Adding new tests in PostControllerTest to check for potential private post leakage.

2019-04-03 18:55:29 +03:00 · 2019-04-03 18:55:29 +03:00 · b455a6c8e7
parent 5e8935ce66
commit b455a6c8e7
2 changed files with 45 additions and 11 deletions
--- a/src/Skobkin/Bundle/PointToolsBundle/DataFixtures/ORM/LoadPostData.php
+++ b/src/Skobkin/Bundle/PointToolsBundle/DataFixtures/ORM/LoadPostData.php
@ -8,6 +8,12 @@ use Skobkin\Bundle\PointToolsBundle\Entity\{Blogs\Post, User};

 class LoadPostData extends AbstractFixture implements OrderedFixtureInterface
 {
+    public const POST_ID_LONG = 'longpost';
+    public const POST_ID_SHORT = 'shortpost';
+    public const POST_ID_PR_USER = 'prusrpst';
+    public const POST_ID_WL_USER = 'wlusrpst';
+    public const POST_ID_PR_WL_USER = 'prwlusrpst';
+
    public function load(ObjectManager $om)
    {
        /** @var User $mainUser */
@ -19,31 +25,31 @@ class LoadPostData extends AbstractFixture implements OrderedFixtureInterface
        /** @var User $prWlUser */
        $prWlUser = $this->getReference('test_user_'.LoadUserData::USER_PRWL_ID);

-        $longPost = (new Post('longpost', $mainUser, new \DateTime(), Post::TYPE_POST))
+        $longPost = (new Post(self::POST_ID_LONG, $mainUser, new \DateTime(), Post::TYPE_POST))
            ->setText('Test post with many comments')
            ->setPrivate(false)
            ->setDeleted(false)
        ;

-        $shortPost = (new Post('shortpost', $mainUser, new \DateTime(), Post::TYPE_POST))
+        $shortPost = (new Post(self::POST_ID_SHORT, $mainUser, new \DateTime(), Post::TYPE_POST))
            ->setText('Test short post')
            ->setPrivate(false)
            ->setDeleted(false)
        ;

-        $privateUserPost = (new Post('prusrpst', $privateUser, new \DateTime(), Post::TYPE_POST))
+        $privateUserPost = (new Post(self::POST_ID_PR_USER, $privateUser, new \DateTime(), Post::TYPE_POST))
            ->setText('Post from private user. Should not be visible in the public feed.')
            ->setPrivate(false)
            ->setDeleted(false)
        ;

-        $wlUserPost = (new Post('wlusrpst', $wlUser, new \DateTime(), Post::TYPE_POST))
+        $wlUserPost = (new Post(self::POST_ID_WL_USER, $wlUser, new \DateTime(), Post::TYPE_POST))
            ->setText('Post from whitelist-only user. Should only be visible for whitelisted users.')
            ->setPrivate(false)
            ->setDeleted(false)
        ;

-        $privateWlUserPost = (new Post('prwlusrpst', $prWlUser, new \DateTime(), Post::TYPE_POST))
+        $privateWlUserPost = (new Post(self::POST_ID_PR_WL_USER, $prWlUser, new \DateTime(), Post::TYPE_POST))
            ->setText('Post from private AND whitelist-only user. Should not be visible in the public feed.')
            ->setPrivate(false)
            ->setDeleted(false)
--- a/tests/Skobkin/PointToolsBundle/Controller/PostControllerTest.php
+++ b/tests/Skobkin/PointToolsBundle/Controller/PostControllerTest.php
@ -2,15 +2,15 @@

 namespace Tests\Skobkin\PointToolsBundle\Controller;

-use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Skobkin\Bundle\PointToolsBundle\DataFixtures\ORM\LoadPostData;
+use Symfony\Bundle\FrameworkBundle\{Client, Test\WebTestCase};
 use Symfony\Component\DomCrawler\Crawler;

 class PostControllerTest extends WebTestCase
 {
    public function testNonExistingPostPage()
    {
-        $client = static::createClient();
-        $client->request('GET', '/nonexistingpost');
+        $client = $this->createClientForPostId('nonexistingpost');

        $this->assertTrue($client->getResponse()->isNotFound(), '404 response code for non-existing post');
    }
@ -20,12 +20,11 @@ class PostControllerTest extends WebTestCase
     */
    public function testShortPostPageIsOk()
    {
-        $client = static::createClient();
-        $crawler = $client->request('GET', '/shortpost');
+        $client = $this->createClientForPostId(LoadPostData::POST_ID_SHORT);

        $this->assertTrue($client->getResponse()->isOk(), '200 response code for existing post');

-        return $crawler;
+        return $client->getCrawler();
    }

    /**
@ -58,4 +57,33 @@ class PostControllerTest extends WebTestCase
        $this->assertEquals(1, $p->count(), '.post-text has zero or more than one paragraphs');
        $this->assertEquals('Test short post', $p->text(), '.post-text has no correct post text');
    }
+
+    public function testPrivateUserPostForbidden()
+    {
+        $client = $this->createClientForPostId(LoadPostData::POST_ID_PR_USER);
+
+        $this->assertTrue($client->getResponse()->isForbidden(), '403 response code for private user\'s post');
+    }
+
+    public function testWhitelistOnlyUserPostForbidden()
+    {
+        $client = $this->createClientForPostId(LoadPostData::POST_ID_WL_USER);
+
+        $this->assertTrue($client->getResponse()->isForbidden(), '403 response code for whitelist-only user\'s post');
+    }
+
+    public function testPrivateWhitelistOnlyUserPostForbidden()
+    {
+        $client = $this->createClientForPostId(LoadPostData::POST_ID_PR_WL_USER);
+
+        $this->assertTrue($client->getResponse()->isForbidden(), '403 response code for private whitelist-only user\'s post');
+    }
+
+    private function createClientForPostId(string $id): Client
+    {
+        $client = static::createClient();
+        $client->request('GET', '/'.$id);
+
+        return $client;
+    }
 }