diff options
| author | Jérémy Benoist <j0k3r@users.noreply.github.com> | 2019-01-03 09:14:26 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-01-03 09:14:26 +0100 |
| commit | 2378fd6347dd1a824c8e1f4f7c3892c6eccddc85 (patch) | |
| tree | cd039dc92f7a7a0dde5c6ca7484b8a9eefc359ca /tests/Wallabag | |
| parent | 4d0c632c70ea50d459c3c55ddda2e0f394dd51cb (diff) | |
| parent | 6c40d7fc85b98e335adf765d1c6b4465647da62c (diff) | |
| download | wallabag-2378fd6347dd1a824c8e1f4f7c3892c6eccddc85.tar.gz wallabag-2378fd6347dd1a824c8e1f4f7c3892c6eccddc85.tar.zst wallabag-2378fd6347dd1a824c8e1f4f7c3892c6eccddc85.zip | |
Merge pull request #3823 from wallabag/fix-tag-api-leak
Fix tag API leak
Diffstat (limited to 'tests/Wallabag')
| -rw-r--r-- | tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php | 46 |
1 files changed, 44 insertions, 2 deletions
diff --git a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php index 430e548d..9daa94cd 100644 --- a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php | |||
| @@ -7,6 +7,8 @@ use Wallabag\CoreBundle\Entity\Tag; | |||
| 7 | 7 | ||
| 8 | class TagRestControllerTest extends WallabagApiTestCase | 8 | class TagRestControllerTest extends WallabagApiTestCase |
| 9 | { | 9 | { |
| 10 | private $otherUserTagLabel = 'bob'; | ||
| 11 | |||
| 10 | public function testGetUserTags() | 12 | public function testGetUserTags() |
| 11 | { | 13 | { |
| 12 | $this->client->request('GET', '/api/tags.json'); | 14 | $this->client->request('GET', '/api/tags.json'); |
| @@ -19,17 +21,33 @@ class TagRestControllerTest extends WallabagApiTestCase | |||
| 19 | $this->assertArrayHasKey('id', $content[0]); | 21 | $this->assertArrayHasKey('id', $content[0]); |
| 20 | $this->assertArrayHasKey('label', $content[0]); | 22 | $this->assertArrayHasKey('label', $content[0]); |
| 21 | 23 | ||
| 24 | $tagLabels = array_map(function ($i) { | ||
| 25 | return $i['label']; | ||
| 26 | }, $content); | ||
| 27 | |||
| 28 | $this->assertNotContains($this->otherUserTagLabel, $tagLabels, 'There is a possible tag leak'); | ||
| 29 | |||
| 22 | return end($content); | 30 | return end($content); |
| 23 | } | 31 | } |
| 24 | 32 | ||
| 25 | public function testDeleteUserTag() | 33 | public function testDeleteUserTag() |
| 26 | { | 34 | { |
| 35 | $em = $this->client->getContainer()->get('doctrine.orm.entity_manager'); | ||
| 36 | $entry = $this->client->getContainer() | ||
| 37 | ->get('doctrine.orm.entity_manager') | ||
| 38 | ->getRepository('WallabagCoreBundle:Entry') | ||
| 39 | ->findOneWithTags($this->user->getId()); | ||
| 40 | |||
| 41 | $entry = $entry[0]; | ||
| 42 | |||
| 27 | $tagLabel = 'tagtest'; | 43 | $tagLabel = 'tagtest'; |
| 28 | $tag = new Tag(); | 44 | $tag = new Tag(); |
| 29 | $tag->setLabel($tagLabel); | 45 | $tag->setLabel($tagLabel); |
| 30 | |||
| 31 | $em = $this->client->getContainer()->get('doctrine.orm.entity_manager'); | ||
| 32 | $em->persist($tag); | 46 | $em->persist($tag); |
| 47 | |||
| 48 | $entry->addTag($tag); | ||
| 49 | |||
| 50 | $em->persist($entry); | ||
| 33 | $em->flush(); | 51 | $em->flush(); |
| 34 | $em->clear(); | 52 | $em->clear(); |
| 35 | 53 | ||
| @@ -53,6 +71,16 @@ class TagRestControllerTest extends WallabagApiTestCase | |||
| 53 | $this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag'); | 71 | $this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag'); |
| 54 | } | 72 | } |
| 55 | 73 | ||
| 74 | public function testDeleteOtherUserTag() | ||
| 75 | { | ||
| 76 | $em = $this->client->getContainer()->get('doctrine.orm.entity_manager'); | ||
| 77 | $tag = $em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel); | ||
| 78 | |||
| 79 | $this->client->request('DELETE', '/api/tags/' . $tag->getId() . '.json'); | ||
| 80 | |||
| 81 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); | ||
| 82 | } | ||
| 83 | |||
| 56 | public function dataForDeletingTagByLabel() | 84 | public function dataForDeletingTagByLabel() |
| 57 | { | 85 | { |
| 58 | return [ | 86 | return [ |
| @@ -112,6 +140,13 @@ class TagRestControllerTest extends WallabagApiTestCase | |||
| 112 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); | 140 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); |
| 113 | } | 141 | } |
| 114 | 142 | ||
| 143 | public function testDeleteTagByLabelOtherUser() | ||
| 144 | { | ||
| 145 | $this->client->request('DELETE', '/api/tag/label.json', ['tag' => $this->otherUserTagLabel]); | ||
| 146 | |||
| 147 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); | ||
| 148 | } | ||
| 149 | |||
| 115 | /** | 150 | /** |
| 116 | * @dataProvider dataForDeletingTagByLabel | 151 | * @dataProvider dataForDeletingTagByLabel |
| 117 | */ | 152 | */ |
| @@ -180,4 +215,11 @@ class TagRestControllerTest extends WallabagApiTestCase | |||
| 180 | 215 | ||
| 181 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); | 216 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); |
| 182 | } | 217 | } |
| 218 | |||
| 219 | public function testDeleteTagsByLabelOtherUser() | ||
| 220 | { | ||
| 221 | $this->client->request('DELETE', '/api/tags/label.json', ['tags' => $this->otherUserTagLabel]); | ||
| 222 | |||
| 223 | $this->assertSame(404, $this->client->getResponse()->getStatusCode()); | ||
| 224 | } | ||
| 183 | } | 225 | } |