wiki.techinc.nl/tests/phpunit/includes/Rest/BasicAccess/MWBasicRequestAuthorizerTest.php

<?php

namespace MediaWiki\Tests\Rest\BasicAccess;

use GuzzleHttp\Psr7\Uri;
use MediaWiki\MediaWikiServices;
use MediaWiki\Rest\BasicAccess\MWBasicAuthorizer;
use MediaWiki\Rest\Handler;
use MediaWiki\Rest\RequestData;
use MediaWiki\Rest\ResponseFactory;
use MediaWiki\Rest\Router;
use MediaWiki\Rest\Validator\Validator;
use MediaWikiTestCase;
use Psr\Container\ContainerInterface;
use User;
use Wikimedia\ObjectFactory;

/**
 * @group Database
 *
 * @covers \MediaWiki\Rest\BasicAccess\BasicAuthorizerBase
 * @covers \MediaWiki\Rest\BasicAccess\MWBasicAuthorizer
 * @covers \MediaWiki\Rest\BasicAccess\BasicRequestAuthorizer
 * @covers \MediaWiki\Rest\BasicAccess\MWBasicRequestAuthorizer
 */
class MWBasicRequestAuthorizerTest extends MediaWikiTestCase {
	private function createRouter( $userRights, $request ) {
		$user = User::newFromName( 'Test user' );
		// Don't allow the rights to everybody so that user rights kick in.
		$this->mergeMwGlobalArrayValue( 'wgGroupPermissions', [ '*' => $userRights ] );
		$this->overrideUserPermissions(
			$user,
			array_keys( array_filter( $userRights ), function ( $value ) {
				return $value === true;
			} )
		);

		global $IP;

		$objectFactory = new ObjectFactory(
			$this->getMockForAbstractClass( ContainerInterface::class )
		);

		return new Router(
			[ "$IP/tests/phpunit/unit/includes/Rest/testRoutes.json" ],
			[],
			'/rest',
			new \EmptyBagOStuff(),
			new ResponseFactory(),
			new MWBasicAuthorizer( $user, MediaWikiServices::getInstance()->getPermissionManager() ),
			$objectFactory,
			new Validator( $objectFactory, $request, $user )
		);
	}

	public function testReadDenied() {
		$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );
		$router = $this->createRouter( [ 'read' => false ], $request );
		$response = $router->execute( $request );
		$this->assertSame( 403, $response->getStatusCode() );

		$body = $response->getBody();
		$body->rewind();
		$data = json_decode( $body->getContents(), true );
		$this->assertSame( 'rest-read-denied', $data['error'] );
	}

	public function testReadAllowed() {
		$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );
		$router = $this->createRouter( [ 'read' => true ], $request );
		$response = $router->execute( $request );
		$this->assertSame( 200, $response->getStatusCode() );
	}

	public static function writeHandlerFactory() {
		return new class extends Handler {
			public function needsWriteAccess() {
				return true;
			}

			public function execute() {
				return '';
			}
		};
	}

	public function testWriteDenied() {
		$request = new RequestData( [
			'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
		] );
		$router = $this->createRouter( [ 'read' => true, 'writeapi' => false ], $request );
		$response = $router->execute( $request );
		$this->assertSame( 403, $response->getStatusCode() );

		$body = $response->getBody();
		$body->rewind();
		$data = json_decode( $body->getContents(), true );
		$this->assertSame( 'rest-write-denied', $data['error'] );
	}

	public function testWriteAllowed() {
		$request = new RequestData( [
			'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
		] );
		$router = $this->createRouter( [ 'read' => true, 'writeapi' => true ], $request );
		$response = $router->execute( $request );

		$this->assertSame( 200, $response->getStatusCode() );
	}
}
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`<?php`

			`namespace MediaWiki\Tests\Rest\BasicAccess;`

			`use GuzzleHttp\Psr7\Uri;`
Convert PermissionManager constructor to use ServiceOptions. Change-Id: I36a3a2f338506ef14cc5d65b8bee2961a92d60da 2019-08-21 05:28:47 +00:00			`use MediaWiki\MediaWikiServices;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use MediaWiki\Rest\BasicAccess\MWBasicAuthorizer;`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00			`use MediaWiki\Rest\Handler;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use MediaWiki\Rest\RequestData;`
			`use MediaWiki\Rest\ResponseFactory;`
			`use MediaWiki\Rest\Router;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`use MediaWiki\Rest\Validator\Validator;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use MediaWikiTestCase;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`use Psr\Container\ContainerInterface;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use User;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`use Wikimedia\ObjectFactory;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00
			`/**`
			`* @group Database`
			`*`
			`* @covers \MediaWiki\Rest\BasicAccess\BasicAuthorizerBase`
			`* @covers \MediaWiki\Rest\BasicAccess\MWBasicAuthorizer`
			`* @covers \MediaWiki\Rest\BasicAccess\BasicRequestAuthorizer`
			`* @covers \MediaWiki\Rest\BasicAccess\MWBasicRequestAuthorizer`
			`*/`
			`class MWBasicRequestAuthorizerTest extends MediaWikiTestCase {`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`private function createRouter( $userRights, $request ) {`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`$user = User::newFromName( 'Test user' );`
Convert PermissionManager constructor to use ServiceOptions. Change-Id: I36a3a2f338506ef14cc5d65b8bee2961a92d60da 2019-08-21 05:28:47 +00:00			`// Don't allow the rights to everybody so that user rights kick in.`
			`$this->mergeMwGlobalArrayValue( 'wgGroupPermissions', [ '*' => $userRights ] );`
			`$this->overrideUserPermissions(`
			`$user,`
			`array_keys( array_filter( $userRights ), function ( $value ) {`
			`return $value === true;`
			`} )`
			`);`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00
			`global $IP;`

rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$objectFactory = new ObjectFactory(`
			`$this->getMockForAbstractClass( ContainerInterface::class )`
			`);`

REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`return new Router(`
			`[ "$IP/tests/phpunit/unit/includes/Rest/testRoutes.json" ],`
			`[],`
			`'/rest',`
			`new \EmptyBagOStuff(),`
			`new ResponseFactory(),`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`new MWBasicAuthorizer( $user, MediaWikiServices::getInstance()->getPermissionManager() ),`
			`$objectFactory,`
			`new Validator( $objectFactory, $request, $user )`
			`);`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`}`

			`public function testReadDenied() {`
			`$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => false ], $request );`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`$response = $router->execute( $request );`
			`$this->assertSame( 403, $response->getStatusCode() );`

			`$body = $response->getBody();`
			`$body->rewind();`
			`$data = json_decode( $body->getContents(), true );`
			`$this->assertSame( 'rest-read-denied', $data['error'] );`
			`}`

			`public function testReadAllowed() {`
			`$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => true ], $request );`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`$response = $router->execute( $request );`
			`$this->assertSame( 200, $response->getStatusCode() );`
			`}`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00
			`public static function writeHandlerFactory() {`
			`return new class extends Handler {`
			`public function needsWriteAccess() {`
			`return true;`
			`}`

			`public function execute() {`
			`return '';`
			`}`
			`};`
			`}`

			`public function testWriteDenied() {`
			`$request = new RequestData( [`
			`'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )`
			`] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => true, 'writeapi' => false ], $request );`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00			`$response = $router->execute( $request );`
			`$this->assertSame( 403, $response->getStatusCode() );`

			`$body = $response->getBody();`
			`$body->rewind();`
			`$data = json_decode( $body->getContents(), true );`
			`$this->assertSame( 'rest-write-denied', $data['error'] );`
			`}`

			`public function testWriteAllowed() {`
			`$request = new RequestData( [`
			`'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )`
			`] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => true, 'writeapi' => true ], $request );`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00			`$response = $router->execute( $request );`

			`$this->assertSame( 200, $response->getStatusCode() );`
			`}`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`}`