From 426bb453d295900fb3e35dce2f9081a42639cf27 Mon Sep 17 00:00:00 2001 From: Jeremy Benoist Date: Fri, 2 Jun 2017 10:19:33 +0200 Subject: API user creation behing a toggle I've added a toggle feature (in internal settings) so that user api creation can be disabled while form registration still can be enabled. Also, the /api/user endpoint shouldn't require authentication. Even if we check the authentication when sending a GET request, to retrieve current user information. I've moved all the internal settings definition to config to avoid duplicated place to define them. I don't know why we didn't did that earlier. --- app/DoctrineMigrations/Version20170602075214.php | 52 ++++++ app/config/config.yml | 129 +++++++++++++++ app/config/security.yml | 1 + .../ApiBundle/Controller/UserRestController.php | 6 +- src/Wallabag/CoreBundle/Command/InstallCommand.php | 160 +------------------ .../DataFixtures/ORM/LoadSettingData.php | 174 ++------------------- .../DependencyInjection/Configuration.php | 11 ++ .../DependencyInjection/WallabagCoreExtension.php | 1 + .../Controller/UserRestControllerTest.php | 96 ++++++++++-- .../Controller/WallabagRestControllerTest.php | 10 +- 10 files changed, 297 insertions(+), 343 deletions(-) create mode 100644 app/DoctrineMigrations/Version20170602075214.php diff --git a/app/DoctrineMigrations/Version20170602075214.php b/app/DoctrineMigrations/Version20170602075214.php new file mode 100644 index 00000000..451d16ba --- /dev/null +++ b/app/DoctrineMigrations/Version20170602075214.php @@ -0,0 +1,52 @@ +container = $container; + } + + private function getTable($tableName) + { + return $this->container->getParameter('database_table_prefix').$tableName; + } + + /** + * @param Schema $schema + */ + public function up(Schema $schema) + { + $apiUserRegistration = $this->container + ->get('doctrine.orm.default_entity_manager') + ->getConnection() + ->fetchArray('SELECT * FROM '.$this->getTable('craue_config_setting')." WHERE name = 'api_user_registration'"); + + $this->skipIf(false !== $apiUserRegistration, 'It seems that you already played this migration.'); + + $this->addSql('INSERT INTO '.$this->getTable('craue_config_setting')." (name, value, section) VALUES ('api_user_registration', '0', 'api')"); + } + + /** + * @param Schema $schema + */ + public function down(Schema $schema) + { + $this->addSql('DELETE FROM '.$this->getTable('craue_config_setting')." WHERE name = 'api_user_registration';"); + } +} diff --git a/app/config/config.yml b/app/config/config.yml index 04f8547d..b0d330ab 100644 --- a/app/config/config.yml +++ b/app/config/config.yml @@ -62,6 +62,135 @@ wallabag_core: fetching_error_message: | wallabag can't retrieve contents for this article. Please troubleshoot this issue. api_limit_mass_actions: 10 + default_internal_settings: + - + name: share_public + value: 1 + section: entry + - + name: carrot + value: 1 + section: entry + - + name: share_diaspora + value: 1 + section: entry + - + name: diaspora_url + value: http://diasporapod.com + section: entry + - + name: share_unmark + value: 1 + section: entry + - + name: unmark_url + value: https://unmark.it + section: entry + - + name: share_shaarli + value: 1 + section: entry + - + name: share_scuttle + value: 1 + section: entry + - + name: shaarli_url + value: http://myshaarli.com + section: entry + - + name: scuttle_url + value: http://scuttle.org + section: entry + - + name: share_mail + value: 1 + section: entry + - + name: share_twitter + value: 1 + section: entry + - + name: show_printlink + value: 1 + section: entry + - + name: restricted_access + value: 0 + section: entry + - + name: export_epub + value: 1 + section: export + - + name: export_mobi + value: 1 + section: export + - + name: export_pdf + value: 1 + section: export + - + name: export_csv + value: 1 + section: export + - + name: export_json + value: 1 + section: export + - + name: export_txt + value: 1 + section: export + - + name: export_xml + value: 1 + section: export + - + name: import_with_redis + value: 0 + section: import + - + name: import_with_rabbitmq + value: 0 + section: import + - + name: piwik_enabled + value: 0 + section: analytics + - + name: piwik_host + value: v2.wallabag.org + section: analytics + - + name: piwik_site_id + value: 1 + section: analytics + - + name: demo_mode_enabled + value: 0 + section: misc + - + name: demo_mode_username + value: wallabag + section: misc + - + name: download_images_enabled + value: 0 + section: misc + - + name: wallabag_support_url + value: https://www.wallabag.org/pages/support.html + section: misc + - + name: wallabag_url + value: http://v2.wallabag.org + section: misc + - + name: api_user_registration + value: 0 + section: api wallabag_user: registration_enabled: "%fosuser_registration%" diff --git a/app/config/security.yml b/app/config/security.yml index efb00a53..ffb1d356 100644 --- a/app/config/security.yml +++ b/app/config/security.yml @@ -56,6 +56,7 @@ security: access_control: - { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/api/version, roles: IS_AUTHENTICATED_ANONYMOUSLY } + - { path: ^/api/user, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } diff --git a/src/Wallabag/ApiBundle/Controller/UserRestController.php b/src/Wallabag/ApiBundle/Controller/UserRestController.php index a1b78e3f..1fc67d00 100644 --- a/src/Wallabag/ApiBundle/Controller/UserRestController.php +++ b/src/Wallabag/ApiBundle/Controller/UserRestController.php @@ -43,7 +43,7 @@ class UserRestController extends WallabagRestController */ public function putUserAction(Request $request) { - if (!$this->container->getParameter('fosuser_registration')) { + if (!$this->getParameter('fosuser_registration') || !$this->get('craue_config')->get('api_user_registration')) { $json = $this->get('serializer')->serialize(['error' => "Server doesn't allow registrations"], 'json'); return (new JsonResponse())->setJson($json)->setStatusCode(403); @@ -51,8 +51,8 @@ class UserRestController extends WallabagRestController $userManager = $this->get('fos_user.user_manager'); $user = $userManager->createUser(); - // enable created user by default - $user->setEnabled(true); + // user will be disabled BY DEFAULT to avoid spamming account to be created + $user->setEnabled(false); $form = $this->createForm('Wallabag\UserBundle\Form\NewUserType', $user, [ 'csrf_protection' => false, diff --git a/src/Wallabag/CoreBundle/Command/InstallCommand.php b/src/Wallabag/CoreBundle/Command/InstallCommand.php index d9608246..0f119377 100644 --- a/src/Wallabag/CoreBundle/Command/InstallCommand.php +++ b/src/Wallabag/CoreBundle/Command/InstallCommand.php @@ -292,165 +292,7 @@ class InstallCommand extends ContainerAwareCommand // cleanup before insert new stuff $em->createQuery('DELETE FROM CraueConfigBundle:Setting')->execute(); - $settings = [ - [ - 'name' => 'share_public', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'carrot', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'share_diaspora', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'diaspora_url', - 'value' => 'http://diasporapod.com', - 'section' => 'entry', - ], - [ - 'name' => 'share_unmark', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'unmark_url', - 'value' => 'https://unmark.it', - 'section' => 'entry', - ], - [ - 'name' => 'share_shaarli', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'shaarli_url', - 'value' => 'http://myshaarli.com', - 'section' => 'entry', - ], - [ - 'name' => 'share_scuttle', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'scuttle_url', - 'value' => 'http://scuttle.org', - 'section' => 'entry', - ], - [ - 'name' => 'share_mail', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'share_twitter', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'export_epub', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_mobi', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_pdf', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_csv', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_json', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_txt', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_xml', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'import_with_redis', - 'value' => '0', - 'section' => 'import', - ], - [ - 'name' => 'import_with_rabbitmq', - 'value' => '0', - 'section' => 'import', - ], - [ - 'name' => 'show_printlink', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'wallabag_support_url', - 'value' => 'https://www.wallabag.org/pages/support.html', - 'section' => 'misc', - ], - [ - 'name' => 'wallabag_url', - 'value' => '', - 'section' => 'misc', - ], - [ - 'name' => 'piwik_enabled', - 'value' => '0', - 'section' => 'analytics', - ], - [ - 'name' => 'piwik_host', - 'value' => 'v2.wallabag.org', - 'section' => 'analytics', - ], - [ - 'name' => 'piwik_site_id', - 'value' => '1', - 'section' => 'analytics', - ], - [ - 'name' => 'demo_mode_enabled', - 'value' => '0', - 'section' => 'misc', - ], - [ - 'name' => 'demo_mode_username', - 'value' => 'wallabag', - 'section' => 'misc', - ], - [ - 'name' => 'download_images_enabled', - 'value' => '0', - 'section' => 'misc', - ], - [ - 'name' => 'restricted_access', - 'value' => '0', - 'section' => 'entry', - ], - ]; - - foreach ($settings as $setting) { + foreach ($this->getContainer()->getParameter('wallabag_core.default_internal_settings') as $setting) { $newSetting = new Setting(); $newSetting->setName($setting['name']); $newSetting->setValue($setting['value']); diff --git a/src/Wallabag/CoreBundle/DataFixtures/ORM/LoadSettingData.php b/src/Wallabag/CoreBundle/DataFixtures/ORM/LoadSettingData.php index aaeb9ee9..a52288e6 100644 --- a/src/Wallabag/CoreBundle/DataFixtures/ORM/LoadSettingData.php +++ b/src/Wallabag/CoreBundle/DataFixtures/ORM/LoadSettingData.php @@ -6,173 +6,27 @@ use Doctrine\Common\DataFixtures\AbstractFixture; use Doctrine\Common\DataFixtures\OrderedFixtureInterface; use Doctrine\Common\Persistence\ObjectManager; use Craue\ConfigBundle\Entity\Setting; +use Symfony\Component\DependencyInjection\ContainerAwareInterface; +use Symfony\Component\DependencyInjection\ContainerInterface; -class LoadSettingData extends AbstractFixture implements OrderedFixtureInterface +class LoadSettingData extends AbstractFixture implements OrderedFixtureInterface, ContainerAwareInterface { + /** + * @var ContainerInterface + */ + private $container; + + public function setContainer(ContainerInterface $container = null) + { + $this->container = $container; + } + /** * {@inheritdoc} */ public function load(ObjectManager $manager) { - $settings = [ - [ - 'name' => 'share_public', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'carrot', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'share_diaspora', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'diaspora_url', - 'value' => 'http://diasporapod.com', - 'section' => 'entry', - ], - [ - 'name' => 'share_unmark', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'unmark_url', - 'value' => 'https://unmark.it', - 'section' => 'entry', - ], - [ - 'name' => 'share_shaarli', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'share_scuttle', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'shaarli_url', - 'value' => 'http://myshaarli.com', - 'section' => 'entry', - ], - [ - 'name' => 'scuttle_url', - 'value' => 'http://scuttle.org', - 'section' => 'entry', - ], - [ - 'name' => 'share_mail', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'share_twitter', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'export_epub', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_mobi', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_pdf', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_csv', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_json', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_txt', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'export_xml', - 'value' => '1', - 'section' => 'export', - ], - [ - 'name' => 'import_with_redis', - 'value' => '0', - 'section' => 'import', - ], - [ - 'name' => 'import_with_rabbitmq', - 'value' => '0', - 'section' => 'import', - ], - [ - 'name' => 'show_printlink', - 'value' => '1', - 'section' => 'entry', - ], - [ - 'name' => 'wallabag_support_url', - 'value' => 'https://www.wallabag.org/pages/support.html', - 'section' => 'misc', - ], - [ - 'name' => 'wallabag_url', - 'value' => 'http://v2.wallabag.org', - 'section' => 'misc', - ], - [ - 'name' => 'piwik_enabled', - 'value' => '0', - 'section' => 'analytics', - ], - [ - 'name' => 'piwik_host', - 'value' => 'v2.wallabag.org', - 'section' => 'analytics', - ], - [ - 'name' => 'piwik_site_id', - 'value' => '1', - 'section' => 'analytics', - ], - [ - 'name' => 'demo_mode_enabled', - 'value' => '0', - 'section' => 'misc', - ], - [ - 'name' => 'demo_mode_username', - 'value' => 'wallabag', - 'section' => 'misc', - ], - [ - 'name' => 'download_images_enabled', - 'value' => '0', - 'section' => 'misc', - ], - [ - 'name' => 'restricted_access', - 'value' => '0', - 'section' => 'entry', - ], - ]; - - foreach ($settings as $setting) { + foreach ($this->container->getParameter('wallabag_core.default_internal_settings') as $setting) { $newSetting = new Setting(); $newSetting->setName($setting['name']); $newSetting->setValue($setting['value']); diff --git a/src/Wallabag/CoreBundle/DependencyInjection/Configuration.php b/src/Wallabag/CoreBundle/DependencyInjection/Configuration.php index 8b5b5744..33df92d3 100644 --- a/src/Wallabag/CoreBundle/DependencyInjection/Configuration.php +++ b/src/Wallabag/CoreBundle/DependencyInjection/Configuration.php @@ -52,6 +52,17 @@ class Configuration implements ConfigurationInterface ->scalarNode('api_limit_mass_actions') ->defaultValue(10) ->end() + ->arrayNode('default_internal_settings') + ->prototype('array') + ->children() + ->scalarNode('name')->end() + ->scalarNode('value')->end() + ->enumNode('section') + ->values(['entry', 'misc', 'api', 'analytics', 'export', 'import']) + ->end() + ->end() + ->end() + ->end() ->end() ; diff --git a/src/Wallabag/CoreBundle/DependencyInjection/WallabagCoreExtension.php b/src/Wallabag/CoreBundle/DependencyInjection/WallabagCoreExtension.php index a2a703cb..b4d8a386 100644 --- a/src/Wallabag/CoreBundle/DependencyInjection/WallabagCoreExtension.php +++ b/src/Wallabag/CoreBundle/DependencyInjection/WallabagCoreExtension.php @@ -28,6 +28,7 @@ class WallabagCoreExtension extends Extension $container->setParameter('wallabag_core.fetching_error_message', $config['fetching_error_message']); $container->setParameter('wallabag_core.fetching_error_message_title', $config['fetching_error_message_title']); $container->setParameter('wallabag_core.api_limit_mass_actions', $config['api_limit_mass_actions']); + $container->setParameter('wallabag_core.default_internal_settings', $config['default_internal_settings']); $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config')); $loader->load('services.yml'); diff --git a/tests/Wallabag/ApiBundle/Controller/UserRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/UserRestControllerTest.php index 3f4969a5..c1095da8 100644 --- a/tests/Wallabag/ApiBundle/Controller/UserRestControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/UserRestControllerTest.php @@ -27,8 +27,25 @@ class UserRestControllerTest extends WallabagApiTestCase $this->assertEquals('application/json', $this->client->getResponse()->headers->get('Content-Type')); } + public function testGetUserWithoutAuthentication() + { + $client = static::createClient(); + $client->request('GET', '/api/user.json'); + $this->assertEquals(401, $client->getResponse()->getStatusCode()); + + $content = json_decode($client->getResponse()->getContent(), true); + + $this->assertArrayHasKey('error', $content); + $this->assertArrayHasKey('error_description', $content); + + $this->assertEquals('access_denied', $content['error']); + + $this->assertEquals('application/json', $client->getResponse()->headers->get('Content-Type')); + } + public function testCreateNewUser() { + $this->client->getContainer()->get('craue_config')->set('api_user_registration', 1); $this->client->request('PUT', '/api/user.json', [ 'username' => 'google', 'password' => 'googlegoogle', @@ -50,30 +67,51 @@ class UserRestControllerTest extends WallabagApiTestCase $this->assertEquals('application/json', $this->client->getResponse()->headers->get('Content-Type')); - // remove the created user to avoid side effect on other tests - // @todo remove these lines when test will be isolated - $em = $this->client->getContainer()->get('doctrine.orm.entity_manager'); + $this->client->getContainer()->get('craue_config')->set('api_user_registration', 0); + } + + public function testCreateNewUserWithoutAuthentication() + { + // create a new client instead of using $this->client to be sure client isn't authenticated + $client = static::createClient(); + $client->getContainer()->get('craue_config')->set('api_user_registration', 1); + $client->request('PUT', '/api/user.json', [ + 'username' => 'google', + 'password' => 'googlegoogle', + 'email' => 'wallabag@google.com', + ]); + + $this->assertEquals(200, $client->getResponse()->getStatusCode()); + + $content = json_decode($client->getResponse()->getContent(), true); + + $this->assertArrayHasKey('id', $content); + $this->assertArrayHasKey('email', $content); + $this->assertArrayHasKey('username', $content); + $this->assertArrayHasKey('created_at', $content); + $this->assertArrayHasKey('updated_at', $content); + + $this->assertEquals('wallabag@google.com', $content['email']); + $this->assertEquals('google', $content['username']); - $query = $em->createQuery('DELETE FROM Wallabag\CoreBundle\Entity\Config c WHERE c.user = :user_id'); - $query->setParameter('user_id', $content['id']); - $query->execute(); + $this->assertEquals('application/json', $client->getResponse()->headers->get('Content-Type')); - $query = $em->createQuery('DELETE FROM Wallabag\UserBundle\Entity\User u WHERE u.id = :id'); - $query->setParameter('id', $content['id']); - $query->execute(); + $client->getContainer()->get('craue_config')->set('api_user_registration', 0); } public function testCreateNewUserWithExistingEmail() { - $this->client->request('PUT', '/api/user.json', [ + $client = static::createClient(); + $client->getContainer()->get('craue_config')->set('api_user_registration', 1); + $client->request('PUT', '/api/user.json', [ 'username' => 'admin', 'password' => 'googlegoogle', 'email' => 'bigboss@wallabag.org', ]); - $this->assertEquals(400, $this->client->getResponse()->getStatusCode()); + $this->assertEquals(400, $client->getResponse()->getStatusCode()); - $content = json_decode($this->client->getResponse()->getContent(), true); + $content = json_decode($client->getResponse()->getContent(), true); $this->assertArrayHasKey('error', $content); $this->assertArrayHasKey('username', $content['error']); @@ -85,26 +123,50 @@ class UserRestControllerTest extends WallabagApiTestCase $this->assertEquals('This value is already used.', $content['error']['username'][0]); $this->assertEquals('This value is already used.', $content['error']['email'][0]); - $this->assertEquals('application/json', $this->client->getResponse()->headers->get('Content-Type')); + $this->assertEquals('application/json', $client->getResponse()->headers->get('Content-Type')); + + $client->getContainer()->get('craue_config')->set('api_user_registration', 0); } public function testCreateNewUserWithTooShortPassword() { - $this->client->request('PUT', '/api/user.json', [ + $client = static::createClient(); + $client->getContainer()->get('craue_config')->set('api_user_registration', 1); + $client->request('PUT', '/api/user.json', [ 'username' => 'facebook', 'password' => 'face', 'email' => 'facebook@wallabag.org', ]); - $this->assertEquals(400, $this->client->getResponse()->getStatusCode()); + $this->assertEquals(400, $client->getResponse()->getStatusCode()); - $content = json_decode($this->client->getResponse()->getContent(), true); + $content = json_decode($client->getResponse()->getContent(), true); $this->assertArrayHasKey('error', $content); $this->assertArrayHasKey('password', $content['error']); $this->assertEquals('validator.password_too_short', $content['error']['password'][0]); - $this->assertEquals('application/json', $this->client->getResponse()->headers->get('Content-Type')); + $this->assertEquals('application/json', $client->getResponse()->headers->get('Content-Type')); + + $client->getContainer()->get('craue_config')->set('api_user_registration', 0); + } + + public function testCreateNewUserWhenRegistrationIsDisabled() + { + $client = static::createClient(); + $client->request('PUT', '/api/user.json', [ + 'username' => 'facebook', + 'password' => 'face', + 'email' => 'facebook@wallabag.org', + ]); + + $this->assertEquals(403, $client->getResponse()->getStatusCode()); + + $content = json_decode($client->getResponse()->getContent(), true); + + $this->assertArrayHasKey('error', $content); + + $this->assertEquals('application/json', $client->getResponse()->headers->get('Content-Type')); } } diff --git a/tests/Wallabag/ApiBundle/Controller/WallabagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/WallabagRestControllerTest.php index c87e58de..df638e8f 100644 --- a/tests/Wallabag/ApiBundle/Controller/WallabagRestControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/WallabagRestControllerTest.php @@ -8,12 +8,14 @@ class WallabagRestControllerTest extends WallabagApiTestCase { public function testGetVersion() { - $this->client->request('GET', '/api/version'); + // create a new client instead of using $this->client to be sure client isn't authenticated + $client = static::createClient(); + $client->request('GET', '/api/version'); - $this->assertEquals(200, $this->client->getResponse()->getStatusCode()); + $this->assertEquals(200, $client->getResponse()->getStatusCode()); - $content = json_decode($this->client->getResponse()->getContent(), true); + $content = json_decode($client->getResponse()->getContent(), true); - $this->assertEquals($this->client->getContainer()->getParameter('wallabag_core.version'), $content); + $this->assertEquals($client->getContainer()->getParameter('wallabag_core.version'), $content); } } -- cgit v1.2.3