From 0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0 Mon Sep 17 00:00:00 2001
From: Kevin Decherf <kevin@kdecherf.com>
Date: Sat, 29 Dec 2018 19:43:07 +0100
Subject: TagRestController: add tests to ensure that other user's tags are
 unreachable

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
---
 .../ApiBundle/Controller/TagRestControllerTest.php | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php')

diff --git a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
index 430e548d..8f1e6f02 100644
--- a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
+++ b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
@@ -7,6 +7,8 @@ use Wallabag\CoreBundle\Entity\Tag;
 
 class TagRestControllerTest extends WallabagApiTestCase
 {
+    private $otherUserTagLabel = 'bob';
+
     public function testGetUserTags()
     {
         $this->client->request('GET', '/api/tags.json');
@@ -19,6 +21,12 @@ class TagRestControllerTest extends WallabagApiTestCase
         $this->assertArrayHasKey('id', $content[0]);
         $this->assertArrayHasKey('label', $content[0]);
 
+        $tagLabels = array_map(function ($i) {
+            return $i['label'];
+        }, $content);
+
+        $this->assertNotContains($this->otherUserTagLabel, $tagLabels, 'There is a possible tag leak');
+
         return end($content);
     }
 
@@ -53,6 +61,16 @@ class TagRestControllerTest extends WallabagApiTestCase
         $this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag');
     }
 
+    public function testDeleteOtherUserTag()
+    {
+        $em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
+        $tag = $em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel);
+
+        $this->client->request('DELETE', '/api/tags/' . $tag->getId() . '.json');
+
+        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+    }
+
     public function dataForDeletingTagByLabel()
     {
         return [
@@ -112,6 +130,13 @@ class TagRestControllerTest extends WallabagApiTestCase
         $this->assertSame(404, $this->client->getResponse()->getStatusCode());
     }
 
+    public function testDeleteTagByLabelOtherUser()
+    {
+        $this->client->request('DELETE', '/api/tag/label.json', ['tag' => $this->otherUserTagLabel]);
+
+        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+    }
+
     /**
      * @dataProvider dataForDeletingTagByLabel
      */
@@ -180,4 +205,11 @@ class TagRestControllerTest extends WallabagApiTestCase
 
         $this->assertSame(404, $this->client->getResponse()->getStatusCode());
     }
+
+    public function testDeleteTagsByLabelOtherUser()
+    {
+        $this->client->request('DELETE', '/api/tags/label.json', ['tags' => $this->otherUserTagLabel]);
+
+        $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+    }
 }
-- 
cgit v1.2.3


From 6c40d7fc85b98e335adf765d1c6b4465647da62c Mon Sep 17 00:00:00 2001
From: Kevin Decherf <kevin@kdecherf.com>
Date: Sat, 29 Dec 2018 20:43:34 +0100
Subject: TagRestController: fix test for tag without entries

As the deletion now requires that at least one entry for the user must
be linked to the given tag, we fix the test testDeleteUserTag by linking
it to an entry.

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
---
 .../ApiBundle/Controller/TagRestControllerTest.php         | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php')

diff --git a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
index 8f1e6f02..9daa94cd 100644
--- a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
+++ b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
@@ -32,12 +32,22 @@ class TagRestControllerTest extends WallabagApiTestCase
 
     public function testDeleteUserTag()
     {
+        $em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
+        $entry = $this->client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneWithTags($this->user->getId());
+
+        $entry = $entry[0];
+
         $tagLabel = 'tagtest';
         $tag = new Tag();
         $tag->setLabel($tagLabel);
-
-        $em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
         $em->persist($tag);
+
+        $entry->addTag($tag);
+
+        $em->persist($entry);
         $em->flush();
         $em->clear();
 
-- 
cgit v1.2.3