TagRestController: add tests to ensure that other user's tags are unreachable

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
author: Kevin Decherf <kevin@kdecherf.com> 2018-12-29 19:43:07 +0100
committer: Kevin Decherf <kevin@kdecherf.com> 2018-12-30 01:34:49 +0100
commit: 0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0 (patch)
tree: 55890da9a068a0cfbc8821de1d98433e8895a652
parent: 6708bf238de46d7ce861e3c0eeb6a9b4623931ed (diff)
download: wallabag-0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0.tar.gz
wallabag-0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0.tar.zst
wallabag-0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0.zip
1 files changed, 32 insertions, 0 deletions
diff --git a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
index 430e548d..8f1e6f02 100644
--- a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
+++ b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
@@ -7,6 +7,8 @@ use Wallabag\CoreBundle\Entity\Tag;
 class TagRestControllerTest extends WallabagApiTestCase
 {
+    private $otherUserTagLabel = 'bob';
    public function testGetUserTags()
    {
        $this->client->request('GET', '/api/tags.json');
@@ -19,6 +21,12 @@ class TagRestControllerTest extends WallabagApiTestCase
        $this->assertArrayHasKey('id', $content[0]);
        $this->assertArrayHasKey('label', $content[0]);
+        $tagLabels = array_map(function ($i) {
+            return $i['label'];
+        }, $content);
+        $this->assertNotContains($this->otherUserTagLabel, $tagLabels, 'There is a possible tag leak');
        return end($content);
    }
@@ -53,6 +61,16 @@ class TagRestControllerTest extends WallabagApiTestCase
        $this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag');
    }
+    public function testDeleteOtherUserTag()
+    {
+        $em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
+        $tag = $em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel);
+        $this->client->request('DELETE', '/api/tags/' . $tag->getId() . '.json');
+        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+    }
    public function dataForDeletingTagByLabel()
    {
        return [
@@ -112,6 +130,13 @@ class TagRestControllerTest extends WallabagApiTestCase
        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
    }
+    public function testDeleteTagByLabelOtherUser()
+    {
+        $this->client->request('DELETE', '/api/tag/label.json', ['tag' => $this->otherUserTagLabel]);
+        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+    }
    /**
     * @dataProvider dataForDeletingTagByLabel
     */
@@ -180,4 +205,11 @@ class TagRestControllerTest extends WallabagApiTestCase
        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
    }
+    public function testDeleteTagsByLabelOtherUser()
+    {
+        $this->client->request('DELETE', '/api/tags/label.json', ['tags' => $this->otherUserTagLabel]);
+        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+    }
 }
author	Kevin Decherf <kevin@kdecherf.com>	2018-12-29 19:43:07 +0100
committer	Kevin Decherf <kevin@kdecherf.com>	2018-12-30 01:34:49 +0100
commit	0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0 (patch)
tree	55890da9a068a0cfbc8821de1d98433e8895a652
parent	6708bf238de46d7ce861e3c0eeb6a9b4623931ed (diff)
download	wallabag-0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0.tar.gz wallabag-0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0.tar.zst wallabag-0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0.zip

diff --git a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php index 430e548d..8f1e6f02 100644 --- a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
@@ -7,6 +7,8 @@ use Wallabag\CoreBundle\Entity\Tag;
7		7
8	class TagRestControllerTest extends WallabagApiTestCase	8	class TagRestControllerTest extends WallabagApiTestCase
9	{	9	{
		10	private $otherUserTagLabel = 'bob';
		11
10	public function testGetUserTags()	12	public function testGetUserTags()
11	{	13	{
12	$this->client->request('GET', '/api/tags.json');	14	$this->client->request('GET', '/api/tags.json');
@@ -19,6 +21,12 @@ class TagRestControllerTest extends WallabagApiTestCase
19	$this->assertArrayHasKey('id', $content[0]);	21	$this->assertArrayHasKey('id', $content[0]);
20	$this->assertArrayHasKey('label', $content[0]);	22	$this->assertArrayHasKey('label', $content[0]);
21		23
		24	$tagLabels = array_map(function ($i) {
		25	return $i['label'];
		26	}, $content);
		27
		28	$this->assertNotContains($this->otherUserTagLabel, $tagLabels, 'There is a possible tag leak');
		29
22	return end($content);	30	return end($content);
23	}	31	}
24		32
@@ -53,6 +61,16 @@ class TagRestControllerTest extends WallabagApiTestCase
53	$this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag');	61	$this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag');
54	}	62	}
55		63
		64	public function testDeleteOtherUserTag()
		65	{
		66	$em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
		67	$tag = $em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel);
		68
		69	$this->client->request('DELETE', '/api/tags/' . $tag->getId() . '.json');
		70
		71	$this->assertSame(404, $this->client->getResponse()->getStatusCode());
		72	}
		73
56	public function dataForDeletingTagByLabel()	74	public function dataForDeletingTagByLabel()
57	{	75	{
58	return [	76	return [
@@ -112,6 +130,13 @@ class TagRestControllerTest extends WallabagApiTestCase
112	$this->assertSame(404, $this->client->getResponse()->getStatusCode());	130	$this->assertSame(404, $this->client->getResponse()->getStatusCode());
113	}	131	}
114		132
		133	public function testDeleteTagByLabelOtherUser()
		134	{
		135	$this->client->request('DELETE', '/api/tag/label.json', ['tag' => $this->otherUserTagLabel]);
		136
		137	$this->assertSame(404, $this->client->getResponse()->getStatusCode());
		138	}
		139
115	/**	140	/**
116	* @dataProvider dataForDeletingTagByLabel	141	* @dataProvider dataForDeletingTagByLabel
117	*/	142	*/
@@ -180,4 +205,11 @@ class TagRestControllerTest extends WallabagApiTestCase
180		205
181	$this->assertSame(404, $this->client->getResponse()->getStatusCode());	206	$this->assertSame(404, $this->client->getResponse()->getStatusCode());
182	}	207	}
		208
		209	public function testDeleteTagsByLabelOtherUser()
		210	{
		211	$this->client->request('DELETE', '/api/tags/label.json', ['tags' => $this->otherUserTagLabel]);
		212
		213	$this->assertSame(404, $this->client->getResponse()->getStatusCode());
		214	}
183	}	215	}