From 350d7205b017d9a1d169d11f05700db0e1af76d6 Mon Sep 17 00:00:00 2001 From: Blake Payne Date: Wed, 3 Mar 2021 21:32:18 +0000 Subject: [PATCH 1/6] Updated GroupFilterGambit to prevent hidden groups being visible where they shouldn't be and to ensure that only the selected groups are returned on a search. #2559 --- src/User/Query/GroupFilterGambit.php | 10 +- .../integration/api/users/GroupSearchTest.php | 325 ++++++++++++++++++ 2 files changed, 333 insertions(+), 2 deletions(-) create mode 100644 tests/integration/api/users/GroupSearchTest.php diff --git a/src/User/Query/GroupFilterGambit.php b/src/User/Query/GroupFilterGambit.php index 9d419a7b90..ec34912da4 100644 --- a/src/User/Query/GroupFilterGambit.php +++ b/src/User/Query/GroupFilterGambit.php @@ -51,14 +51,20 @@ protected function constrain(Builder $query, User $actor, string $rawQuery, bool $groupQuery = Group::whereVisibleTo($actor); + $ids = []; + $names = []; foreach ($groupIdentifiers as $identifier) { if (is_numeric($identifier)) { - $groupQuery->orWhere('id', $identifier); + $ids[] = $identifier; } else { - $groupQuery->orWhere('name_singular', $identifier)->orWhere('name_plural', $identifier); + $names[] = $identifier; } } + $groupQuery->whereIn('id', $ids) + ->orWhereIn('name_singular', $names) + ->orWhereIn('name_plural', $names); + $userIds = $groupQuery->join('group_user', 'groups.id', 'group_user.group_id') ->pluck('group_user.user_id') ->all(); diff --git a/tests/integration/api/users/GroupSearchTest.php b/tests/integration/api/users/GroupSearchTest.php new file mode 100644 index 0000000000..6570bd38f0 --- /dev/null +++ b/tests/integration/api/users/GroupSearchTest.php 
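Review bot: The new `whereIn('id', $ids)->orWhereIn('name_singular', $names)->orWhereIn('name_plural', $names)` chain is appended at the top level of the builder that `Group::whereVisibleTo($actor)` already constrained, so if that scope is applied as a plain `where()` on the same query (the scope lives outside this hunk, so this is inferred) the generated SQL reads `visible AND id IN (…) OR name_singular IN (…) OR name_plural IN (…)` and a hidden group is still matched when a non-privileged actor filters by its name — the same precedence problem the removed `orWhere` calls had. Nesting the identifier match in a `where(function ($q) …)` group keeps the visibility constraint ANDed with the whole match; the new test file only checks the hidden group by id, so the name path is currently unverified. `constrain()` starts before and ends after this hunk.
```php
$groupQuery = Group::whereVisibleTo($actor);
// … unchanged: split $groupIdentifiers into $ids / $names …
$groupQuery->where(function ($q) use ($ids, $names) {
    $q->whereIn('id', $ids)
        ->orWhereIn('name_singular', $names)
        ->orWhereIn('name_plural', $names);
});
// … unchanged: join group_user and pluck user ids …
```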
@@ -0,0 +1,325 @@ +prepareDatabase([ + 'users' => [ + $this->normalUser(), + ], + ]); + } + + /** + * @test + */ + public function disallows_group_filter_for_user_without_permission() + { + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:admin']]) + ); + + $this->assertEquals(403, $response->getStatusCode()); + } + + /** + * @test + */ + public function allows_group_filter_for_admin() + { + $response = $this->send( + $this->request('GET', '/api/users?filter%5Bq%5D=group%3Aadmin', [ + 'authenticatedAs' => 1, + ])->withQueryParams(['filter' => ['q' => 'group:admin']]) + ); + + $this->assertEquals(200, $response->getStatusCode()); + } + + /** + * @test + */ + public function allows_group_filter_for_user_with_permission() + { + $this->prepareDatabase([ + 'group_permission' => [ + ['permission' => 'viewUserList', 'group_id' => 2], + ], + ]); + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:admin']]) + ); + + $this->assertEquals(200, $response->getStatusCode()); + } + + /** + * @test + */ + public function non_admin_gets_correct_results_group_name_singular() + { + $this->prepareDatabase([ + 'group_permission' => [ + ['permission' => 'viewUserList', 'group_id' => 2], + ], + ]); + + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:admin']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:mod']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + 
$this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + } + + /** + * @test + */ + public function non_admin_gets_correct_results_group_name_plural() + { + $this->prepareDatabase([ + 'group_permission' => [ + ['permission' => 'viewUserList', 'group_id' => 2], + ], + ]); + + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:admins']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:mods']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + } + + /** + * @test + */ + public function non_admin_gets_correct_results_group_id() + { + $this->prepareDatabase([ + 'group_permission' => [ + ['permission' => 'viewUserList', 'group_id' => 2], + ], + ]); + + $response = $this->send( + $this->request('GET', '/api/users') + ->withQueryParams(['filter' => ['q' => 'group:1']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + + $response = $this->send( + $this->request('GET', 
'/api/users') + ->withQueryParams(['filter' => ['q' => 'group:4']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + } + + /** + * @test + */ + public function non_admin_cannot_see_hidden_groups() + { + $this->prepareDatabase([ + 'users' => [ + [ + 'id' => 3, + 'username' => 'normal2', + 'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure" + 'email' => 'normal2@machine.local', + 'is_email_confirmed' => 1, + ], + ], + 'groups' => [ + [ + 'id' => 99, + 'name_singular' => 'hidden user', + 'name_plural' => 'hidden users', + 'is_hidden' => true + ], + ], + 'group_user' => [ + [ + 'user_id' => 3, + 'group_id' => 99 + ] + ], + ]); + $response = $this->send( + $this->request('GET', '/api/users', [ + 'authenticatedAs' => 2 + ])->withQueryParams(['filter' => ['q' => 'group:99']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + + } + + /** + * @test + */ + public function admin_gets_correct_results_group_name_singular() + { + $response = $this->send( + $this->request('GET', '/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:admin']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + + $response = $this->send( + $this->request('GET', 
'/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:mod']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + } + + /** + * @test + */ + public function admin_gets_correct_results_group_name_plural() + { + $response = $this->send( + $this->request('GET', '/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:admins']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + + $response = $this->send( + $this->request('GET', '/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:mods']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + } + + /** + * @test + */ + public function admin_gets_correct_results_group_id() + { + $response = $this->send( + $this->request('GET', '/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:1']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + + $response = $this->send( + 
$this->request('GET', '/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:4']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); + } + + /** + * @test + */ + public function admin_can_see_hidden_groups() + { + $this->prepareDatabase([ + 'users' => [ + [ + 'id' => 3, + 'username' => 'normal2', + 'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure" + 'email' => 'normal2@machine.local', + 'is_email_confirmed' => 1, + ], + ], + 'groups' => [ + [ + 'id' => 99, + 'name_singular' => 'hidden user', + 'name_plural' => 'hidden users', + 'is_hidden' => true + ], + ], + 'group_user' => [ + [ + 'user_id' => 3, + 'group_id' => 99 + ] + ], + ]); + $response = $this->send( + $this->request('GET', '/api/users', [ + 'authenticatedAs' => 1 + ])->withQueryParams(['filter' => ['q' => 'group:99']]) + ); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(99, $responseBodyContents->included[0]->id); + } +} From cdc48b5516df99263a08a1839067f806e7492131 Mon Sep 17 00:00:00 2001 From: Blake Payne Date: Wed, 3 Mar 2021 21:39:23 +0000 Subject: [PATCH 2/6] Update for styleci --- tests/integration/api/users/GroupSearchTest.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/integration/api/users/GroupSearchTest.php b/tests/integration/api/users/GroupSearchTest.php index 6570bd38f0..9e0e4dedbc 100644 --- a/tests/integration/api/users/GroupSearchTest.php +++ b/tests/integration/api/users/GroupSearchTest.php 
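Review bot: `non_admin_cannot_see_hidden_groups` only filters by the hidden group's id (`group:99`); the `name_singular`/`name_plural` branch of the gambit is never exercised for a hidden group, and that is the branch most exposed to an OR-ed name match slipping past the visibility scope. Adding a second request in that test with `->withQueryParams(['filter' => ['q' => 'group:hidden user']])` followed by the same `assertCount(0, $responseBodyContents->data, …)` and `assertObjectNotHasAttribute('included', …)` pair would cover it. The `assertEquals(1, $responseBodyContents->included[0]->id)` checks also depend on `included` being emitted in a particular order, which the tests do not control.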
@@ -1,5 +1,12 @@ assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - } /** From 499e947d912a3ef43dc3bee44b03b652b564ce8f Mon Sep 17 00:00:00 2001 From: Blake Payne Date: Wed, 3 Mar 2021 22:06:42 +0000 Subject: [PATCH 3/6] Updated as requested in code review --- .../integration/api/users/GroupSearchTest.php | 44 ++----------------- 1 file changed, 4 insertions(+), 40 deletions(-) diff --git a/tests/integration/api/users/GroupSearchTest.php b/tests/integration/api/users/GroupSearchTest.php index 9e0e4dedbc..bda03f1049 100644 --- a/tests/integration/api/users/GroupSearchTest.php +++ b/tests/integration/api/users/GroupSearchTest.php @@ -18,7 +18,7 @@ class GroupSearchTest extends TestCase public function setUp(): void { - parent::setUp(); // TODO: Change the autogenerated stub + parent::setUp(); $this->prepareDatabase([ 'users' => [ @@ -46,7 +46,7 @@ public function disallows_group_filter_for_user_without_permission() public function allows_group_filter_for_admin() { $response = $this->send( - $this->request('GET', '/api/users?filter%5Bq%5D=group%3Aadmin', [ + $this->request('GET', '/api/users', [ 'authenticatedAs' => 1, ])->withQueryParams(['filter' => ['q' => 'group:admin']]) ); @@ -75,7 +75,7 @@ public function allows_group_filter_for_user_with_permission() /** * @test */ - public function non_admin_gets_correct_results_group_name_singular() + public function non_admin_gets_correct_results() { $this->prepareDatabase([ 'group_permission' => [ 
@@ -101,18 +101,6 @@ public function non_admin_gets_correct_results_group_name_singular() $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - } - - /** - * @test - */ - public function non_admin_gets_correct_results_group_name_plural() - { - $this->prepareDatabase([ - 'group_permission' => [ - ['permission' => 'viewUserList', 'group_id' => 2], - ], - ]); $response = $this->send( $this->request('GET', '/api/users') @@ -132,18 +120,6 @@ public function non_admin_gets_correct_results_group_name_plural() $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - } - - /** - * @test - */ - public function non_admin_gets_correct_results_group_id() - { - $this->prepareDatabase([ - 'group_permission' => [ - ['permission' => 'viewUserList', 'group_id' => 2], - ], - ]); $response = $this->send( $this->request('GET', '/api/users') @@ -209,7 +185,7 @@ public function non_admin_cannot_see_hidden_groups() /** * @test */ - public function admin_gets_correct_results_group_name_singular() + public function admin_gets_correct_results_group() { $response = $this->send( $this->request('GET', '/api/users', [ @@ -231,13 +207,7 @@ public function admin_gets_correct_results_group_name_singular() $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - } - /** - * @test - */ - public function admin_gets_correct_results_group_name_plural() - { $response = $this->send( $this->request('GET', '/api/users', [ 'authenticatedAs' => 1 
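Review bot: Collapsing the singular, plural and id cases into the single `non_admin_gets_correct_results` method (and the admin cases in `@@ -231,13 +207,7 @@` and `@@ -258,13 +228,7 @@`) means the first failing assertion, say on `group:mod`, aborts the method and hides the result of every later case. A `@dataProvider` yielding the filter value, the expected `data` count and the expected group id keeps each case reported separately while still removing the duplicated setup. The enclosing method starts before this hunk.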
@@ -258,13 +228,7 @@ public function admin_gets_correct_results_group_name_plural() $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - } - /** - * @test - */ - public function admin_gets_correct_results_group_id() - { $response = $this->send( $this->request('GET', '/api/users', [ 'authenticatedAs' => 1 From 556f3e2e8c15a58689f3cf5276691333a6e0d273 Mon Sep 17 00:00:00 2001 From: Blake Payne Date: Wed, 3 Mar 2021 23:08:57 +0000 Subject: [PATCH 4/6] Added tests for multiple groups and refactored out some repeated code --- .../integration/api/users/GroupSearchTest.php | 240 ++++++++++-------- 1 file changed, 136 insertions(+), 104 deletions(-) diff --git a/tests/integration/api/users/GroupSearchTest.php b/tests/integration/api/users/GroupSearchTest.php index bda03f1049..373521c818 100644 --- a/tests/integration/api/users/GroupSearchTest.php +++ b/tests/integration/api/users/GroupSearchTest.php @@ -32,10 +32,7 @@ public function setUp(): void */ public function disallows_group_filter_for_user_without_permission() { - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:admin']]) - ); + $response = $this->createRequest(['admin']); $this->assertEquals(403, $response->getStatusCode()); } @@ -45,11 +42,7 @@ public function disallows_group_filter_for_user_without_permission() */ public function allows_group_filter_for_admin() { - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1, - ])->withQueryParams(['filter' => ['q' => 'group:admin']]) - ); + $response = $this->createRequest(['admin'], 1); $this->assertEquals(200, $response->getStatusCode()); } 
@@ -64,10 +57,7 @@ public function allows_group_filter_for_user_with_permission() ['permission' => 'viewUserList', 'group_id' => 2], ], ]); - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:admin']]) - ); + $response = $this->createRequest(['admin'], 2); $this->assertEquals(200, $response->getStatusCode()); } 
@@ -83,58 +73,40 @@ public function non_admin_gets_correct_results() ], ]); - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:admin']]) - ); + $response = $this->createRequest(['admin'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); $this->assertEquals(1, $responseBodyContents->included[0]->id); - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:mod']]) - ); + $response = $this->createRequest(['mod'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:admins']]) - ); + $response = $this->createRequest(['admins'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); $this->assertEquals(1, $responseBodyContents->included[0]->id); - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:mods']]) - ); + $response = $this->createRequest(['mods'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - $response = $this->send( - 
$this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:1']]) - ); + $response = $this->createRequest(['1'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); $this->assertEquals(1, $responseBodyContents->included[0]->id); - $response = $this->send( - $this->request('GET', '/api/users') - ->withQueryParams(['filter' => ['q' => 'group:4']]) - ); + $response = $this->createRequest(['4'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); 
@@ -147,104 +119,79 @@ public function non_admin_gets_correct_results() public function non_admin_cannot_see_hidden_groups() { $this->prepareDatabase([ - 'users' => [ - [ - 'id' => 3, - 'username' => 'normal2', - 'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure" - 'email' => 'normal2@machine.local', - 'is_email_confirmed' => 1, - ], - ], - 'groups' => [ - [ - 'id' => 99, - 'name_singular' => 'hidden user', - 'name_plural' => 'hidden users', - 'is_hidden' => true - ], - ], - 'group_user' => [ - [ - 'user_id' => 3, - 'group_id' => 99 - ] + 'group_permission' => [ + ['permission' => 'viewUserList', 'group_id' => 2], ], ]); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 2 - ])->withQueryParams(['filter' => ['q' => 'group:99']]) - ); + + $this->createHiddenUser(); + $response = $this->createRequest(['99'], 2); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); } + /** + * @test + */ + public function non_admin_can_select_multiple_groups_but_not_hidden() + { + $this->prepareDatabase([ + 'group_permission' => [ + ['permission' => 'viewUserList', 'group_id' => 2], + ], + ]); + $this->createMultipleUsersAndGroups(); + $response = $this->createRequest(['1', '4', '5', '6', '99'], 2); + $responseBodyContents = json_decode($response->getBody()->getContents()); + $this->assertCount(4, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(4, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + $this->assertEquals(4, $responseBodyContents->included[1]->id); + $this->assertEquals(5, $responseBodyContents->included[2]->id); + $this->assertEquals(6, 
$responseBodyContents->included[3]->id); + } + /** * @test */ public function admin_gets_correct_results_group() { - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:admin']]) - ); + $response = $this->createRequest(['admin'], 1); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); $this->assertEquals(1, $responseBodyContents->included[0]->id); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:mod']]) - ); + $response = $this->createRequest(['mod'], 1); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:admins']]) - ); + $response = $this->createRequest(['admins'], 1); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); $this->assertEquals(1, $responseBodyContents->included[0]->id); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:mods']]) - ); + $response = $this->createRequest(['mods'], 1); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, 
json_encode($responseBodyContents)); $this->assertObjectNotHasAttribute('included', $responseBodyContents, json_encode($responseBodyContents)); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:1']]) - ); + $response = $this->createRequest(['1'], 1); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); $this->assertEquals(1, $responseBodyContents->included[0]->id); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:4']]) - ); + $response = $this->createRequest(['4'], 1); $responseBodyContents = json_decode($response->getBody()->getContents()); $this->assertCount(0, $responseBodyContents->data, json_encode($responseBodyContents)); 
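Review bot: `non_admin_can_select_multiple_groups_but_not_hidden` never calls `createHiddenUser()`, so group 99 does not exist when `createRequest(['1', '4', '5', '6', '99'], 2)` runs and `assertCount(4, …)` only shows that an unknown id matches nothing, not that a hidden group is filtered out by the visibility scope. Add `$this->createHiddenUser();` after `$this->createMultipleUsersAndGroups();` so the assertion exercises the case its name promises. The `included[0]` … `included[3]` id assertions also pin an emission order the test does not control; collecting the ids and comparing them canonically (e.g. `assertEqualsCanonicalizing([1, 4, 5, 6], $ids)`, if the PHPUnit version in use provides it) would be order-proof.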
@@ -255,6 +202,101 @@ public function admin_gets_correct_results_group() * @test */ public function admin_can_see_hidden_groups() + { + $this->createHiddenUser(); + $response = $this->createRequest(['99'], 1); + $responseBodyContents = json_decode($response->getBody()->getContents()); + + $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(99, $responseBodyContents->included[0]->id); + } + + /** + * @test + */ + public function admin_can_select_multiple_groups_and_hidden() + { + $this->createMultipleUsersAndGroups(); + $this->createHiddenUser(); + $response = $this->createRequest(['1', '4', '5', '6', '99'], 1); + $responseBodyContents = json_decode($response->getBody()->getContents()); + $this->assertCount(5, $responseBodyContents->data, json_encode($responseBodyContents)); + $this->assertCount(5, $responseBodyContents->included, json_encode($responseBodyContents)); + $this->assertEquals(1, $responseBodyContents->included[0]->id); + $this->assertEquals(99, $responseBodyContents->included[1]->id); + $this->assertEquals(4, $responseBodyContents->included[2]->id); + $this->assertEquals(5, $responseBodyContents->included[3]->id); + $this->assertEquals(6, $responseBodyContents->included[4]->id); + } + + private function createRequest(array $group, int $userId = null) + { + $auth = $userId ? ['authenticatedAs' => $userId] : []; + return $this->send( + $this->request('GET', '/api/users', $auth) + ->withQueryParams(['filter' => ['q' => 'group:' . 
implode(',', $group)]]) + ); + } + + private function createMultipleUsersAndGroups() + { + $this->prepareDatabase([ + 'users' => [ + [ + 'id' => 4, + 'username' => 'normal4', + 'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure" + 'email' => 'normal4@machine.local', + 'is_email_confirmed' => 1, + ], + [ + 'id' => 5, + 'username' => 'normal5', + 'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure" + 'email' => 'normal5@machine.local', + 'is_email_confirmed' => 1, + ], + [ + 'id' => 6, + 'username' => 'normal6', + 'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure" + 'email' => 'normal6@machine.local', + 'is_email_confirmed' => 1, + ], + ], + 'groups' => [ + [ + 'id' => 5, + 'name_singular' => 'test1 user', + 'name_plural' => 'test1 users', + 'is_hidden' => false + ], + [ + 'id' => 6, + 'name_singular' => 'test2 user', + 'name_plural' => 'test2 users', + 'is_hidden' => false + ] + ], + 'group_user' => [ + [ + 'user_id' => 4, + 'group_id' => 4 + ], + [ + 'user_id' => 5, + 'group_id' => 5 + ], + [ + 'user_id' => 6, + 'group_id' => 6 + ], + ], + ]); + } + + private function createHiddenUser() { $this->prepareDatabase([ 'users' => [ @@ -281,15 +323,5 @@ public function admin_can_see_hidden_groups() ] ], ]); - $response = $this->send( - $this->request('GET', '/api/users', [ - 'authenticatedAs' => 1 - ])->withQueryParams(['filter' => ['q' => 'group:99']]) - ); - $responseBodyContents = json_decode($response->getBody()->getContents()); - - $this->assertCount(1, $responseBodyContents->data, json_encode($responseBodyContents)); - $this->assertCount(1, $responseBodyContents->included, json_encode($responseBodyContents)); - $this->assertEquals(99, $responseBodyContents->included[0]->id); } } From 96849fa06040006fd914bc055bf02e7bf10ec386 Mon Sep 17 00:00:00 2001 
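Review bot: `createRequest(array $group, int $userId = null)` relies on implicit nullability (`int $userId = null`), which newer PHP deprecates; declare it as `?int $userId = null` and add the return type matching what `$this->send()` returns. Since the helper performs the request rather than only building it, a name such as `sendGroupFilterRequest` would describe it better. In `admin_can_select_multiple_groups_and_hidden` the `included[1]` … `included[4]` assertions pin the order `1, 99, 4, 5, 6`, which looks like insertion order rather than something the test controls; comparing the collected ids canonically would make the test robust to ordering changes.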
From: Blake Payne Date: Wed, 3 Mar 2021 23:10:27 +0000 Subject: [PATCH 5/6] update for styleci --- tests/integration/api/users/GroupSearchTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/api/users/GroupSearchTest.php b/tests/integration/api/users/GroupSearchTest.php index 373521c818..9759fb0d68 100644 --- a/tests/integration/api/users/GroupSearchTest.php +++ b/tests/integration/api/users/GroupSearchTest.php @@ -235,7 +235,7 @@ private function createRequest(array $group, int $userId = null) $auth = $userId ? ['authenticatedAs' => $userId] : []; return $this->send( $this->request('GET', '/api/users', $auth) - ->withQueryParams(['filter' => ['q' => 'group:' . implode(',', $group)]]) + ->withQueryParams(['filter' => ['q' => 'group:'.implode(',', $group)]]) ); } From b97d064c4d7a1b36ab172d427634cff468a97c4a Mon Sep 17 00:00:00 2001 From: Blake Payne Date: Wed, 3 Mar 2021 23:11:03 +0000 Subject: [PATCH 6/6] update for styleci --- tests/integration/api/users/GroupSearchTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/integration/api/users/GroupSearchTest.php b/tests/integration/api/users/GroupSearchTest.php index 9759fb0d68..bc6accda55 100644 --- a/tests/integration/api/users/GroupSearchTest.php +++ b/tests/integration/api/users/GroupSearchTest.php @@ -233,6 +233,7 @@ public function admin_can_select_multiple_groups_and_hidden() private function createRequest(array $group, int $userId = null) { $auth = $userId ? ['authenticatedAs' => $userId] : []; + return $this->send( $this->request('GET', '/api/users', $auth) ->withQueryParams(['filter' => ['q' => 'group:'.implode(',', $group)]])