X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/c429cf78187e80deb63982a282a1c6889f30291a..refs/pull/5280/head:/tests/Api/ApiAuthTest.php
diff --git a/tests/Api/ApiAuthTest.php b/tests/Api/ApiAuthTest.php
index c45bd77ee..93e4b02e4 100644
--- a/tests/Api/ApiAuthTest.php
+++ b/tests/Api/ApiAuthTest.php
@@ -2,8 +2,9 @@
 namespace Tests\Api;
-use BookStack\Auth\Permissions\RolePermission;
-use BookStack\Auth\User;
+use BookStack\Permissions\Models\RolePermission;
+use BookStack\Users\Models\Role;
+use BookStack\Users\Models\User;
 use Carbon\Carbon;
 use Tests\TestCase;
@@ -15,8 +16,8 @@ class ApiAuthTest extends TestCase
 public function test_requests_succeed_with_default_auth()
 {
- $viewer = $this->getViewer();
- $this->giveUserPermissions($viewer, ['access-api']);
+ $viewer = $this->users->viewer();
+ $this->permissions->grantUserRolePermissions($viewer, ['access-api']);
 $resp = $this->get($this->endpoint);
 $resp->assertStatus(401);
@@ -62,7 +63,7 @@ class ApiAuthTest extends TestCase
 auth()->logout();
 $accessApiPermission = RolePermission::getByName('access-api');
- $editorRole = $this->getEditor()->roles()->first();
+ $editorRole = $this->users->editor()->roles()->first();
 $editorRole->detachPermission($accessApiPermission);
 $resp = $this->get($this->endpoint, $this->apiAuthHeader());
@@ -72,7 +73,7 @@ class ApiAuthTest extends TestCase
 public function test_api_access_permission_required_to_access_api_with_session_auth()
 {
- $editor = $this->getEditor();
+ $editor = $this->users->editor();
 $this->actingAs($editor, 'standard');
 $resp = $this->get($this->endpoint);
@@ -80,7 +81,7 @@ class ApiAuthTest extends TestCase
 auth('standard')->logout();
 $accessApiPermission = RolePermission::getByName('access-api');
- $editorRole = $this->getEditor()->roles()->first();
+ $editorRole = $this->users->editor()->roles()->first();
 $editorRole->detachPermission($accessApiPermission);
 $editor = User::query()->where('id', '=', $editor->id)->first();
@@ -91,9 +92,29 @@ class ApiAuthTest extends TestCase
 $resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403));
 }
+ public function test_access_prevented_for_guest_users_with_api_permission_while_public_access_disabled()
+ {
+ $this->disableCookieEncryption();
+ $publicRole = Role::getSystemRole('public');
+ $accessApiPermission = RolePermission::getByName('access-api');
+ $publicRole->attachPermission($accessApiPermission);
+
+ $this->withCookie('bookstack_session', 'abc123');
+
+ // Test API access when not public
+ setting()->put('app-public', false);
+ $resp = $this->get($this->endpoint);
+ $resp->assertStatus(403);
+
+ // Test API access when public
+ setting()->put('app-public', true);
+ $resp = $this->get($this->endpoint);
+ $resp->assertStatus(200);
+ }
+
 public function test_token_expiry_checked()
 {
- $editor = $this->getEditor();
+ $editor = $this->users->editor();
 $token = $editor->apiTokens()->first();
 $resp = $this->get($this->endpoint, $this->apiAuthHeader());
@@ -109,7 +130,7 @@ class ApiAuthTest extends TestCase
 public function test_email_confirmation_checked_using_api_auth()
 {
- $editor = $this->getEditor();
+ $editor = $this->users->editor();
 $editor->email_confirmed = false;
 $editor->save();
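Review bot: In the new test_access_prevented_for_guest_users_with_api_permission_while_public_access_disabled, the `app-public = false` branch asserts only `$resp->assertStatus(403)`, so the test cannot distinguish a guest rejected by the public-access gate from one rejected by the generic "owner lacks permission to make API calls" check that the preceding tests exercise; assert the response body as those tests do, e.g. `$resp->assertJson($this->errorResponse('<message the public-access guard emits>', 403))`. The same guard was deliberately given access-api on the public role a few lines earlier, which is exactly what makes the body assertion necessary to prove the right check fired. The intent of `$this->disableCookieEncryption()` followed by `$this->withCookie('bookstack_session', 'abc123')` is not obvious from the test; presumably it presents an unknown, unencrypted session cookie so the request is handled on the session path as a guest rather than as a token-less API call, and a one-line comment saying so above the `withCookie` call would help the next reader. The enclosing class continues outside the hunk.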