1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
|
<?php
/**
* Piwik - free/libre analytics platform
*
* @link http://piwik.org
* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
*/
namespace Piwik\Plugins\UsersManager\tests\Integration;
use Piwik\Access;
use Piwik\Plugins\UsersManager\Model;
use Piwik\Plugins\UsersManager\UserAccessFilter;
use Piwik\Tests\Framework\Fixture;
use Piwik\Tests\Framework\Mock\FakeAccess;
use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
class TestUserAccessFilter extends UserAccessFilter {
public function isNonSuperUserAllowedToSeeThisLogin($login)
{
return parent::isNonSuperUserAllowedToSeeThisLogin($login);
}
}
/**
* @group UsersManager
* @group UserAccessFilterTest
* @group UserAccessFilter
* @group Plugins
*/
class UserAccessFilterTest extends IntegrationTestCase
{
/**
* @var Model
*/
private $model;
/**
* @var Access
*/
private $access;
/**
* @var TestUserAccessFilter
*/
private $filter;
private $users = array(
'login2' => array('view' => array(1,3,5), 'admin' => array(2,6)),
'login3' => array('view' => array(), 'admin' => array()), // no access to any site
'login4' => array('view' => array(6), 'admin' => array()), // only access to one with view
'login5' => array('view' => array(), 'admin' => array(3)), // only access to one with admin
'login6' => array('view' => array(), 'admin' => array(6,3)), // access to a couple of sites with admin
'login7' => array('view' => array(2,1,6,3), 'admin' => array()), // access to a couple of sites with view
'login8' => array('view' => array(4,7), 'admin' => array(2,5)), // access to a couple of sites with admin and view
);
public function setUp()
{
parent::setUp();
// set up your test here if needed
$this->model = new Model();
$this->access = new FakeAccess();
$this->createManyWebsites();
$this->createManyUsers();
FakeAccess::clearAccess();
$this->filter = new TestUserAccessFilter($this->model, $this->access);
}
public function test_filterUser_WithSuperUserAccess_ShouldAlwaysReturnTrue()
{
$this->configureAcccessForLogin('login1');
foreach ($this->getAllLogins() as $login) {
$this->assertSame(array('login' => $login), $this->filter->filterUser(array('login' => $login)));
}
}
public function test_filterUser_WithViewUserAccess_ShouldOnlyReturnUserForOwnLogin()
{
$identity = 'login4';
$this->configureAcccessForLogin($identity);
$this->assertSame(array('login' => $identity), $this->filter->filterUser(array('login' => $identity)));
foreach ($this->getAllLogins() as $login) {
if ($login !== $identity) {
$this->assertNull($this->filter->filterUser(array('login' => $login)));
}
}
}
/**
* @dataProvider getIsUserAllowedToSeeThisLoginWithAdminAccess
*/
public function test_filterUser_WithAdminAccess_ShouldOnlyReturnUserForOwnLogin($expectedAllowed, $loginToSee)
{
$this->configureAcccessForLogin('login2');
if ($expectedAllowed) {
$this->assertSame(array('login' => $loginToSee), $this->filter->filterUser(array('login' => $loginToSee)));
} else {
$this->assertSame(null, $this->filter->filterUser(array('login' => $loginToSee)));
}
}
/**
* @dataProvider getIsUserAllowedToSeeThisLoginWithAdminAccess
*/
public function test_isNonSuperUserAllowedToSeeThisLogin_WithAdminAccess_IsAllowedToSeeAnyUserHavingAccessToSameAdminSites($expectedAllowed, $loginToSee)
{
$this->configureAcccessForLogin('login2');
$this->assertSame($expectedAllowed, $this->filter->isNonSuperUserAllowedToSeeThisLogin($loginToSee));
}
public function getIsUserAllowedToSeeThisLoginWithAdminAccess()
{
return array(
array($expectedAllowed = false, 'login1'), // not allowed to see this user as it has super user access
array($expectedAllowed = true, 'login2'), // it is the own user so visible anyway
array($expectedAllowed = false, 'login3'), // not allowed to see this user as this one does not have access to any site
array($expectedAllowed = true, 'login4'),
array($expectedAllowed = false, 'login5'), // this user doesn't share any site id where the user has admin access
array($expectedAllowed = true, 'login6'),
array($expectedAllowed = true, 'login7'),
array($expectedAllowed = true, 'login8'),
);
}
public function test_isNonSuperUserAllowedToSeeThisLogin_WithAdminAccess_IsAllowedToSeeAnyUserHavingAccessToSameAdminSites_UserHasAccessToOnlyOneAdminSite()
{
$this->configureAcccessForLogin('login5');
$this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login2'));
$this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login5'));
$this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login7'));
$this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login6'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login1')); // a user having view access only is not allowed to see any other user
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login3'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login4'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login8'));
}
public function test_isNonSuperUserAllowedToSeeThisLogin_WithOnlyViewAccess_IsAllowedToSeeOnlyOwnUser()
{
$this->configureAcccessForLogin('login7');
$this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login7')); // a view user is allowed to see itself
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login1')); // a user having view access only is not allowed to see any other user
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login2'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login3'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login4'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login5'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login6'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login8'));
}
public function test_isNonSuperUserAllowedToSeeThisLogin_WithNoAccess_IsStillAllowedToSeeAnyUser()
{
$this->configureAcccessForLogin('login3');
$this->assertTrue($this->filter->isNonSuperUserAllowedToSeeThisLogin('login3')); // a view user is allowed to see itself
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login1'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login2'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login4'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login5'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login7'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login6'));
$this->assertFalse($this->filter->isNonSuperUserAllowedToSeeThisLogin('login8'));
}
/**
* @dataProvider getTestFilterLogins
*/
public function test_filterLogins($expectedLogins, $loginIdentity, $logins)
{
$this->configureAcccessForLogin($loginIdentity);
$this->assertSame($expectedLogins, $this->filter->filterLogins($logins)); // a view user is allowed to see itself
}
/**
* @dataProvider getTestFilterLogins
*/
public function test_filterUsers($expectedLogins, $loginIdentity, $logins)
{
$this->configureAcccessForLogin($loginIdentity);
$users = array();
$expectedUsers = array();
foreach ($logins as $login) {
$user = array('login' => $login, 'alias' => 'test', 'password' => md5('pass'));
$users[] = $user;
if (in_array($login, $expectedLogins)) {
$expectedUsers[] = $user;
}
}
$this->assertSame($expectedUsers, $this->filter->filterUsers($users)); // a view user is allowed to see itself
}
/**
* @dataProvider getTestFilterLogins
*/
public function test_filterLoginIndexedArray($expectedLogins, $loginIdentity, $logins)
{
$this->configureAcccessForLogin($loginIdentity);
$testArray = array();
$expectedTestArray = array();
foreach ($logins as $login) {
$anything = array('foo' . $login);
$users[$login] = $anything;
if (in_array($login, $expectedLogins)) {
$expectedUsers[$login] = $anything;
}
}
$this->assertSame($expectedTestArray, $this->filter->filterLoginIndexedArray($testArray)); // a view user is allowed to see itself
}
public function getTestFilterLogins()
{
return array(
array($expectedLogins = $this->getAllLogins(), $identity = 'login1', $this->getAllLogins()), // a super user is allowed to see all logins
array($expectedLogins = array('login2', 'foobar'), $identity = 'login1', array('login2', 'foobar')), // for super users we do not even check if they actually exist
array($expectedLogins = $this->buildLogins(array(2,4)), $identity = 'login2', array('login2', 'foobar', 'login4', 'login3')), // should remove logins that do not actually exist when user has admin permission
array($expectedLogins = $this->buildLogins(array(2,4,6,7,8)), $identity = 'login2', $this->getAllLogins()), // an admin user can see users having access to the admin sites
array($expectedLogins = $this->buildLogins(array(3)), $identity = 'login3', $this->getAllLogins()), // a user with no access to any site can only see itself
array($expectedLogins = array('foobar'), $identity = 'foobar', array('foobar')), // doesn't check whether user exists when not having access to any site and user doesn't actually exist
array($expectedLogins = $this->buildLogins(array(4)), $identity = 'login4', $this->getAllLogins()), // a user with only view access to a site can only see itself
array($expectedLogins = $this->buildLogins(array(2,5,6,7)), $identity = 'login5', $this->getAllLogins()), // has access to one admin site
array($expectedLogins = $this->buildLogins(array(2,4,5,6,7)), $identity = 'login6', $this->getAllLogins()), // has access to multiple admin sites
array($expectedLogins = $this->buildLogins(array(7)), $identity = 'login7', $this->getAllLogins()), // has only access to multiple view sites
array($expectedLogins = $this->buildLogins(array(2,7,8)), $identity = 'login8', $this->getAllLogins()), // a user with only view access to a site can only see itself
array($expectedLogins = array(), $identity = 'login1', array()), // no users given, should return empty array for user with super user access
array($expectedLogins = array(), $identity = 'login2', array()), // no users given, should return empty array for user with admin access
array($expectedLogins = array(), $identity = 'login3', array()), // no users given, should return empty array for user with no access
array($expectedLogins = array(), $identity = 'login4', array()), // no users given, should return empty array for user with only view access
array($expectedLogins = array('anonymous'), $identity = 'anonymous', array('anonymous')), // anonymous user can see itself
);
}
public function test_getAllLogins_shouldBeUpToDate()
{
$this->assertSame($this->model->getUsersLogin(), $this->getAllLogins());
$this->assertNotEmpty($this->getAllLogins());
}
public function test_buildLogins()
{
$this->assertSame(array('login2', 'login3', 'login7'), $this->buildLogins(array(2,3,7)));
$this->assertSame(array(), $this->buildLogins(array()));
}
private function createManyWebsites()
{
for ($i = 0; $i < 10; $i++) {
Fixture::createWebsite('2014-01-01 00:00:00');
}
}
private function buildLogins($ids)
{
$logins = array();
foreach ($ids as $id) {
$logins[] = 'login' . $id;
}
return $logins;
}
private function getAllLogins()
{
$logins = $this->buildLogins(range(1,8));
array_unshift($logins, 'anonymous');
return $logins;
}
private function createManyUsers()
{
$this->model->addUser('login1', md5('pass'), 'email1@example.com', 'alias1', md5('token1'), '2008-01-01 00:00:00');
$this->model->addUser('login2', md5('pass'), 'email2@example.com', 'alias2', md5('token2'), '2008-01-01 00:00:00');
// login3 won't have access to any site
$this->model->addUser('login3', md5('pass'), 'email3@example.com', 'alias3', md5('token3'), '2008-01-01 00:00:00');
$this->model->addUser('login4', md5('pass'), 'email4@example.com', 'alias4', md5('token4'), '2008-01-01 00:00:00');
$this->model->addUser('login5', md5('pass'), 'email5@example.com', 'alias5', md5('token5'), '2008-01-01 00:00:00');
$this->model->addUser('login6', md5('pass'), 'email6@example.com', 'alias6', md5('token6'), '2008-01-01 00:00:00');
$this->model->addUser('login7', md5('pass'), 'email7@example.com', 'alias7', md5('token7'), '2008-01-01 00:00:00');
$this->model->addUser('login8', md5('pass'), 'email8@example.com', 'alias8', md5('token8'), '2008-01-01 00:00:00');
$this->model->addUser('anonymous', '', 'ano@example.com', 'anonymous', 'anonymous', '2008-01-01 00:00:00');
$this->model->setSuperUserAccess('login1', true); // we treat this one as our superuser
foreach ($this->users as $login => $permissions) {
foreach ($permissions as $access => $idSites) {
$this->model->addUserAccess($login, $access, $idSites);
}
}
}
private function configureAcccessForLogin($login)
{
$hasSuperUser = false;
$idSitesAdmin = array();
$idSitesView = array();
if ($login === 'login1') {
$hasSuperUser = true;
} elseif (isset($this->users[$login])) {
$idSitesAdmin = $this->users[$login]['admin'];
$idSitesView = $this->users[$login]['view'];
}
FakeAccess::clearAccess($hasSuperUser, $idSitesAdmin, $idSitesView, $login);
}
}
|
