X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/ee24635e06a8c01d751f80caba47c57f76e8989d..HEAD:/tests/User/UserApiTokenTest.php diff --git a/tests/User/UserApiTokenTest.php b/tests/User/UserApiTokenTest.php index 716f3614c..d94e97659 100644 --- a/tests/User/UserApiTokenTest.php +++ b/tests/User/UserApiTokenTest.php @@ -2,37 +2,38 @@ namespace Tests\User; -use BookStack\Actions\ActivityType; +use BookStack\Activity\ActivityType; use BookStack\Api\ApiToken; use Carbon\Carbon; +use Illuminate\Support\Facades\Hash; use Tests\TestCase; class UserApiTokenTest extends TestCase { - protected $testTokenData = [ + protected array $testTokenData = [ 'name' => 'My test API token', 'expires_at' => '2050-04-01', ]; - public function test_tokens_section_not_visible_without_access_api_permission() + public function test_tokens_section_not_visible_in_my_account_without_access_api_permission() { - $user = $this->getViewer(); + $user = $this->users->viewer(); - $resp = $this->actingAs($user)->get($user->getEditUrl()); + $resp = $this->actingAs($user)->get('/my-account/auth'); $resp->assertDontSeeText('API Tokens'); - $this->giveUserPermissions($user, ['access-api']); + $this->permissions->grantUserRolePermissions($user, ['access-api']); - $resp = $this->actingAs($user)->get($user->getEditUrl()); + $resp = $this->actingAs($user)->get('/my-account/auth'); $resp->assertSeeText('API Tokens'); $resp->assertSeeText('Create Token'); } public function test_those_with_manage_users_can_view_other_user_tokens_but_not_create() { - $viewer = $this->getViewer(); - $editor = $this->getEditor(); - $this->giveUserPermissions($viewer, ['users-manage']); + $viewer = $this->users->viewer(); + $editor = $this->users->editor(); + $this->permissions->grantUserRolePermissions($viewer, ['users-manage']); $resp = $this->actingAs($viewer)->get($editor->getEditUrl()); $resp->assertSeeText('API Tokens'); @@ -41,16 +42,16 @@ class UserApiTokenTest extends TestCase public function test_create_api_token() { - $editor = $this->getEditor(); + $editor = $this->users->editor(); - $resp = $this->asAdmin()->get($editor->getEditUrl('/create-api-token')); + $resp = $this->asAdmin()->get("/api-tokens/{$editor->id}/create"); $resp->assertStatus(200); $resp->assertSee('Create API Token'); $resp->assertSee('Token Secret'); - $resp = $this->post($editor->getEditUrl('/create-api-token'), $this->testTokenData); + $resp = $this->post("/api-tokens/{$editor->id}/create", $this->testTokenData); $token = ApiToken::query()->latest()->first(); - $resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id)); + $resp->assertRedirect("/api-tokens/{$editor->id}/{$token->id}"); $this->assertDatabaseHas('api_tokens', [ 'user_id' => $editor->id, 'name' => $this->testTokenData['name'], @@ -63,7 +64,7 @@ class UserApiTokenTest extends TestCase $this->assertDatabaseMissing('api_tokens', [ 'secret' => $secret, ]); - $this->assertTrue(\Hash::check($secret, $token->secret)); + $this->assertTrue(Hash::check($secret, $token->secret)); $this->assertTrue(strlen($token->token_id) === 32); $this->assertTrue(strlen($secret) === 32); @@ -74,8 +75,11 @@ class UserApiTokenTest extends TestCase public function test_create_with_no_expiry_sets_expiry_hundred_years_away() { - $editor = $this->getEditor(); - $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), ['name' => 'No expiry token', 'expires_at' => '']); + $editor = $this->users->editor(); + + $resp = $this->asAdmin()->post("/api-tokens/{$editor->id}/create", ['name' => 'No expiry token', 'expires_at' => '']); + $resp->assertRedirect(); + $token = ApiToken::query()->latest()->first(); $over = Carbon::now()->addYears(101); @@ -88,8 +92,10 @@ class UserApiTokenTest extends TestCase public function test_created_token_displays_on_profile_page() { - $editor = $this->getEditor(); - $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData); + $editor = $this->users->editor(); + $resp = $this->asAdmin()->post("/api-tokens/{$editor->id}/create", $this->testTokenData); + $resp->assertRedirect(); + $token = ApiToken::query()->latest()->first(); $resp = $this->get($editor->getEditUrl()); @@ -101,29 +107,30 @@ class UserApiTokenTest extends TestCase public function test_secret_shown_once_after_creation() { - $editor = $this->getEditor(); - $resp = $this->asAdmin()->followingRedirects()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData); + $editor = $this->users->editor(); + $resp = $this->asAdmin()->followingRedirects()->post("/api-tokens/{$editor->id}/create", $this->testTokenData); $resp->assertSeeText('Token Secret'); $token = ApiToken::query()->latest()->first(); $this->assertNull(session('api-token-secret:' . $token->id)); - $resp = $this->get($editor->getEditUrl('/api-tokens/' . $token->id)); + $resp = $this->get("/api-tokens/{$editor->id}/{$token->id}"); + $resp->assertOk(); $resp->assertDontSeeText('Client Secret'); } public function test_token_update() { - $editor = $this->getEditor(); - $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData); + $editor = $this->users->editor(); + $this->asAdmin()->post("/api-tokens/{$editor->id}/create", $this->testTokenData); $token = ApiToken::query()->latest()->first(); $updateData = [ 'name' => 'My updated token', 'expires_at' => '2011-01-01', ]; - $resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), $updateData); - $resp->assertRedirect($editor->getEditUrl('/api-tokens/' . $token->id)); + $resp = $this->put("/api-tokens/{$editor->id}/{$token->id}", $updateData); + $resp->assertRedirect("/api-tokens/{$editor->id}/{$token->id}"); $this->assertDatabaseHas('api_tokens', array_merge($updateData, ['id' => $token->id])); $this->assertSessionHas('success'); @@ -132,14 +139,14 @@ class UserApiTokenTest extends TestCase public function test_token_update_with_blank_expiry_sets_to_hundred_years_away() { - $editor = $this->getEditor(); - $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData); + $editor = $this->users->editor(); + $this->asAdmin()->post("/api-tokens/{$editor->id}/create", $this->testTokenData); $token = ApiToken::query()->latest()->first(); - $resp = $this->put($editor->getEditUrl('/api-tokens/' . $token->id), [ + $this->put("/api-tokens/{$editor->id}/{$token->id}", [ 'name' => 'My updated token', 'expires_at' => '', - ]); + ])->assertRedirect(); $token->refresh(); $over = Carbon::now()->addYears(101); @@ -152,16 +159,16 @@ class UserApiTokenTest extends TestCase public function test_token_delete() { - $editor = $this->getEditor(); - $this->asAdmin()->post($editor->getEditUrl('/create-api-token'), $this->testTokenData); + $editor = $this->users->editor(); + $this->asAdmin()->post("/api-tokens/{$editor->id}/create", $this->testTokenData); $token = ApiToken::query()->latest()->first(); - $tokenUrl = $editor->getEditUrl('/api-tokens/' . $token->id); + $tokenUrl = "/api-tokens/{$editor->id}/{$token->id}"; $resp = $this->get($tokenUrl . '/delete'); $resp->assertSeeText('Delete Token'); $resp->assertSeeText($token->name); - $this->withHtml($resp)->assertElementExists('form[action="' . $tokenUrl . '"]'); + $this->withHtml($resp)->assertElementExists('form[action$="' . $tokenUrl . '"]'); $resp = $this->delete($tokenUrl); $resp->assertRedirect($editor->getEditUrl('#api_tokens')); @@ -171,19 +178,50 @@ class UserApiTokenTest extends TestCase public function test_user_manage_can_delete_token_without_api_permission_themselves() { - $viewer = $this->getViewer(); - $editor = $this->getEditor(); - $this->giveUserPermissions($editor, ['users-manage']); + $viewer = $this->users->viewer(); + $editor = $this->users->editor(); + $this->permissions->grantUserRolePermissions($editor, ['users-manage']); - $this->asAdmin()->post($viewer->getEditUrl('/create-api-token'), $this->testTokenData); + $this->asAdmin()->post("/api-tokens/{$viewer->id}/create", $this->testTokenData); $token = ApiToken::query()->latest()->first(); - $resp = $this->actingAs($editor)->get($viewer->getEditUrl('/api-tokens/' . $token->id)); + $resp = $this->actingAs($editor)->get("/api-tokens/{$viewer->id}/{$token->id}"); $resp->assertStatus(200); $resp->assertSeeText('Delete Token'); - $resp = $this->actingAs($editor)->delete($viewer->getEditUrl('/api-tokens/' . $token->id)); + $resp = $this->actingAs($editor)->delete("/api-tokens/{$viewer->id}/{$token->id}"); $resp->assertRedirect($viewer->getEditUrl('#api_tokens')); $this->assertDatabaseMissing('api_tokens', ['id' => $token->id]); } + + public function test_return_routes_change_depending_on_entry_context() + { + $user = $this->users->admin(); + $returnByContext = [ + 'settings' => url("/https/source.bookstackapp.com/settings/users/{$user->id}/#api_tokens"), + 'my-account' => url('/https/source.bookstackapp.com/my-account/auth#api_tokens'), + ]; + + foreach ($returnByContext as $context => $returnUrl) { + $resp = $this->actingAs($user)->get("/api-tokens/{$user->id}/create?context={$context}"); + $this->withHtml($resp)->assertLinkExists($returnUrl, 'Cancel'); + + $this->post("/api-tokens/{$user->id}/create", $this->testTokenData); + $token = $user->apiTokens()->latest()->first(); + + $resp = $this->get($token->getUrl()); + $this->withHtml($resp)->assertLinkExists($returnUrl, 'Back'); + + $resp = $this->delete($token->getUrl()); + $resp->assertRedirect($returnUrl); + } + } + + public function test_context_assumed_for_editing_tokens_of_another_user() + { + $user = $this->users->viewer(); + + $resp = $this->asAdmin()->get("/api-tokens/{$user->id}/create?context=my-account"); + $this->withHtml($resp)->assertLinkExists($user->getEditUrl('#api_tokens'), 'Cancel'); + } }