mirror of
https://gitlab.com/davical-project/davical.git
synced 2026-01-27 00:33:34 +00:00
f69480ce77
Test that other users can't delete: - collections - tickets - bindings No significant change, just return an error message rather than assume that things worked.
187 lines
5.4 KiB
Plaintext
187 lines
5.4 KiB
Plaintext
MODE=TAP,23
|
|
|
|
# Test creating deleting tickets.
|
|
|
|
BEGINPERL
|
|
|
|
my $mech;
|
|
|
|
subtest 'Login' => sub {
|
|
plan tests => 4;
|
|
|
|
$mech = webui_login(
|
|
username => 'user2',
|
|
password => 'user2',
|
|
url => "http://$webhost",
|
|
);
|
|
};
|
|
|
|
$mech->follow_link( text_regex => qr/View My Details/ );
|
|
|
|
(my $principal_id = $mech->uri()) =~ s/^.*&id=(\d+)$/$1/;
|
|
|
|
my $edit_url = $mech->uri();
|
|
|
|
$mech->follow_link( text_regex => qr/Create Collection/ );
|
|
my $create_collection_url = $mech->uri();
|
|
|
|
# Create 3 tickets for testing deletion.
|
|
# 0 = Delete by the principal who created it.
|
|
# 1 = Try to delete by another principal
|
|
# 2 = Try to delete by another principal
|
|
my @col_id;
|
|
my @ticket_id;
|
|
|
|
for (my $i = 0; $i < 3; $i++) {
|
|
$col_id[$i] = create_collection($mech, $create_collection_url, $i);
|
|
$ticket_id[$i] = create_ticket($mech, $edit_url, $i, "/user2/test_ticket_collection_$i/");
|
|
}
|
|
|
|
#$mech->save_content("$save_location/$case-A", binmode => ':utf8');
|
|
|
|
# Delete our first ticket.
|
|
$mech->get("http://$webhost/admin.php?action=edit&t=principal&id=$principal_id&ticket_id=" . $ticket_id[0] . "&subaction=delete_ticket");
|
|
$mech->follow_link( text_regex => qr/Confirm Deletion of the Ticket/ );
|
|
|
|
$mech->content_contains(
|
|
'Access ticket deleted',
|
|
'Access ticket deleted message displayed'
|
|
);
|
|
|
|
#diag("Saved content of B to $save_location/$case-B");
|
|
#$mech->save_content("$save_location/$case-B", binmode => ':utf8');
|
|
|
|
my $mech_other;
|
|
subtest 'Login as user1' => sub {
|
|
plan tests => 4;
|
|
|
|
$mech_other = webui_login(
|
|
username => 'user1',
|
|
password => 'user1',
|
|
url => "http://$webhost",
|
|
);
|
|
};
|
|
|
|
$mech_other->follow_link( text_regex => qr/View My Details/ );
|
|
(my $other_principal_id = $mech_other->uri()) =~ s/^.*&id=(\d+)$/$1/;
|
|
|
|
# Try delete ticket as another user, should be rejected.
|
|
$mech_other->get("http://$webhost/admin.php?action=edit&t=principal&id=$principal_id&ticket_id=" . $ticket_id[1] . "&subaction=delete_ticket");
|
|
$mech->follow_link( text_regex => qr/Confirm Deletion of the Ticket/ );
|
|
|
|
$mech_other->content_contains(
|
|
'You are not allowed to delete tickets for this principal.',
|
|
'Collection deletion error displayed when specifying other principal and their ticket'
|
|
);
|
|
|
|
#diag("Saved content of C to $save_location/$case-C");
|
|
#$mech_other->save_content("$save_location/$case-C", binmode => ':utf8');
|
|
|
|
|
|
# Try delete other users ticket as us, should be rejected.
|
|
$mech_other->get("http://$webhost/admin.php?action=edit&t=principal&id=$other_principal_id&collection_id=" . $ticket_id[2] . "&subaction=delete_ticket");
|
|
$mech_other->follow_link( text_regex => qr/Confirm Deletion of the Ticket/ );
|
|
|
|
$mech_other->content_contains(
|
|
'Access ticket deletion failed.',
|
|
'Ticket deletion error display when specifying our principal and their collection'
|
|
);
|
|
|
|
#diag("Saved content of D to $save_location/$case-D");
|
|
#$mech_other->save_content("$save_location/$case-D", binmode => ':utf8');
|
|
|
|
sub create_collection {
|
|
my ($mech, $create_url, $i) = @_;
|
|
|
|
$mech->get($create_url);
|
|
|
|
# Create a collection
|
|
$mech->submit_form_ok(
|
|
{
|
|
form_number => 1,
|
|
button => 'submit',
|
|
fields => {
|
|
collection_name => "test_ticket_collection_$i",
|
|
dav_displayname => "Test Ticket_Collection $i",
|
|
description => "Description for Ticket Collection $i",
|
|
},
|
|
}, "Create collection - $i"
|
|
);
|
|
|
|
$mech->content_contains(
|
|
'Creating new Collection.',
|
|
"Collection created message displayed - $i"
|
|
);
|
|
|
|
if ($mech->content() =~ /Collection ID:.*?(\d+)/m) {
|
|
return $1;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
sub create_ticket {
|
|
my ($mech, $create_url, $i, $collection, $fail) = @_;
|
|
|
|
$mech->get($create_url);
|
|
|
|
# Find the new ticket ID
|
|
my $ticket_id;
|
|
if ($mech->content() =~ qr/<input type="hidden" name="ticket_id" value="(\S+?)">/) {
|
|
$ticket_id = $1;
|
|
|
|
like($ticket_id, qr/^[0-9a-z]{8}$/i, "Found new ticket ID - $i");
|
|
} else {
|
|
fail("No ticket ID found - $i");
|
|
}
|
|
|
|
# Create a ticket
|
|
$mech->submit_form_ok(
|
|
{
|
|
form_number => 3,
|
|
button => 'ticketrow',
|
|
fields => {
|
|
target => $collection,
|
|
'ticket_privileges[read]' => 1,
|
|
'ticket_privileges[write-content]' => 1,
|
|
},
|
|
}, "Create ticket - $i"
|
|
);
|
|
|
|
if (! defined $fail) {
|
|
$mech->content_contains(
|
|
'Creating new ticket granting privileges to this Principal',
|
|
"Ticket created message displayed - $i"
|
|
);
|
|
|
|
$mech->content_like(
|
|
qr,^(?:<tbody>|</tr>)<tr class="r\d+"><td class="left">$ticket_id</td>\s*<td style="white-space:nowrap;">$collection</td>,m,
|
|
"Ticket with collection path displayed - $i"
|
|
);
|
|
|
|
return $ticket_id;
|
|
} else {
|
|
$mech->content_contains(
|
|
'Can only add tickets for existing collection paths which you own',
|
|
"Ticket creation failed message displayed - $i"
|
|
);
|
|
|
|
return;
|
|
}
|
|
}
|
|
|
|
ENDPERL
|
|
|
|
|
|
# Check that the state of the following collections:
|
|
# 0 = Deleted
|
|
# 1 = Exists
|
|
# 2 = Exists
|
|
# Hard as the ticket ID will change... Exclude that from the query.
|
|
BEGINQUERY
|
|
SELECT t.privileges, c.dav_name, c.dav_displayname
|
|
FROM access_ticket AS t LEFT JOIN collection AS c ON (t.target_collection_id = c.collection_id)
|
|
WHERE c.dav_name like '/user2/test_ticket_collection%'
|
|
ORDER BY c.dav_name;
|
|
ENDQUERY
|