/settings/roles/new?copy_from={$role->id}");
 229         $resp->assertOk();
 230         $this->withHtml($resp)->assertElementExists('input[name="display_name"][value="' . ($role->display_name . ' (Copy)') . '"]');
 231     }
 232
 233     public function test_public_role_visible_in_user_edit_screen()
 234     {
 235         /** @var User $user */
 236         $user = User::query()->first();
 237         $adminRole = Role::getSystemRole('admin');
 238         $publicRole = Role::getSystemRole('public');
 239         $resp = $this->asAdmin()->get('/settings/users/' . $user->id);
 240         $this->withHtml($resp)->assertElementExists('[name="roles[' . $adminRole->id . ']"]')
 241             ->assertElementExists('[name="roles[' . $publicRole->id . ']"]');
 242     }
 243
 244     public function test_public_role_visible_in_role_listing()
 245     {
 246         $this->asAdmin()->get('/settings/roles')
 247             ->assertSee('Admin')
 248             ->assertSee('Public');
 249     }
 250
 251     public function test_public_role_visible_in_default_role_setting()
 252     {
 253         $resp = $this->asAdmin()->get('/settings/registration');
 254         $this->withHtml($resp)->assertElementExists('[data-system-role-name="admin"]')
 255             ->assertElementExists('[data-system-role-name="public"]');
 256     }
 257
 258     public function test_public_role_not_deletable()
 259     {
 260         /** @var Role $publicRole */
 261         $publicRole = Role::getSystemRole('public');
 262         $resp = $this->asAdmin()->delete('/settings/roles/delete/' . $publicRole->id);
 263         $resp->assertRedirect('/settings/roles/delete/' . $publicRole->id);
 264
 265         $this->get('/settings/roles/delete/' . $publicRole->id);
 266         $resp = $this->delete('/settings/roles/delete/' . $publicRole->id);
 267         $resp->assertRedirect('/settings/roles/delete/' . $publicRole->id);
 268         $resp = $this->get('/settings/roles/delete/' . $publicRole->id);
 269         $resp->assertSee('This role is a system role and cannot be deleted');
 270     }
 271
 272     public function test_role_permission_removal()
 273     {
 274         // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.
 275         $page = $this->entities->page();
 276         $viewerRole = Role::getRole('viewer');
 277         $viewer = $this->users->viewer();
 278         $this->actingAs($viewer)->get($page->getUrl())->assertOk();
 279
 280         $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [
 281             'display_name' => $viewerRole->display_name,
 282             'description'  => $viewerRole->description,
 283             'permissions'  => [],
 284         ])->assertStatus(302);
 285
 286         $this->actingAs($viewer)->get($page->getUrl())->assertStatus(404);
 287     }
 288
 289     public function test_index_listing_sorting()
 290     {
 291         $this->asAdmin();
 292         $role = $this->users->createRole();
 293         $role->display_name = 'zz test role';
 294         $role->created_at = now()->addDays(1);
 295         $role->save();
 296
 297         $runTest = function (string $order, string $direction, bool $expectFirstResult) use ($role) {
 298             setting()->putForCurrentUser('roles_sort', $order);
 299             setting()->putForCurrentUser('roles_sort_order', $direction);
 300             $html = $this->withHtml($this->get('/settings/roles'));
 301             $selector = ".item-list-row:first-child a[href$=\"/roles/{$role->id}\"]";
 302             if ($expectFirstResult) {
 303                 $html->assertElementExists($selector);
 304             } else {
 305                 $html->assertElementNotExists($selector);
 306             }
 307         };
 308
 309         $runTest('name', 'asc', false);
 310         $runTest('name', 'desc', true);
 311         $runTest('created_at', 'desc', true);
 312         $runTest('created_at', 'asc', false);
 313     }
 314 }