mirror of
https://gitlab.com/davical-project/davical.git
synced 2026-01-27 00:33:34 +00:00
f69480ce77
Test that other users can't delete: - collections - tickets - bindings No significant change, just return an error message rather than assume that things worked.
166 lines
4.8 KiB
Plaintext
166 lines
4.8 KiB
Plaintext
MODE=TAP,20
|
|
|
|
# Test creating deleting bindings.
|
|
|
|
BEGINPERL
|
|
|
|
my $mech;
|
|
|
|
subtest 'Login' => sub {
|
|
plan tests => 4;
|
|
|
|
$mech = webui_login(
|
|
username => 'user2',
|
|
password => 'user2',
|
|
url => "http://$webhost",
|
|
);
|
|
};
|
|
|
|
$mech->follow_link( text_regex => qr/View My Details/ );
|
|
|
|
(my $principal_id = $mech->uri()) =~ s/^.*&id=(\d+)$/$1/;
|
|
|
|
my $edit_url = $mech->uri();
|
|
|
|
$mech->follow_link( text_regex => qr/Create Collection/ );
|
|
my $create_collection_url = $mech->uri();
|
|
|
|
# Create 3 binds for testing deletion.
|
|
# 0 = Delete by the principal who created it.
|
|
# 1 = Try to delete by another principal
|
|
# 2 = Try to delete by another principal
|
|
my @col_id;
|
|
my @binding_id;
|
|
|
|
for (my $i = 0; $i < 3; $i++) {
|
|
$col_id[$i] = create_collection($mech, $create_collection_url, $i);
|
|
$binding_id[$i] = create_binding($mech, $edit_url, $i, "/user2/test_binding_collection_$i/");
|
|
}
|
|
|
|
#$mech->save_content("$save_location/$case-A", binmode => ':utf8');
|
|
|
|
# Delete our first binding.
|
|
$mech->get("http://$webhost/admin.php?action=edit&t=principal&id=$principal_id&bind_id=" . $binding_id[0] . "&subaction=delete_bind_in");
|
|
$mech->follow_link( text_regex => qr/Confirm Deletion of the Binding/ );
|
|
|
|
$mech->content_contains(
|
|
'Binding deleted',
|
|
'Binding deleted message displayed'
|
|
);
|
|
|
|
#diag("Saved content of B to $save_location/$case-B");
|
|
#$mech->save_content("$save_location/$case-B", binmode => ':utf8');
|
|
|
|
my $mech_other;
|
|
subtest 'Login as user1' => sub {
|
|
plan tests => 4;
|
|
|
|
$mech_other = webui_login(
|
|
username => 'user1',
|
|
password => 'user1',
|
|
url => "http://$webhost",
|
|
);
|
|
};
|
|
|
|
$mech_other->follow_link( text_regex => qr/View My Details/ );
|
|
(my $other_principal_id = $mech_other->uri()) =~ s/^.*&id=(\d+)$/$1/;
|
|
|
|
# Try delete binding as another user, should be rejected.
|
|
$mech_other->get("http://$webhost/admin.php?action=edit&t=principal&id=$principal_id&bind_id=" . $binding_id[1] . "&subaction=delete_bind_in");
|
|
$mech_other->follow_link( text_regex => qr/Confirm Deletion of the Binding/ );
|
|
|
|
$mech_other->content_contains(
|
|
'You are not allowed to delete bindings for this principal.',
|
|
'Binding deletion error displayed when specifying other principal and their bind'
|
|
);
|
|
|
|
#diag("Saved content of C to $save_location/$case-C");
|
|
#$mech_other->save_content("$save_location/$case-C", binmode => ':utf8');
|
|
|
|
|
|
# Try delete other users binding as us, should be rejected.
|
|
$mech_other->get("http://$webhost/admin.php?action=edit&t=principal&id=$other_principal_id&bind_id=" . $binding_id[2] . "&subaction=delete_bind_in");
|
|
$mech_other->follow_link( text_regex => qr/Confirm Deletion of the Binding/ );
|
|
|
|
$mech_other->content_contains(
|
|
'Binding deletion failed.',
|
|
'Binding deletion error display when specifying our principal and their collection'
|
|
);
|
|
|
|
#diag("Saved content of D to $save_location/$case-D");
|
|
#$mech_other->save_content("$save_location/$case-D", binmode => ':utf8');
|
|
|
|
sub create_collection {
|
|
my ($mech, $create_url, $i) = @_;
|
|
|
|
$mech->get($create_url);
|
|
|
|
# Create a collection
|
|
$mech->submit_form_ok(
|
|
{
|
|
form_number => 1,
|
|
button => 'submit',
|
|
fields => {
|
|
collection_name => "test_binding_collection_$i",
|
|
dav_displayname => "Test binding_Collection $i",
|
|
description => "Description for Binding Collection $i",
|
|
},
|
|
}, "Create collection - $i"
|
|
);
|
|
|
|
$mech->content_contains(
|
|
'Creating new Collection.',
|
|
"Collection created message displayed - $i"
|
|
);
|
|
|
|
if ($mech->content() =~ /Collection ID:.*?(\d+)/m) {
|
|
return $1;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
sub create_binding {
|
|
my ($mech, $create_url, $i, $collection) = @_;
|
|
|
|
$mech->get($create_url);
|
|
|
|
# Create a binding
|
|
$mech->submit_form_ok(
|
|
{
|
|
form_number => 4,
|
|
button => 'bindingrow',
|
|
fields => {
|
|
dav_name => "/user2/binding$i",
|
|
dav_displayname => "Binding $i",
|
|
source => $collection,
|
|
},
|
|
}, "Create binding - $i"
|
|
);
|
|
|
|
$mech->content_contains(
|
|
'Creating new binding for this principal',
|
|
"Binding created message displayed - $i"
|
|
);
|
|
|
|
if ($mech->content() =~ m,^(?:<tbody>|</tr>)<tr class="r\d+"><td class="left">(\d+)</td>\s*<td style="white-space:nowrap;">$collection</td>,m) {
|
|
pass("Binding with collection path displayed - $i");
|
|
return $1;
|
|
}
|
|
}
|
|
|
|
ENDPERL
|
|
|
|
|
|
# Check that the state of the following collections:
|
|
# 0 = Deleted
|
|
# 1 = Exists
|
|
# 2 = Exists
|
|
# Hard as the ticket ID will change... Exclude that from the query.
|
|
BEGINQUERY
|
|
SELECT d.dav_name, d.dav_displayname, c.dav_name
|
|
FROM dav_binding AS d LEFT JOIN collection AS c ON (d.bound_source_id = c.collection_id)
|
|
WHERE d.dav_name like '/user2/binding%'
|
|
ORDER BY d.dav_name;
|
|
ENDQUERY
|