wiki.techinc.nl/tests/phpunit/includes/Rest/BasicAccess/MWBasicRequestAuthorizerTest.php

<?php

namespace MediaWiki\Tests\Rest\BasicAccess;

use GuzzleHttp\Psr7\Uri;
use MediaWiki\Permissions\PermissionManager;
use MediaWiki\Rest\BasicAccess\MWBasicAuthorizer;
use MediaWiki\Rest\Handler;
use MediaWiki\Rest\RequestData;
use MediaWiki\Rest\ResponseFactory;
use MediaWiki\Rest\Router;
use MediaWiki\Rest\Validator\Validator;
use MediaWikiTestCase;
use Psr\Container\ContainerInterface;
use User;
use Wikimedia\ObjectFactory;

/**
 * @group Database
 *
 * @covers \MediaWiki\Rest\BasicAccess\BasicAuthorizerBase
 * @covers \MediaWiki\Rest\BasicAccess\MWBasicAuthorizer
 * @covers \MediaWiki\Rest\BasicAccess\BasicRequestAuthorizer
 * @covers \MediaWiki\Rest\BasicAccess\MWBasicRequestAuthorizer
 */
class MWBasicRequestAuthorizerTest extends MediaWikiTestCase {
	private function createRouter( $userRights, $request ) {
		$user = User::newFromName( 'Test user' );
		$objectFactory = new ObjectFactory(
			$this->getMockForAbstractClass( ContainerInterface::class )
		);
		$permissionManager = $this->createMock( PermissionManager::class );
		// Don't allow the rights to everybody so that user rights kick in.
		$permissionManager->method( 'isEveryoneAllowed' )->willReturn( false );
		$permissionManager->method( 'userHasRight' )
			->will( $this->returnCallback( function ( $user, $action ) use ( $userRights ) {
				return isset( $userRights[$action] ) && $userRights[$action];
			} ) );

		global $IP;

		return new Router(
			[ "$IP/tests/phpunit/unit/includes/Rest/testRoutes.json" ],
			[],
			'/rest',
			new \EmptyBagOStuff(),
			new ResponseFactory( [] ),
			new MWBasicAuthorizer( $user, $permissionManager ),
			$objectFactory,
			new Validator( $objectFactory, $permissionManager, $request, $user )
		);
	}

	public function testReadDenied() {
		$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );
		$router = $this->createRouter( [ 'read' => false ], $request );
		$response = $router->execute( $request );
		$this->assertSame( 403, $response->getStatusCode() );

		$body = $response->getBody();
		$body->rewind();
		$data = json_decode( $body->getContents(), true );
		$this->assertSame( 'rest-read-denied', $data['error'] );
	}

	public function testReadAllowed() {
		$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );
		$router = $this->createRouter( [ 'read' => true ], $request );
		$response = $router->execute( $request );
		$this->assertSame( 200, $response->getStatusCode() );
	}

	public static function writeHandlerFactory() {
		return new class extends Handler {
			public function needsWriteAccess() {
				return true;
			}

			public function execute() {
				return '';
			}
		};
	}

	public function testWriteDenied() {
		$request = new RequestData( [
			'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
		] );
		$router = $this->createRouter( [ 'read' => true, 'writeapi' => false ], $request );
		$response = $router->execute( $request );
		$this->assertSame( 403, $response->getStatusCode() );

		$body = $response->getBody();
		$body->rewind();
		$data = json_decode( $body->getContents(), true );
		$this->assertSame( 'rest-write-denied', $data['error'] );
	}

	public function testWriteAllowed() {
		$request = new RequestData( [
			'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
		] );
		$router = $this->createRouter( [ 'read' => true, 'writeapi' => true ], $request );
		$response = $router->execute( $request );

		$this->assertSame( 200, $response->getStatusCode() );
	}
}
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`<?php`

			`namespace MediaWiki\Tests\Rest\BasicAccess;`

			`use GuzzleHttp\Psr7\Uri;`
Use UserIdentity instead of User in REST Change-Id: Ia6a517c6a64664be2363492108f9497fc949f299 2019-09-13 21:07:59 +00:00			`use MediaWiki\Permissions\PermissionManager;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use MediaWiki\Rest\BasicAccess\MWBasicAuthorizer;`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00			`use MediaWiki\Rest\Handler;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use MediaWiki\Rest\RequestData;`
			`use MediaWiki\Rest\ResponseFactory;`
			`use MediaWiki\Rest\Router;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`use MediaWiki\Rest\Validator\Validator;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use MediaWikiTestCase;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`use Psr\Container\ContainerInterface;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`use User;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`use Wikimedia\ObjectFactory;`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00
			`/**`
			`* @group Database`
			`*`
			`* @covers \MediaWiki\Rest\BasicAccess\BasicAuthorizerBase`
			`* @covers \MediaWiki\Rest\BasicAccess\MWBasicAuthorizer`
			`* @covers \MediaWiki\Rest\BasicAccess\BasicRequestAuthorizer`
			`* @covers \MediaWiki\Rest\BasicAccess\MWBasicRequestAuthorizer`
			`*/`
			`class MWBasicRequestAuthorizerTest extends MediaWikiTestCase {`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`private function createRouter( $userRights, $request ) {`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`$user = User::newFromName( 'Test user' );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$objectFactory = new ObjectFactory(`
			`$this->getMockForAbstractClass( ContainerInterface::class )`
			`);`
Use UserIdentity instead of User in REST Change-Id: Ia6a517c6a64664be2363492108f9497fc949f299 2019-09-13 21:07:59 +00:00			`$permissionManager = $this->createMock( PermissionManager::class );`
			`// Don't allow the rights to everybody so that user rights kick in.`
			`$permissionManager->method( 'isEveryoneAllowed' )->willReturn( false );`
			`$permissionManager->method( 'userHasRight' )`
			`->will( $this->returnCallback( function ( $user, $action ) use ( $userRights ) {`
			`return isset( $userRights[$action] ) && $userRights[$action];`
			`} ) );`

			`global $IP;`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`return new Router(`
			`[ "$IP/tests/phpunit/unit/includes/Rest/testRoutes.json" ],`
			`[],`
			`'/rest',`
			`new \EmptyBagOStuff(),`
Use TextFormatter in the REST API * Add ResponseFactory::createLocalizedHttpError(), which generates a JSON response body from a MessageValue * ResponseFactory::__construct() accepts an array of TextFormatter objects. For ease of testing, the array may be empty. The integrated ResponseFactory has a TextFormatter for English, and one for $wgContLang if that is different. * Use createLocalizedHttpError() to show helpful error messages for errors generated by Router. Change-Id: I897a0aee42227916c568333ab384966f1b87f599 2019-07-16 22:43:43 +00:00			`new ResponseFactory( [] ),`
Use UserIdentity instead of User in REST Change-Id: Ia6a517c6a64664be2363492108f9497fc949f299 2019-09-13 21:07:59 +00:00			`new MWBasicAuthorizer( $user, $permissionManager ),`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$objectFactory,`
Use UserIdentity instead of User in REST Change-Id: Ia6a517c6a64664be2363492108f9497fc949f299 2019-09-13 21:07:59 +00:00			`new Validator( $objectFactory, $permissionManager, $request, $user )`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`);`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`}`

			`public function testReadDenied() {`
			`$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => false ], $request );`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`$response = $router->execute( $request );`
			`$this->assertSame( 403, $response->getStatusCode() );`

			`$body = $response->getBody();`
			`$body->rewind();`
			`$data = json_decode( $body->getContents(), true );`
			`$this->assertSame( 'rest-read-denied', $data['error'] );`
			`}`

			`public function testReadAllowed() {`
			`$request = new RequestData( [ 'uri' => new Uri( '/rest/user/joe/hello' ) ] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => true ], $request );`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`$response = $router->execute( $request );`
			`$this->assertSame( 200, $response->getStatusCode() );`
			`}`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00
			`public static function writeHandlerFactory() {`
			`return new class extends Handler {`
			`public function needsWriteAccess() {`
			`return true;`
			`}`

			`public function execute() {`
			`return '';`
			`}`
			`};`
			`}`

			`public function testWriteDenied() {`
			`$request = new RequestData( [`
			`'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )`
			`] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => true, 'writeapi' => false ], $request );`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00			`$response = $router->execute( $request );`
			`$this->assertSame( 403, $response->getStatusCode() );`

			`$body = $response->getBody();`
			`$body->rewind();`
			`$data = json_decode( $body->getContents(), true );`
			`$this->assertSame( 'rest-write-denied', $data['error'] );`
			`}`

			`public function testWriteAllowed() {`
			`$request = new RequestData( [`
			`'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )`
			`] );`
rest: Use ParamValidator library, add BodyValidator Parameter validation is based on parameter definitions like those in the Action API, using the new ParamValidator library. Handlers should use the provided Handler methods to access parameters rather than fetching them directly from the RequestInterface. Body validation allows the handler to have the (non-form-data) body of a request parsed and validated. The only validator included in this patch ignores the body entirely; future patches may implement validation for JSON bodies based on JSON schemas, or the like. Bug: T223239 Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5 2019-06-12 19:51:59 +00:00			`$router = $this->createRouter( [ 'read' => true, 'writeapi' => true ], $request );`
REST: add write access checks to BasicAccess This is a stub implementation which just checks for the apiwrite permission. Change-Id: Ib84cd93e7f0f5e31cf620b2d30609035c4448c95 2019-07-09 02:39:06 +00:00			`$response = $router->execute( $request );`

			`$this->assertSame( 200, $response->getStatusCode() );`
			`}`
REST: basic read restrictions Protect private wikis by providing basic read restrictions, closely following the example of the action API. The BasicAccess module provides a narrow interface for this functionality, without exposing the whole session/user concept to the router. Also, add RouterTest and fix a bug in Router::getRelativePath() thus discovered. Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5 2019-06-26 02:33:35 +00:00			`}`