Documents: Add tests + fix session access

4 years ago · 287c0e3d3e
parent 4e15f58338
commit 287c0e3d3e
3 changed files with 66 additions and 13 deletions
--- a/src/CoreBundle/DataProvider/Extension/CDocumentExtension.php
+++ b/src/CoreBundle/DataProvider/Extension/CDocumentExtension.php
@ -47,12 +47,12 @@ final class CDocumentExtension implements QueryCollectionExtensionInterface //,
            return;
        }

-        if ($this->security->isGranted('ROLE_ADMIN')) {
+        /*if ($this->security->isGranted('ROLE_ADMIN')) {
            return;
-        }
+        }*/

        if (null === $user = $this->security->getUser()) {
-            return;
+            throw new AccessDeniedException('Access Denied.');
        }

        $request = $this->requestStack->getCurrentRequest();
@ -103,6 +103,15 @@ final class CDocumentExtension implements QueryCollectionExtensionInterface //,
            ;
        }

+        if (empty($groupId)) {
+            $queryBuilder->andWhere('links.group IS NULL');
+        } else {
+            $queryBuilder
+                ->andWhere('links.group = :group')
+                ->setParameter('group', $groupId)
+            ;
+        }
+
        /*$queryBuilder->
            andWhere('node.creator = :current_user')
        ;*/
--- a/src/CoreBundle/Security/Authorization/Voter/ResourceNodeVoter.php
+++ b/src/CoreBundle/Security/Authorization/Voter/ResourceNodeVoter.php
@ -96,7 +96,6 @@ class ResourceNodeVoter extends Voter
        /*if (!$user instanceof UserInterface) {
            return false;
        }*/
-
        /** @var ResourceNode $resourceNode */
        $resourceNode = $subject;
        $resourceTypeName = $resourceNode->getResourceType()->getName();
@ -318,8 +317,7 @@ class ResourceNodeVoter extends Voter

            if (!empty($sessionId)) {
                if ($this->security->isGranted(self::ROLE_CURRENT_COURSE_SESSION_TEACHER)) {
-                    $resourceRight = new ResourceRight();
-                    $resourceRight
+                    $resourceRight = (new ResourceRight())
                        ->setMask($editorMask)
                        ->setRole(self::ROLE_CURRENT_COURSE_SESSION_TEACHER)
                    ;
@ -327,8 +325,7 @@ class ResourceNodeVoter extends Voter
                }

                if ($this->security->isGranted(self::ROLE_CURRENT_COURSE_SESSION_STUDENT)) {
-                    $resourceRight = new ResourceRight();
-                    $resourceRight
+                    $resourceRight = (new ResourceRight())
                        ->setMask($readerMask)
                        ->setRole(self::ROLE_CURRENT_COURSE_SESSION_STUDENT)
                    ;
@ -338,8 +335,7 @@ class ResourceNodeVoter extends Voter

            if (empty($rights) && ResourceLink::VISIBILITY_PUBLISHED === $link->getVisibility()) {
                // Give just read access.
-                $resourceRight = new ResourceRight();
-                $resourceRight
+                $resourceRight = (new ResourceRight())
                    ->setMask($readerMask)
                    ->setRole('ROLE_USER')
                ;
--- a/tests/CourseBundle/Repository/CDocumentRepositoryTest.php
+++ b/tests/CourseBundle/Repository/CDocumentRepositoryTest.php
@ -42,18 +42,17 @@ class CDocumentRepositoryTest extends AbstractApiTest

        $this->assertCount(0, $response->toArray()['hydra:member']);
        $this->assertMatchesResourceCollectionJsonSchema(CDocument::class);
-
-        // Test as user
    }

    public function testCreateFolder(): void
    {
        $course = $this->createCourse('Test');
+        $courseId = $course->getId();

        // Create folder.
        $resourceLinkList = [
            [
-                'cid' => $course->getId(),
+                'cid' => $courseId,
                'visibility' => ResourceLink::VISIBILITY_PUBLISHED,
            ],
        ];
@ -103,6 +102,55 @@ class CDocumentRepositoryTest extends AbstractApiTest
            '@type' => 'Documents',
            'title' => 'edited',
        ]);
+
+        // Test access.
+        $data = json_decode($response->getContent());
+        $documentId = $data->iid;
+
+        $this->createClientWithCredentials($token)->request(
+            'GET',
+            '/api/documents/'.$documentId,
+            [
+                'query' => [
+                    'getFile' => true,
+                ],
+            ]
+        );
+        $this->assertResponseIsSuccessful();
+
+        $this->createUser('test');
+
+        $testToken = $this->getUserToken(
+            [
+                'username' => 'test',
+                'password' => 'test',
+            ],
+            true
+        );
+
+        $this->createClientWithCredentials($testToken)->request(
+            'GET',
+            '/api/documents/'.$documentId,
+            [
+                'query' => [
+                    'cid' => $courseId,
+                ],
+            ]
+        );
+        $this->assertResponseIsSuccessful();
+
+        $this->createClientWithCredentials($testToken)->request(
+            'GET',
+            '/api/documents/'.$documentId,
+            [
+                'query' => [
+                    'cid' => 'abc',
+                    'sid' => 'abc',
+                    'gip' => 'abc',
+                ],
+            ]
+        );
+        $this->assertResponseStatusCodeSame(403);
    }

    public function testUploadFile(): void