Fixed test class names + add perm. check to api session auth
authorDan Brown <redacted>
Wed, 1 Jan 2020 17:01:36 +0000 (17:01 +0000)
committerDan Brown <redacted>
Wed, 1 Jan 2020 17:01:36 +0000 (17:01 +0000)
app/Http/Middleware/ApiAuthenticate.php
tests/Api/ApiAuthTest.php
tests/Api/ApiConfigTest.php
tests/Api/ApiListingTest.php

index 655334450f8d1cfac8a2efc148c337edcccf4cb3..15962b3b00471d1fc55dd2a229824b50319886d6 100644 (file)
@@ -2,6 +2,7 @@
 
 namespace BookStack\Http\Middleware;
 
+use BookStack\Exceptions\ApiAuthException;
 use BookStack\Exceptions\UnauthorizedException;
 use Closure;
 use Illuminate\Http\Request;
@@ -36,6 +37,9 @@ class ApiAuthenticate
         // This is to make it easy to browser the API via browser after just logging into the system.
         if (signedInUser()) {
             $this->ensureEmailConfirmedIfRequested();
+            if (!auth()->user()->can('access-api')) {
+                throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
+            }
             return;
         }
 
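Review bot: The 403 raised on the session-auth path reuses `errors.api_user_no_api_permission`, whose text (asserted at the end of the ApiAuthTest hunk as "The owner of the used API token does not have permission to make API calls") refers to an API token that a session-authenticated user never presented, so the error is misleading in this branch. A session-specific lang key, for example `throw new ApiAuthException(trans('errors.api_user_no_api_permission_session'), 403);` (constructed key name) with wording along the lines of "Your user account does not have permission to make API calls", would keep the message accurate; the matching assertion at the end of the new test in ApiAuthTest would change with it. The enclosing handle method of ApiAuthenticate starts and ends outside the hunk, so it cannot be seen here whether the token-auth branch performs its `can('access-api')` check through the same code; if the two checks are written separately, extracting a small private helper called from both branches would keep them from drifting.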
index 30d7f4ead4e855478ba2209b443d919d5070b53c..b6b6b72ac795090d6c603a8791cb6a147f045d9f 100644 (file)
@@ -3,6 +3,7 @@
 namespace Tests;
 
 use BookStack\Auth\Permissions\RolePermission;
+use BookStack\Auth\User;
 use Carbon\Carbon;
 
 class ApiAuthTest extends TestCase
@@ -14,6 +15,8 @@ class ApiAuthTest extends TestCase
     public function test_requests_succeed_with_default_auth()
     {
         $viewer = $this->getViewer();
+        $this->giveUserPermissions($viewer, ['access-api']);
+
         $resp = $this->get($this->endpoint);
         $resp->assertStatus(401);
 
@@ -62,6 +65,28 @@ class ApiAuthTest extends TestCase
         $editorRole->detachPermission($accessApiPermission);
 
         $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+        $resp->assertStatus(403);
+        $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
+    }
+
+    public function test_api_access_permission_required_to_access_api_with_session_auth()
+    {
+        $editor = $this->getEditor();
+        $this->actingAs($editor, 'web');
+
+        $resp = $this->get($this->endpoint);
+        $resp->assertStatus(200);
+        auth('web')->logout();
+
+        $accessApiPermission = RolePermission::getByName('access-api');
+        $editorRole = $this->getEditor()->roles()->first();
+        $editorRole->detachPermission($accessApiPermission);
+
+        $editor = User::query()->where('id', '=', $editor->id)->first();
+
+        $this->actingAs($editor, 'web');
+        $resp = $this->get($this->endpoint);
+        $resp->assertStatus(403);
         $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
     }
 
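Review bot: In test_api_access_permission_required_to_access_api_with_session_auth the editor role is looked up through a second `$this->getEditor()->roles()->first()` call even though `$editor` is already in hand; `$editorRole = $editor->roles()->first();` makes it explicit that the permission is being removed from the account under test rather than relying on getEditor() resolving to the same user. The detached permission is not re-attached at the end of the test, mirroring the preceding test in this hunk; whether that is safe for later tests depends on the test case running inside a database transaction, which is not visible here and is worth confirming on the TestCase base class.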
index 99b063c69bfcb1b146c65729d819dff19dec7c2e..d9367741f55d02672d7a2424ac5040d9956657c3 100644 (file)
@@ -5,7 +5,7 @@ namespace Tests;
 use BookStack\Auth\Permissions\RolePermission;
 use Carbon\Carbon;
 
-class ApiAuthTest extends TestCase
+class ApiConfigTest extends TestCase
 {
     use TestsApi;
 
index 26014cdec2c0e07677fa730057f3ae19b1d7bc13..fa28dfb368b79b4141e275dc7875cb87c1240dff 100644 (file)
@@ -6,7 +6,7 @@ use BookStack\Auth\Permissions\RolePermission;
 use BookStack\Entities\Book;
 use Carbon\Carbon;
 
-class ApiAuthTest extends TestCase
+class ApiListingTest extends TestCase
 {
     use TestsApi;