From ea33395cc20d7b19b735aca469dd21bfd9d7e23b Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Wed, 22 Feb 2017 13:03:03 -0800
Subject: [PATCH] CRM-20159 - Add test case for permissions in CRM-18112

There are a few different edge-cases for the "edit api keys" permission used in CRM-18112. This improves test coverage.
---
 tests/phpunit/api/v3/ContactTest.php | 69 ++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/tests/phpunit/api/v3/ContactTest.php b/tests/phpunit/api/v3/ContactTest.php
index 59936149f4..961d0e0a5b 100644
--- a/tests/phpunit/api/v3/ContactTest.php
+++ b/tests/phpunit/api/v3/ContactTest.php
@@ -452,6 +452,75 @@ class api_v3_ContactTest extends CiviUnitTestCase {
 $this->callAPIFailure('contact', 'create', $params);
 }
 
+ /**
+ * Check that permissions on API key are restricted (CRM-18112).
+ */
+ public function testCreateApiKey() {
+ $config = CRM_Core_Config::singleton();
+ $contactId = $this->individualCreate(array(
+ 'first_name' => 'A',
+ 'last_name' => 'B',
+ ));
+
+ // Allow edit -- because permissions aren't being checked
+ $config->userPermissionClass->permissions = array();
+ $result = $this->callAPISuccess('Contact', 'create', array(
+ 'id' => $contactId,
+ 'api_key' => 'original',
+ ));
+ $this->assertEquals('original', $result['values'][$contactId]['api_key']);
+
+ // Allow edit -- because we have adequate permission
+ $config->userPermissionClass->permissions = array('access CiviCRM', 'edit all contacts', 'edit api keys');
+ $result = $this->callAPISuccess('Contact', 'create', array(
+ 'check_permissions' => 1,
+ 'id' => $contactId,
+ 'api_key' => 'abcd1234',
+ ));
+ $this->assertEquals('abcd1234', $result['values'][$contactId]['api_key']);
+
+ // Disallow edit -- because we don't have permission
+ $config->userPermissionClass->permissions = array('access CiviCRM', 'edit all contacts');
+ $result = $this->callAPIFailure('Contact', 'create', array(
+ 'check_permissions' => 1,
+ 'id' => $contactId,
+ 'api_key' => 'defg4321',
+ ));
+ $this->assertRegExp(';Permission denied to modify api key;', $result['error_message']);
+
+ // Return everything -- because permissions are not being checked
+ $config->userPermissionClass->permissions = array();
+ $result = $this->callAPISuccess('Contact', 'create', array(
+ 'id' => $contactId,
+ 'first_name' => 'A2',
+ ));
+ $this->assertEquals('A2', $result['values'][$contactId]['first_name']);
+ $this->assertEquals('B', $result['values'][$contactId]['last_name']);
+ $this->assertEquals('abcd1234', $result['values'][$contactId]['api_key']);
+
+ // Return everything -- because we have adequate permission
+ $config->userPermissionClass->permissions = array('access CiviCRM', 'edit all contacts', 'edit api keys');
+ $result = $this->callAPISuccess('Contact', 'create', array(
+ 'check_permissions' => 1,
+ 'id' => $contactId,
+ 'first_name' => 'A3',
+ ));
+ $this->assertEquals('A3', $result['values'][$contactId]['first_name']);
+ $this->assertEquals('B', $result['values'][$contactId]['last_name']);
+ $this->assertEquals('abcd1234', $result['values'][$contactId]['api_key']);
+
+ // Restricted return -- because we don't have permission
+ $config->userPermissionClass->permissions = array('access CiviCRM', 'edit all contacts');
+ $result = $this->callAPISuccess('Contact', 'create', array(
+ 'check_permissions' => 1,
+ 'id' => $contactId,
+ 'first_name' => 'A4',
+ ));
+ $this->assertEquals('A4', $result['values'][$contactId]['first_name']);
+ $this->assertEquals('B', $result['values'][$contactId]['last_name']);
+ $this->assertTrue(empty($result['values'][$contactId]['api_key']));
+ }
+
 /**
 * Check with complete array + custom field.
 *
-- 
2.25.1
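Review bot: The closing assertion of the "Restricted return" block, `$this->assertTrue(empty($result['values'][$contactId]['api_key']));`, also passes when `api_key` is returned as an empty string or `'0'`, so it does not pin that the key is withheld from a caller lacking "edit api keys"; if the intent is that the field is not disclosed at all, `$this->assertArrayNotHasKey('api_key', $result['values'][$contactId]);` checks exactly that and would catch a regression that returns a blank value in place of the stored one. The test also returns with `$config->userPermissionClass->permissions` left at the reduced `array('access CiviCRM', 'edit all contacts')` set; unless the class's tearDown resets it (not visible here), later tests in the class inherit that state, so restoring the original value at the end would isolate the test. The enclosing class continues outside the hunk.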