TagRestController: add tests to ensure that other user's tags are unreachable

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf 2018-12-29 19:43:07 +01:00
parent 6708bf238d
commit 0ee9848231

View file

@ -7,6 +7,8 @@ use Wallabag\CoreBundle\Entity\Tag;
class TagRestControllerTest extends WallabagApiTestCase
{
private $otherUserTagLabel = 'bob';
public function testGetUserTags()
{
$this->client->request('GET', '/api/tags.json');
@ -19,6 +21,12 @@ class TagRestControllerTest extends WallabagApiTestCase
$this->assertArrayHasKey('id', $content[0]);
$this->assertArrayHasKey('label', $content[0]);
$tagLabels = array_map(function ($i) {
return $i['label'];
}, $content);
$this->assertNotContains($this->otherUserTagLabel, $tagLabels, 'There is a possible tag leak');
return end($content);
}
@ -53,6 +61,16 @@ class TagRestControllerTest extends WallabagApiTestCase
$this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag');
}
public function testDeleteOtherUserTag()
{
$em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
$tag = $em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel);
$this->client->request('DELETE', '/api/tags/' . $tag->getId() . '.json');
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
}
public function dataForDeletingTagByLabel()
{
return [
@ -112,6 +130,13 @@ class TagRestControllerTest extends WallabagApiTestCase
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
}
public function testDeleteTagByLabelOtherUser()
{
$this->client->request('DELETE', '/api/tag/label.json', ['tag' => $this->otherUserTagLabel]);
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
}
/**
* @dataProvider dataForDeletingTagByLabel
*/
@ -180,4 +205,11 @@ class TagRestControllerTest extends WallabagApiTestCase
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
}
public function testDeleteTagsByLabelOtherUser()
{
$this->client->request('DELETE', '/api/tags/label.json', ['tags' => $this->otherUserTagLabel]);
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
}
}