From: Dan Brown
Date: Thu, 15 Dec 2022 11:22:53 +0000 (+0000)
Subject: Started more formal permission test case definitions
X-Git-Url: http://source.bookstackapp.com/bookstack/commitdiff_plain/d54ea1b3ede4fe6ea3ee04108503c62f427fad3f

Started more formal permission test case definitions
---

diff --git a/app/Auth/Permissions/PermissionApplicator.php b/app/Auth/Permissions/PermissionApplicator.php
index 47d152a04..acb08ee3a 100644
--- a/app/Auth/Permissions/PermissionApplicator.php
+++ b/app/Auth/Permissions/PermissionApplicator.php
@@ -107,7 +107,7 @@ class PermissionApplicator
 $allowedByTypeById = ['fallback' => [], 'user' => [], 'role' => []];
 /** @var EntityPermission $permission */
 foreach ($relevantPermissions as $permission) {
- $allowedByTypeById[$permission->getAssignedType()][$permission->getAssignedTypeId()] = $permission->$permission;
+ $allowedByTypeById[$permission->getAssignedType()][$permission->getAssignedTypeId()] = boolval($permission->$action);
 }
 
 $inheriting = !isset($allowedByTypeById['fallback'][0]);
diff --git a/dev/docs/permission-scenario-testing.md b/dev/docs/permission-scenario-testing.md
new file mode 100644
index 000000000..7cd7667d2
--- /dev/null
+++ b/dev/docs/permission-scenario-testing.md
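Review bot: The corrected assignment reads the permission flag through a dynamic property name, `$permission->$action`, and nothing in the hunk constrains `$action` to an actual boolean column of EntityPermission; if it is derived from a caller-supplied ability string, an unknown name presumably resolves to null and `boolval()` turns that into a silent deny for that role or user. Failing closed is the right default for a permission lookup, but it would also hide a typo or a newly added ability that has no column yet, and the resulting deny would be hard to trace. A comment on that line would make the contract visible, e.g. `// $action must name a boolean permission column; an unknown name resolves to null and is treated as a deny`, or, better, the enclosing method could validate `$action` against the known set before the loop. The enclosing method starts and ends outside the hunk, so I cannot tell whether that validation already happens upstream.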
@@ -0,0 +1,37 @@
+# Permission Scenario Testing
+
+Due to complexity that can arise in the various combinations of permissions, this document details scenarios and their expected results.
+
+Test cases are written ability abstract, since all abilities should act the same in theory. Functional test cases may test abilities separate due to implementation differences.
+
+## Cases
+
+### Entity Role Permissions
+
+These are tests related to entity-level role-specific permission overrides.
+
+#### entity_role_01 - Explicit allow
+
+- Page permissions have inherit disabled.
+- Role A has explicit page permission.
+- User has Role A.
+
+User should have page permission.
+
+#### entity_role_02 - Explicit deny
+
+- Page permissions have inherit disabled.
+- Role A has explicit page permission.
+- User has Role A.
+
+User should not have permission.
+
+#### entity_role_03 - Same level conflicting
+
+- Page permissions have inherit disabled.
+- Role A has explicit page permission.
+- Role B has explicit blocked page permission.
+- User has both Role A & B.
+
+User should have page permission. Explicit grant overrides explicit deny at same level.
+
diff --git a/tests/Permissions/Scenarios/EntityRolePermissions.php b/tests/Permissions/Scenarios/EntityRolePermissions.php
new file mode 100644
index 000000000..40c0890f4
--- /dev/null
+++ b/tests/Permissions/Scenarios/EntityRolePermissions.php
@@ -0,0 +1,52 @@
+getViewer();
+ $role = $user->roles->first();
+ $page = $this->entities->page();
+ $this->entities->setPermissions($page, ['view'], [$role], false);
+
+ $this->actingAs($user);
+ $this->assertTrue(userCan('page-view', $page));
+ $this->assertNotNull(Page::visible()->findOrFail($page->id));
+ }
+
+ public function test_02_explicit_deny()
+ {
+ $user = $this->getViewer();
+ $role = $user->roles->first();
+ $page = $this->entities->page();
+ $this->entities->setPermissions($page, ['edit'], [$role], false);
+
+ $this->actingAs($user);
+ $this->assertFalse(userCan('page-view', $page));
+ $this->assertNull(Page::visible()->find($page->id));
+ }
+
+ public function test_03_same_level_conflicting()
+ {
+ $user = $this->getViewer();
+ $roleA = $user->roles->first();
+ $roleB = $this->createNewRole();
+ $user->attachRole($roleB);
+
+ $page = $this->entities->page();
+ // TODO - Can't do this as second call will overwrite first
+ $this->entities->setPermissions($page, ['edit'], [$roleA], false);
+ $this->entities->setPermissions($page, ['view'], [$roleB], false);
+
+ $this->actingAs($user);
+ $this->assertFalse(userCan('page-view', $page));
+ $this->assertNull(Page::visible()->find($page->id));
+ }
+}
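Review bot: test_03_same_level_conflicting asserts `assertFalse(userCan('page-view', $page))` and `assertNull(Page::visible()->find($page->id))`, which is the opposite of the outcome the accompanying dev/docs/permission-scenario-testing.md states for entity_role_03 ("User should have page permission. Explicit grant overrides explicit deny at same level"), and the TODO above the two `setPermissions` calls says the second call overwrites the first, so Role A's deny is never actually applied and the test pins whatever the overwrite happens to produce. Until `setPermissions` can apply per-role overrides additively the test should not pass green with inverted expectations; replace its two assertions with `$this->markTestIncomplete('setPermissions overwrites the previous role override; scenario not yet reproducible');` so the suite records the gap instead of locking in a result the scenario document contradicts. test_02_explicit_deny models the deny by granting only `['edit']` with inherit disabled, which is a reasonable setup but reads as a grant at first glance; a one-line comment such as `// No 'view' in the granted set: with inherit disabled this is the explicit deny` would make the intent clear. The top of the file, including the class header and the opening of test_01_explicit_allow, is truncated in this copy of the hunk (`+getViewer();`), so those lines were not reviewed.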