From 709ffe270355f8882beaa7966b4901b0d5810645 Mon Sep 17 00:00:00 2001 From: Alan Davis Date: Tue, 6 Dec 2016 17:04:39 +0000 Subject: [PATCH] Merged 5.2.0 (5.2.0) to HEAD (5.2) 132997 mward: Merged mward/5.2.n-repo1544-update-self (5.2.1) to 5.2.N (5.2.1) 132930 mward: REPO-1544: further tests (people can update themselves, except for 'enabled' flag) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@133374 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../alfresco/rest/api/tests/TestPeople.java | 80 +++++++++++++++---- .../api/tests/client/PublicApiClient.java | 7 +- 2 files changed, 69 insertions(+), 18 deletions(-) diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java index 244e6a6aec..fd5c2a1ffe 100644 --- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java +++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java 
@@ -776,14 +776,34 @@ public class TestPeople extends EnterpriseTestApi people.update("people", personId, null, null, "{\n" + " \"firstName\": \"Updated firstName\"\n" + "}", null, "Expected 401 response when updating " + personId, 401); } -// @Test -// public void testUpdatePersonNonSelfAndNonAdminDisallowed() throws PublicApiException -// { -// final String personId = account3PersonIt.next(); -// publicApiClient.setRequestContext(new RequestContext(account3.getId(), personId)); -// -// people.update("people", personId, null, null, "{\n" + " \"firstName\": \"Updated firstName\"\n" + "}", null, "Expected 403 response when updating " + personId, 403); -// } + @Test + public void testUpdatePersonNonSelfAndNonAdminDisallowed() throws PublicApiException + { + // TODO: this is bad, it seems that the test fixture isn't unique per test!? + final String personId = account1PersonIt.next(); + final String personToUpdateId = account1PersonIt.next(); + publicApiClient.setRequestContext(new RequestContext(account1.getId(), personId)); + + people.update(personToUpdateId, qjson("{ `firstName`:`Updated firstName` }"), 403); + + // TODO: temp fix, set back to orig firstName + publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin")); + people.update(personToUpdateId, qjson("{ `firstName`:`Bob` }"), 200); + } + + @Test + public void testUpdatePersonCanUpdateThemself() throws PublicApiException + { + final String personId = account1PersonIt.next(); + publicApiClient.setRequestContext(new RequestContext(account1.getId(), personId)); + + Person updatedPerson = people.update(personId, qjson("{ `firstName`: `Updated firstName` }"), 200); + assertEquals("Updated firstName", updatedPerson.getFirstName()); + + // TODO: temp fix, set back to orig firstName + publicApiClient.setRequestContext(new RequestContext(account1.getId(), account1Admin, "admin")); + people.update(personId, qjson("{ `firstName`:`Bill` }"), 200); + } @Test public void 
testUpdatePersonNonexistentPerson() throws PublicApiException 
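Review bot: The 403 path in testUpdatePersonNonSelfAndNonAdminDisallowed only checks the status code; it never verifies that the forbidden update left personToUpdateId untouched, so a handler that applied the change and then returned 403 would still pass. Capture the value before the call, `String origFirstName = people.getPerson(personToUpdateId).getFirstName();`, assert afterwards `assertEquals(origFirstName, people.getPerson(personToUpdateId).getFirstName());`, and restore with that captured value instead of the literal `Bob` (the same applies to the literal `Bill` in testUpdatePersonCanUpdateThemself), which is the capture-then-compare pattern testUpdatePersonEnabled already uses in the second hunk. That also removes the dependence on fixture first names that the "test fixture isn't unique per test" TODO complains about. If the non-admin context is not allowed to read another person's profile, do the capture and comparison under the admin context the test already switches to for the reset.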
@@ -928,24 +948,50 @@ public class TestPeople extends EnterpriseTestApi @Test public void testUpdatePersonEnabled() throws PublicApiException { + // Non-admin user ID final String personId = account3PersonIt.next(); - publicApiClient.setRequestContext(new RequestContext(account3.getId(), account3Admin, "admin")); - Boolean enabled = false; + // Use admin user credentials + publicApiClient.setRequestContext(new RequestContext(account3.getId(), account3Admin, "admin")); + + // Admin can toggle enabled flag: false + { + Boolean enabled = false; + Map params = Collections.singletonMap("fields", "enabled"); + Person updatedPerson = people.update(personId, qjson("{`enabled`:"+enabled+"}"), params, 200); - Map params = new HashMap<>(); - params.put("fields", "enabled"); + assertEquals(enabled, updatedPerson.isEnabled()); + } - HttpResponse response = people.update("people", personId, null, null, "{\n" + " \"enabled\": \"" + enabled + "\"\n" + "}", params, - "Expected 200 response when updating " + personId, 200); + // Admin can toggle enabled flag: true + { + Boolean enabled = true; + Map params = Collections.singletonMap("fields", "enabled"); + Person updatedPerson = people.update(personId, qjson("{`enabled`:"+enabled+"}"), params, 200); - Person updatedPerson = Person.parsePerson((JSONObject) response.getJsonResponse().get("entry")); + assertEquals(enabled, updatedPerson.isEnabled()); + } - assertEquals(enabled, updatedPerson.isEnabled()); + // Use non-admin user's own credentials + publicApiClient.setRequestContext(new RequestContext(account3.getId(), personId, "password")); + + // Non-admin cannot set enabled flag + { + boolean origEnabled = people.getPerson(personId).isEnabled(); + Boolean enabled = false; + // The test should change that we can't change this, otherwise it isn't effective + assertNotEquals(origEnabled, enabled); + + Map params = Collections.singletonMap("fields", "enabled"); + people.update(personId, qjson("{`enabled`:"+enabled+"}"), params, 403); + 
+ Person me = people.getPerson(personId); + assertEquals("Enabled state shouldn't have changed, but did", origEnabled, me.isEnabled()); + } } @Test - public void testUpdatePersonDisableAdminNotAllowed() throws PublicApiException + public void testUpdatePersonAdminCannotBeDisabled() throws PublicApiException { publicApiClient.setRequestContext(new RequestContext(account3.getId(), account3Admin, "admin")); diff --git a/source/test-java/org/alfresco/rest/api/tests/client/PublicApiClient.java b/source/test-java/org/alfresco/rest/api/tests/client/PublicApiClient.java index 4fb6e8042d..f2e3264cf5 100644 --- a/source/test-java/org/alfresco/rest/api/tests/client/PublicApiClient.java +++ b/source/test-java/org/alfresco/rest/api/tests/client/PublicApiClient.java @@ -1103,7 +1103,12 @@ public class PublicApiClient public Person update(String personId, String json, int expectedStatus) throws PublicApiException { - HttpResponse response = update("people", personId, null, null, json, null, "Failed to update person", expectedStatus); + return update(personId, json, null, expectedStatus); + } + + public Person update(String personId, String json, Map params, int expectedStatus) throws PublicApiException + { + HttpResponse response = update("people", personId, null, null, json, params, "Failed to update person", expectedStatus); if (response != null && response.getJsonResponse() != null) { JSONObject entry = (JSONObject) response.getJsonResponse().get("entry");
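Review bot: `Map params = Collections.singletonMap("fields", "enabled");` is declared with the raw Map type in all three blocks of testUpdatePersonEnabled, discarding the type Collections.singletonMap already provides; declare it once as `Map<String, String> params = Collections.singletonMap("fields", "enabled");` before the first block and drop the two copies, and give the new PublicApiClient.update overload in the third hunk a `Map<String, String> params` parameter to match (that hunk runs past the end of this excerpt). The comment `// The test should change that we can't change this, otherwise it isn't effective` reads as a typo; `// The flag must actually be flipped, otherwise a 403 proves nothing` states what the assertNotEquals guards. The `Boolean enabled` locals can be plain `boolean`, since assertEquals and assertNotEquals box them identically.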