[civicrm-core.git] / tests / phpunit / CRM / Event / BAO / EventPermissionsTest.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 5                                                  |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2019                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

/**
 * Class CRM_Event_BAO_EventPermissionsTest
 * @group headless
 */
class CRM_Event_BAO_EventPermissionsTest extends CiviUnitTestCase {

  public function setUp() {
    parent::setUp();
    $this->_contactId = $this->createLoggedInUser();
    $this->createOwnEvent();
    $this->createOtherEvent();
  }

  public function createOwnEvent() {
    $event = $this->eventCreate(array(
      'created_id' => $this->_contactId,
    ));
    $this->_ownEventId = $event['id'];
  }

  public function createOtherEvent() {
    $this->_otherContactId = $this->_contactId + 1;
    $event = $this->eventCreate(array(
      'created_id' => $this->_otherContactId,
    ));
    $this->_otherEventId = $event['id'];
  }

  private function setViewOwnEventPermissions() {
    CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info'];
  }

  private function setViewAllEventPermissions() {
    CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info', 'view event participants'];
  }

  private function setEditAllEventPermissions() {
    CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info', 'edit all events'];
  }

  private function setDeleteAllEventPermissions() {
    CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info', 'delete in CiviEvent'];
  }

  public function testViewOwnEvent() {
    self::setViewOwnEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
    $this->assertTrue($permissions);
    // Now check that caching is actually working
    \Civi::$statics['CRM_Event_BAO_Event']['permission']['view'][$this->_ownEventId] = FALSE;
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
    $this->assertFalse($permissions);
  }

  public function testEditOwnEvent() {
    self::setViewOwnEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::EDIT);
    $this->assertTrue($permissions);
  }

  /**
   * This requires the same permissions as testDeleteOtherEvent()
   */
  public function testDeleteOwnEvent() {
    // Check that you can't delete your own event without "Delete in CiviEvent" permission
    self::setViewOwnEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::DELETE);
    $this->assertFalse($permissions);
  }

  public function testViewOtherEventDenied() {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    self::setViewOwnEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW);
    $this->assertFalse($permissions);
  }

  public function testViewOtherEventAllowed() {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    self::setViewAllEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW);
    $this->assertTrue($permissions);
  }

  public function testEditOtherEventDenied() {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    self::setViewAllEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT);
    $this->assertFalse($permissions);
  }

  public function testEditOtherEventAllowed() {
    $this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
    self::setEditAllEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT);
    $this->assertTrue($permissions);
  }

  public function testDeleteOtherEventAllowed() {
    self::setDeleteAllEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
    $this->assertTrue($permissions);
  }

  public function testDeleteOtherEventDenied() {
    // FIXME: This test could be improved, but for now it checks that we can't delete if we don't have "Delete in CiviEvent"
    self::setEditAllEventPermissions();
    unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
    $permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
    $this->assertFalse($permissions);
  }

}
Commit	Line	Data
92f5ef6b AF	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
	4	\| CiviCRM version 5 \|
	5	+--------------------------------------------------------------------+
6b83d5bd	6	\| Copyright CiviCRM LLC (c) 2004-2019 \|
92f5ef6b AF	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
	26	*/
	27
	28	/**
	29	* Class CRM_Event_BAO_EventPermissionsTest
	30	* @group headless
	31	*/
	32	class CRM_Event_BAO_EventPermissionsTest extends CiviUnitTestCase {
	33
	34	public function setUp() {
	35	parent::setUp();
	36	$this->_contactId = $this->createLoggedInUser();
d0853f7d MWMC	37	$this->createOwnEvent();
	38	$this->createOtherEvent();
	39	}
	40
	41	public function createOwnEvent() {
92f5ef6b AF	42	$event = $this->eventCreate(array(
	43	'created_id' => $this->_contactId,
	44	));
d0853f7d MWMC	45	$this->_ownEventId = $event['id'];
	46	}
	47
	48	public function createOtherEvent() {
	49	$this->_otherContactId = $this->_contactId + 1;
	50	$event = $this->eventCreate(array(
	51	'created_id' => $this->_otherContactId,
	52	));
	53	$this->_otherEventId = $event['id'];
	54	}
	55
	56	private function setViewOwnEventPermissions() {
	57	CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info'];
	58	}
	59
	60	private function setViewAllEventPermissions() {
	61	CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info', 'view event participants'];
	62	}
	63
	64	private function setEditAllEventPermissions() {
	65	CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info', 'edit all events'];
	66	}
	67
	68	private function setDeleteAllEventPermissions() {
	69	CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'access CiviEvent', 'view event info', 'delete in CiviEvent'];
	70	}
	71
	72	public function testViewOwnEvent() {
	73	self::setViewOwnEventPermissions();
	74	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	75	$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
	76	$this->assertTrue($permissions);
	77	// Now check that caching is actually working
	78	\Civi::$statics['CRM_Event_BAO_Event']['permission']['view'][$this->_ownEventId] = FALSE;
	79	$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::VIEW);
	80	$this->assertFalse($permissions);
92f5ef6b AF	81	}
	82
	83	public function testEditOwnEvent() {
d0853f7d MWMC	84	self::setViewOwnEventPermissions();
	85	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	86	$this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
	87	$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::EDIT);
	88	$this->assertTrue($permissions);
	89	}
	90
	91	/**
	92	* This requires the same permissions as testDeleteOtherEvent()
	93	*/
	94	public function testDeleteOwnEvent() {
	95	// Check that you can't delete your own event without "Delete in CiviEvent" permission
	96	self::setViewOwnEventPermissions();
	97	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	98	$permissions = CRM_Event_BAO_Event::checkPermission($this->_ownEventId, CRM_Core_Permission::DELETE);
	99	$this->assertFalse($permissions);
	100	}
	101
	102	public function testViewOtherEventDenied() {
	103	$this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
	104	self::setViewOwnEventPermissions();
1580a51e	105	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
d0853f7d MWMC	106	$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW);
	107	$this->assertFalse($permissions);
	108	}
	109
	110	public function testViewOtherEventAllowed() {
	111	$this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
	112	self::setViewAllEventPermissions();
	113	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	114	$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::VIEW);
1580a51e	115	$this->assertTrue($permissions);
92f5ef6b AF	116	}
92f5ef6b AF	117
d0853f7d MWMC	118	public function testEditOtherEventDenied() {
	119	$this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
	120	self::setViewAllEventPermissions();
	121	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	122	$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT);
	123	$this->assertFalse($permissions);
	124	}
	125
	126	public function testEditOtherEventAllowed() {
	127	$this->_loggedInUser = CRM_Core_Session::singleton()->get('userID');
	128	self::setEditAllEventPermissions();
	129	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	130	$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::EDIT);
	131	$this->assertTrue($permissions);
	132	}
	133
	134	public function testDeleteOtherEventAllowed() {
	135	self::setDeleteAllEventPermissions();
	136	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	137	$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
	138	$this->assertTrue($permissions);
	139	}
	140
	141	public function testDeleteOtherEventDenied() {
	142	// FIXME: This test could be improved, but for now it checks that we can't delete if we don't have "Delete in CiviEvent"
	143	self::setEditAllEventPermissions();
	144	unset(\Civi::$statics['CRM_Event_BAO_Event']['permissions']);
	145	$permissions = CRM_Event_BAO_Event::checkPermission($this->_otherEventId, CRM_Core_Permission::DELETE);
	146	$this->assertFalse($permissions);
	147	}
	148
92f5ef6b	149	}