From 37149ec831d15f1630dc3dc48ca44c0747a89fba Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Wed, 22 Mar 2017 22:07:14 -0400
Subject: [PATCH] Working on user ticket security checker

---
 api/BusinessLogic/Security/UserPrivilege.php | 1 +
 .../Security/UserToTicketChecker.php | 26 ++++++
 .../Security/UserToTicketCheckerTest.php | 88 +++++++++++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 api/BusinessLogic/Security/UserToTicketChecker.php
 create mode 100644 api/Tests/BusinessLogic/Security/UserToTicketCheckerTest.php

diff --git a/api/BusinessLogic/Security/UserPrivilege.php b/api/BusinessLogic/Security/UserPrivilege.php
index 8344d31d..4f2fb281 100644
--- a/api/BusinessLogic/Security/UserPrivilege.php
+++ b/api/BusinessLogic/Security/UserPrivilege.php
@@ -12,4 +12,5 @@ namespace BusinessLogic\Security;
 class UserPrivilege {
 const CAN_VIEW_TICKETS = 'can_view_tickets';
 const CAN_REPLY_TO_TICKETS = 'can_reply_tickets';
+ const CAN_EDIT_TICKETS = 'can_edit_tickets';
 }
\ No newline at end of file
diff --git a/api/BusinessLogic/Security/UserToTicketChecker.php b/api/BusinessLogic/Security/UserToTicketChecker.php
new file mode 100644
index 00000000..3b0c54dc
--- /dev/null
+++ b/api/BusinessLogic/Security/UserToTicketChecker.php
@@ -0,0 +1,26 @@
+admin === true ||
+ (in_array($ticket->categoryId, $user->categories) &&
+ in_array(UserPrivilege::CAN_VIEW_TICKETS, $user->permissions));
+
+ return $isEditing
+ ? $hasAccess && in_array(UserPrivilege::CAN_EDIT_TICKETS, $user->permissions)
+ : $hasAccess;
+ }
+}
\ No newline at end of file
diff --git a/api/Tests/BusinessLogic/Security/UserToTicketCheckerTest.php b/api/Tests/BusinessLogic/Security/UserToTicketCheckerTest.php
new file mode 100644
index 00000000..0a1eae4d
--- /dev/null
+++ b/api/Tests/BusinessLogic/Security/UserToTicketCheckerTest.php
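Review bot: The three `in_array` calls in the new UserToTicketChecker hunk use loose (`==`) comparison, so the category membership test can match across types: with a ticket whose `categoryId` is null or 0 and a `categories` list containing 0 or a non-numeric string, PHP's loose comparison (at least on the PHP 5/7 versions current for this code) treats them as equal and grants access to a ticket the user was never assigned. Pass the strict flag on all three: `(in_array($ticket->categoryId, $user->categories, true) &&`, `in_array(UserPrivilege::CAN_VIEW_TICKETS, $user->permissions, true));` and `? $hasAccess && in_array(UserPrivilege::CAN_EDIT_TICKETS, $user->permissions, true)`. Strict comparison presumes `categoryId` and the entries of `categories` share a type (both ints); if one side arrives from the database as a string, cast it at the point it is loaded rather than relaxing the check here — confirm against UserContext and Ticket. The method signature and the start of the class are not legible in this rendering of the hunk, so the parameter list (including the `$heskSettings` argument the tests pass) could not be reviewed.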
@@ -0,0 +1,88 @@
+userToTicketChecker = new UserToTicketChecker();
+ }
+
+ function testItReturnsTrueWhenTheUserIsAnAdmin() {
+ //-- Arrange
+ $user = new UserContext();
+ $user->admin = true;
+
+ $ticket = new Ticket();
+
+ //-- Act
+ $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);
+
+ //-- Assert
+ self::assertThat($result, self::isTrue());
+ }
+
+ function testItReturnsTrueWhenTheUserHasAccessToTheCategory() {
+ //-- Arrange
+ $user = new UserContext();
+ $user->admin = false;
+ $user->categories = array(1);
+ $user->permissions = array(UserPrivilege::CAN_VIEW_TICKETS);
+
+ $ticket = new Ticket();
+ $ticket->categoryId = 1;
+
+ //-- Act
+ $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);
+
+ //-- Assert
+ self::assertThat($result, self::isTrue());
+ }
+
+ function testItReturnsFalseWhenTheUserCannotViewTickets() {
+ //-- Arrange
+ $user = new UserContext();
+ $user->admin = false;
+ $user->categories = array(1);
+ $user->permissions = array();
+
+ $ticket = new Ticket();
+ $ticket->categoryId = 1;
+
+ //-- Act
+ $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);
+
+ //-- Assert
+ self::assertThat($result, self::isFalse());
+ }
+
+ function testItReturnsFalseWhenTheUserCannotViewAndEditTicketsWhenEditFlagIsTrue() {
+ //-- Arrange
+ $user = new UserContext();
+ $user->admin = false;
+ $user->categories = array(1);
+ $user->permissions = array(UserPrivilege::CAN_VIEW_TICKETS, 'something else');
+
+ $ticket = new Ticket();
+ $ticket->categoryId = 1;
+
+ //-- Act
+ $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, true, $this->heskSettings);
+
+ //-- Assert
+ self::assertThat($result, self::isFalse());
+ }
+
+ //-- TODO Category Manager
+}
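Review bot: The new test class never exercises the category check negatively: every non-admin case puts the ticket in category 1 and gives the user `array(1)`, so a regression that dropped the `in_array($ticket->categoryId, $user->categories)` clause from the checker would still pass all four tests. Add a case where the user holds CAN_VIEW_TICKETS but the ticket sits in a category the user is not assigned, asserting false; the test below follows the Arrange/Act/Assert layout used by the others. A second gap is the admin path with the edit flag set — `testItReturnsTrueWhenTheUserIsAnAdmin` only passes `false`, so whether an admin without 'can_edit_tickets' is meant to be refused an edit is neither decided nor pinned; add a test once the intended behaviour is confirmed. The `setUp` method and the class header fall before the legible part of this hunk, so the origin of `$this->heskSettings` could not be checked.
```php
    function testItReturnsFalseWhenTheTicketIsOutsideTheUsersCategories() {
        //-- Arrange
        $user = new UserContext();
        $user->admin = false;
        $user->categories = array(2);
        $user->permissions = array(UserPrivilege::CAN_VIEW_TICKETS);

        $ticket = new Ticket();
        $ticket->categoryId = 1;

        //-- Act
        $result = $this->userToTicketChecker->isTicketWritableToUser($user, $ticket, false, $this->heskSettings);

        //-- Assert
        self::assertThat($result, self::isFalse());
    }
```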