Adds more code and tests for permissions checks

2013-08-09 16:39:09 +10:00
parent 4bb71273e2
commit 49f3c9e4b2
9 changed files with 390 additions and 107 deletions
--- a/src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs
+++ b/src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs
@@ -1,11 +1,14 @@
 using System;
 using System.Collections;
+using System.Globalization;
 using System.Linq;
 using System.Web.Http;
 using System.Web.Http.Controllers;
 using System.Web.Http.Filters;
 using Umbraco.Core;
 using Umbraco.Core.Models;
+using Umbraco.Core.Models.Membership;
+using Umbraco.Core.Services;
 using umbraco.BusinessLogic.Actions;

 namespace Umbraco.Web.WebApi.Filters
@@ -23,14 +26,51 @@ namespace Umbraco.Web.WebApi.Filters
    /// </remarks>
    internal sealed class EnsureUserPermissionForContentAttribute : ActionFilterAttribute
    {
-        private readonly bool _onlyCheckStartNode;
+        private int? _nodeId;
+        private readonly IUser _user;
+        private readonly IUserService _userService;
+        private readonly IContentService _contentService;
+        private IContentService ContentService
+        {
+            get { return _contentService ?? ApplicationContext.Current.Services.ContentService; }
+        }
+        private IUserService UserService
+        {
+            get { return _userService ?? ApplicationContext.Current.Services.UserService; }
+        }
+        private IUser User
+        {
+            get { return _user ?? UmbracoContext.Current.Security.CurrentUser; }
+        }
+
        private readonly string _paramName;
        private readonly char _permissionToCheck;

-        public EnsureUserPermissionForContentAttribute(bool onlyCheckStartNode)
+        /// <summary>
+        /// used for unit testing
+        /// </summary>
+        /// <param name="user"></param>
+        /// <param name="userService"></param>
+        /// <param name="contentService"></param>
+        /// <param name="nodeId"></param>
+        /// <param name="permissionToCheck"></param>
+        internal EnsureUserPermissionForContentAttribute(IUser user, IUserService userService, IContentService contentService, int nodeId, char permissionToCheck)
        {
-            _onlyCheckStartNode = onlyCheckStartNode;            
+            _user = user;
+            _userService = userService;
+            _contentService = contentService;
+            _nodeId = nodeId;
+            _permissionToCheck = permissionToCheck;
        }
+
+        /// <summary>
+        /// This constructor will only be able to test the start node access
+        /// </summary>
+        public EnsureUserPermissionForContentAttribute(int nodeId)
+        {
+            _nodeId = nodeId;
+        }
+
        public EnsureUserPermissionForContentAttribute(string paramName)
        {
            _paramName = paramName;
@@ -49,30 +89,36 @@ namespace Umbraco.Web.WebApi.Filters

        public override void OnActionExecuting(HttpActionContext actionContext)
        {
-            if (UmbracoContext.Current.UmbracoUser == null)
+            if (User == null)
+            {
+                throw new HttpResponseException(System.Net.HttpStatusCode.Unauthorized);
+            }
+            
+            if (_nodeId.HasValue == false)
+            {
+                if (actionContext.ActionArguments[_paramName] == null)
+                {
+                    throw new InvalidOperationException("No argument found for the current action with the name: " + _paramName);
+                }
+
+                _nodeId = (int)actionContext.ActionArguments[_paramName];    
+            }
+            
+            var contentItem = ContentService.GetById(_nodeId.Value);
+            if (contentItem == null)
+            {
+                throw new HttpResponseException(System.Net.HttpStatusCode.NotFound);
+            }
+
+            var hasPathAccess = User.HasPathAccess(contentItem);
+
+            if (hasPathAccess == false)
            {
                throw new HttpResponseException(System.Net.HttpStatusCode.Unauthorized);
            }

-            if (actionContext.ActionArguments[_paramName] == null)
-            {
-                throw new InvalidOperationException("No argument found for the current action with the name: " + _paramName);
-            }
-
-            var nodeId = (int)actionContext.ActionArguments[_paramName];
-
-            //var contentItem = ApplicationContext.Current.Services.ContentService.GetById(nodeId);
-
-            //var hasPathAccess = (Path.Contains("-20") || ("," + Path + ",").Contains("," + getUser().StartNodeId.ToString() + ","))
-
-            if (_onlyCheckStartNode)
-            {
-                //TODO: implement this as well!
-            }           
-            
-            //TODO: Change these calls to a service layer call and make sure we can mock it!
-            var permissions = UmbracoContext.Current.UmbracoUser.GetPermissions(nodeId);
-            if (permissions.ToCharArray().Contains(_permissionToCheck))
+            var permission = UserService.GetPermissions(User, _nodeId.Value).FirstOrDefault();
+            if (permission == null || permission.AssignedPermissions.Contains(_permissionToCheck.ToString(CultureInfo.InvariantCulture)))
            {
                base.OnActionExecuting(actionContext);
            }
--- a/src/Umbraco.Web/WebApi/Filters/FilterAllowedOutgoingContentAttribute.cs
+++ b/src/Umbraco.Web/WebApi/Filters/FilterAllowedOutgoingContentAttribute.cs
@@ -95,8 +95,6 @@ namespace Umbraco.Web.WebApi.Filters

        private void SetValueForResponse(ObjectContent objectContent, dynamic newVal)
        {
-            var t = objectContent.Value.GetType();
-            
            if (objectContent.Value is IEnumerable<ContentItemBasic>)
            {
                //objectContent.Value = DynamicCast(newVal, t);