1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
<?php
/*
* Copyright 2015-2016 Florian "Bluewind" Pritz <bluewind@server-speed.net>
*
* Licensed under AGPLv3
* (see COPYING for full license text)
*
*/
namespace test\tests\api_v2;
class test_api_permissions extends common {
public function __construct()
{
parent::__construct();
$this->startServer(23200);
$this->userCounter = 100;
}
public function test_callPrivateEndpointsWithoutApikey()
{
$endpoints = array(
"file/upload",
"file/history",
"file/delete",
"file/create_multipaste",
"user/apikeys",
"user/create_apikey",
"user/delete_apikey",
);
foreach ($endpoints as $endpoint) {
$ret = $this->CallEndpoint("POST", $endpoint, array(
));
$this->expectError("call $endpoint without apikey", $ret);
$this->t->is_deeply(array(
'status' => 'error',
'error_id' => 'api/not-authenticated',
'message' => 'Not authenticated. FileBin requires you to have an account, please go to the homepage at http://127.0.0.1:23200/ for more information.',
), $ret, "expected error");
}
}
public function test_callPrivateEndpointsWithUnsupportedAuthentication()
{
$endpoints = array(
"file/upload",
"file/history",
"file/delete",
"file/create_multipaste",
"user/apikeys",
// create_apikey is the only one that supports username/pw
//"user/create_apikey",
"user/delete_apikey",
);
foreach ($endpoints as $endpoint) {
$ret = $this->CallEndpoint("POST", $endpoint, array(
"username" => "apiv2testuser1",
"password" => "testpass1",
));
$this->expectError("call $endpoint without apikey", $ret);
$this->t->is_deeply(array(
'status' => 'error',
'error_id' => 'api/not-authenticated',
'message' => 'Not authenticated. FileBin requires you to have an account, please go to the homepage at http://127.0.0.1:23200/ for more information.',
), $ret, "expected error");
}
}
public function test_callEndpointsWithoutEnoughPermissions()
{
$testconfig = array(
array(
"have_level" => "basic",
"wanted_level" => "apikey",
"apikey" => $this->createUserAndApikey('basic'),
"endpoints" => array(
"file/delete",
"file/history",
),
),
array(
"have_level" => "apikey",
"wanted_level" => "full",
"apikey" => $this->createUserAndApikey(),
"endpoints" => array(
"user/apikeys",
"user/create_apikey",
"user/delete_apikey",
),
),
);
foreach ($testconfig as $test) {
foreach ($test['endpoints'] as $endpoint) {
$ret = $this->CallEndpoint("POST", $endpoint, array(
"apikey" => $test['apikey'],
));
$this->expectError("call $endpoint without enough permissions", $ret);
$this->t->is_deeply(array(
'status' => "error",
'error_id' => "api/insufficient-permissions",
'message' => "Access denied: Access level too low. Required: {$test['wanted_level']}; Have: {$test['have_level']}",
), $ret, "expected permission error");
}
}
}
}
|