2022-10-09 15:14:16 -07:00
|
|
|
<?php
|
|
|
|
|
|
2024-03-12 22:39:16 -04:00
|
|
|
namespace App\Tests\Integration\Api\Client\Server\Subuser;
|
2022-10-09 15:14:16 -07:00
|
|
|
|
2025-12-11 14:34:27 +01:00
|
|
|
use App\Enums\SubuserPermission;
|
2025-09-24 13:34:19 +02:00
|
|
|
use App\Models\Subuser;
|
|
|
|
|
use App\Models\User;
|
2024-03-12 22:39:16 -04:00
|
|
|
use App\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
|
2025-12-28 08:00:59 +07:00
|
|
|
use Illuminate\Support\Facades\Context;
|
2024-03-23 16:10:47 -04:00
|
|
|
use Illuminate\Support\Facades\Http;
|
2022-10-09 15:14:16 -07:00
|
|
|
|
|
|
|
|
class UpdateSubuserTest extends ClientApiIntegrationTestCase
|
|
|
|
|
{
|
|
|
|
|
/**
|
|
|
|
|
* Test that the correct permissions are applied to the account when making updates
|
|
|
|
|
* to a subusers permissions.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_correct_permissions_are_required_for_updating(): void
|
2022-10-09 15:14:16 -07:00
|
|
|
{
|
|
|
|
|
[$user, $server] = $this->generateTestAccount(['user.read']);
|
|
|
|
|
|
2024-03-23 16:10:47 -04:00
|
|
|
Http::fake();
|
|
|
|
|
|
2022-10-09 15:14:16 -07:00
|
|
|
$subuser = Subuser::factory()
|
|
|
|
|
->for(User::factory()->create())
|
|
|
|
|
->for($server)
|
|
|
|
|
->create([
|
|
|
|
|
'permissions' => ['control.start'],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->postJson(
|
|
|
|
|
$endpoint = "/api/client/servers/$server->uuid/users/{$subuser->user->uuid}",
|
|
|
|
|
$data = [
|
|
|
|
|
'permissions' => [
|
|
|
|
|
'control.start',
|
|
|
|
|
'control.stop',
|
|
|
|
|
],
|
|
|
|
|
]
|
|
|
|
|
)
|
|
|
|
|
->assertUnauthorized();
|
|
|
|
|
|
|
|
|
|
$this->actingAs($subuser->user)->postJson($endpoint, $data)->assertForbidden();
|
|
|
|
|
$this->actingAs($user)->postJson($endpoint, $data)->assertForbidden();
|
|
|
|
|
|
2025-12-28 08:00:59 +07:00
|
|
|
// When running the tests, the context is function-scoped instead of request-scoped, so we have to flush it
|
|
|
|
|
Context::flush();
|
|
|
|
|
|
2022-10-09 15:14:16 -07:00
|
|
|
$server->subusers()->where('user_id', $user->id)->update([
|
|
|
|
|
'permissions' => [
|
2025-12-11 14:34:27 +01:00
|
|
|
SubuserPermission::UserUpdate,
|
|
|
|
|
SubuserPermission::ControlStart,
|
|
|
|
|
SubuserPermission::ControlStop,
|
2022-10-09 15:14:16 -07:00
|
|
|
],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
$this->postJson($endpoint, $data)->assertOk();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Tests that permissions for the account are updated and any extraneous values
|
|
|
|
|
* we don't know about are removed.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_permissions_are_saved_to_account(): void
|
2022-10-09 15:14:16 -07:00
|
|
|
{
|
|
|
|
|
[$user, $server] = $this->generateTestAccount();
|
|
|
|
|
|
2024-03-12 22:39:16 -04:00
|
|
|
/** @var \App\Models\Subuser $subuser */
|
2022-10-09 15:14:16 -07:00
|
|
|
$subuser = Subuser::factory()
|
|
|
|
|
->for(User::factory()->create())
|
|
|
|
|
->for($server)
|
|
|
|
|
->create([
|
|
|
|
|
'permissions' => ['control.restart', 'websocket.connect', 'foo.bar'],
|
|
|
|
|
]);
|
|
|
|
|
|
2024-03-23 16:10:47 -04:00
|
|
|
Http::fake();
|
|
|
|
|
|
2022-10-09 15:14:16 -07:00
|
|
|
$this->actingAs($user)
|
|
|
|
|
->postJson("/api/client/servers/$server->uuid/users/{$subuser->user->uuid}", [
|
|
|
|
|
'permissions' => [
|
|
|
|
|
'control.start',
|
|
|
|
|
'control.stop',
|
|
|
|
|
'control.stop',
|
|
|
|
|
'foo.bar',
|
|
|
|
|
'power.fake',
|
|
|
|
|
],
|
|
|
|
|
])
|
|
|
|
|
->assertOk();
|
|
|
|
|
|
|
|
|
|
$subuser->refresh();
|
|
|
|
|
$this->assertEqualsCanonicalizing(
|
|
|
|
|
['control.start', 'control.stop', 'websocket.connect'],
|
|
|
|
|
$subuser->permissions
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Ensure a subuser cannot assign permissions to an account that they do not have
|
|
|
|
|
* themselves.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_user_cannot_assign_permissions_they_do_not_have(): void
|
2022-10-09 15:14:16 -07:00
|
|
|
{
|
2025-12-11 14:34:27 +01:00
|
|
|
[$user, $server] = $this->generateTestAccount([SubuserPermission::UserRead, SubuserPermission::UserUpdate]);
|
2022-10-09 15:14:16 -07:00
|
|
|
|
|
|
|
|
$subuser = Subuser::factory()
|
|
|
|
|
->for(User::factory()->create())
|
|
|
|
|
->for($server)
|
|
|
|
|
->create(['permissions' => ['foo.bar']]);
|
|
|
|
|
|
|
|
|
|
$this->actingAs($user)
|
|
|
|
|
->postJson("/api/client/servers/$server->uuid/users/{$subuser->user->uuid}", [
|
2025-12-11 14:34:27 +01:00
|
|
|
'permissions' => [SubuserPermission::UserRead, SubuserPermission::ControlConsole],
|
2022-10-09 15:14:16 -07:00
|
|
|
])
|
|
|
|
|
->assertForbidden();
|
|
|
|
|
|
|
|
|
|
$this->assertEqualsCanonicalizing(['foo.bar'], $subuser->refresh()->permissions);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test that a user cannot update thyself.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_user_cannot_update_self(): void
|
2022-10-09 15:14:16 -07:00
|
|
|
{
|
2025-12-11 14:34:27 +01:00
|
|
|
[$user, $server] = $this->generateTestAccount([SubuserPermission::UserRead, SubuserPermission::UserUpdate]);
|
2022-10-09 15:14:16 -07:00
|
|
|
|
|
|
|
|
$this->actingAs($user)
|
|
|
|
|
->postJson("/api/client/servers/$server->uuid/users/$user->uuid", [])
|
|
|
|
|
->assertForbidden();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Test that an error is returned if you attempt to update a subuser on a different account.
|
|
|
|
|
*/
|
2025-02-25 14:22:07 +01:00
|
|
|
public function test_cannot_update_subuser_for_different_server(): void
|
2022-10-09 15:14:16 -07:00
|
|
|
{
|
|
|
|
|
[$user, $server] = $this->generateTestAccount();
|
|
|
|
|
[$user2] = $this->generateTestAccount(['foo.bar']);
|
|
|
|
|
|
|
|
|
|
$this->actingAs($user)
|
|
|
|
|
->postJson("/api/client/servers/$server->uuid/users/$user2->uuid", [])
|
|
|
|
|
->assertNotFound();
|
|
|
|
|
}
|
|
|
|
|
}
|
