Added more security checks to the content controller

Shannon
2013-08-09 18:04:44 +10:00
parent b8df64742c
commit 437f2dc588
6 changed files with 114 additions and 74 deletions


@@ -14,6 +14,7 @@ using Umbraco.Core.Models.Membership;
using Umbraco.Core.Services;
using Umbraco.Tests.TestHelpers;
using Umbraco.Web;
using Umbraco.Web.Editors;
using Umbraco.Web.WebApi;
using Umbraco.Web.WebApi.Filters;
using umbraco.presentation.channels.businesslogic;
@@ -21,7 +22,7 @@ using umbraco.presentation.channels.businesslogic;
namespace Umbraco.Tests.Controllers.WebApiEditors
{
[TestFixture]
public class EnsureUserPermissionForContentAttributeTests
public class ContentControllerUnitTests
{
[Test]
public void Does_Not_Throw_Exception_When_Access_Allowed_By_Path()
@@ -37,12 +38,9 @@ namespace Umbraco.Tests.Controllers.WebApiEditors
var userService = MockRepository.GenerateStub<IUserService>();
var permissions = new List<EntityPermission>();
userService.Stub(x => x.GetPermissions(user, 1234)).Return(permissions);
var ctx = new HttpActionContext();
ctx.ActionArguments.Add("id", 1234);
var attribute = new EnsureUserPermissionForContentAttribute(1234);
//act
var result = attribute.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
var result = ContentController.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
//assert
Assert.IsTrue(result);
@@ -62,11 +60,9 @@ namespace Umbraco.Tests.Controllers.WebApiEditors
var userService = MockRepository.GenerateStub<IUserService>();
var permissions = new List<EntityPermission>();
userService.Stub(x => x.GetPermissions(user, 1234)).Return(permissions);
var ctx = new HttpActionContext();
var attribute = new EnsureUserPermissionForContentAttribute(1234);
//act/assert
Assert.Throws<HttpResponseException>(() => attribute.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F'));
Assert.Throws<HttpResponseException>(() => ContentController.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F'));
}
[Test]
@@ -83,11 +79,9 @@ namespace Umbraco.Tests.Controllers.WebApiEditors
var userService = MockRepository.GenerateStub<IUserService>();
var permissions = new List<EntityPermission>();
userService.Stub(x => x.GetPermissions(user, 1234)).Return(permissions);
var ctx = new HttpActionContext();
var attribute = new EnsureUserPermissionForContentAttribute(1234);
//act
var result = attribute.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
var result = ContentController.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
//assert
Assert.IsFalse(result);
@@ -110,12 +104,9 @@ namespace Umbraco.Tests.Controllers.WebApiEditors
new EntityPermission(9, 1234, new string[]{ "A", "B", "C" })
};
userService.Stub(x => x.GetPermissions(user, 1234)).Return(permissions);
var ctx = new HttpActionContext();
var attribute = new EnsureUserPermissionForContentAttribute(1234);
//act
var result = attribute.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
var result = ContentController.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
//assert
Assert.IsFalse(result);
@@ -138,12 +129,9 @@ namespace Umbraco.Tests.Controllers.WebApiEditors
new EntityPermission(9, 1234, new string[]{ "A", "F", "C" })
};
userService.Stub(x => x.GetPermissions(user, 1234)).Return(permissions);
var ctx = new HttpActionContext();
ctx.ActionArguments.Add("id", 1234);
var attribute = new EnsureUserPermissionForContentAttribute(1234);
//act
var result = attribute.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
var result = ContentController.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
//assert
Assert.IsTrue(result);
@@ -163,12 +151,9 @@ namespace Umbraco.Tests.Controllers.WebApiEditors
var userService = MockRepository.GenerateStub<IUserService>();
var permissions = new List<EntityPermission>();
userService.Stub(x => x.GetPermissions(user, 1234)).Return(permissions);
var ctx = new HttpActionContext();
ctx.ActionArguments.Add("id", 1234);
var attribute = new EnsureUserPermissionForContentAttribute(1234);
//act
var result = attribute.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
var result = ContentController.CheckPermissions(new Dictionary<string, object>(), user, userService, contentService, 1234, 'F');
//assert
Assert.IsTrue(result);
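Review bot: `Does_Not_Throw_Exception_When_Access_Allowed_By_Path` and the last test in this file stub `GetPermissions` with an empty `List<EntityPermission>` yet assert that `ContentController.CheckPermissions(..., 1234, 'F')` returns true, so as written they pin an allow result for a user who holds no explicit permission entry on the node. If that default is intended, say so next to the stub with a comment such as `// no explicit permission entry: access is decided by path alone`. If these tests are only meant to exercise the path check, grant the letter explicitly with `var permissions = new List<EntityPermission> { new EntityPermission(9, 1234, new string[]{ "F" }) };`, so that a later tightening of the permission check does not have to work around them. The arrange code for the user and content mocks lies outside the visible hunks, so this reading rests on the stubbed permission list alone.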