Add tighter control on project owner management (#3194)
imnasnainaec authored Oct 7, 2024
1 parent f34f053 commit f36a699
Showing 5 changed files with 445 additions and 36 deletions.
193 changes: 166 additions & 27 deletions Backend.Tests/Controllers/UserRoleControllerTests.cs
Expand Up @@ -48,7 +48,12 @@ public async Task Setup()
_projId = (await _projRepo.Create(new Project { Name = "UserRoleControllerTests" }))!.Id;
}

private UserRole RandomUserRole(Role role = Role.Harvester)
private ProjectRole ProjectRoleInProj(Role role = Role.Harvester)
{
return new ProjectRole { ProjectId = _projId, Role = role };
}

private UserRole UserRoleInProj(Role role = Role.Harvester)
{
return new UserRole { ProjectId = _projId, Role = role };
}
Expand All @@ -59,7 +64,7 @@ public async Task TestGetAllUserRoles()
var roles = new List<Role> { Role.Harvester, Role.Editor, Role.Administrator };
foreach (var role in roles)
{
await _userRoleRepo.Create(RandomUserRole(role));
await _userRoleRepo.Create(UserRoleInProj(role));
}

var getResult = await _userRoleController.GetProjectUserRoles(_projId);
Expand Down Expand Up @@ -97,14 +102,14 @@ public async Task TestHasPermissionNotAuthorized()
[Test]
public async Task TestGetCurrentPermissions()
{
var userRole = await _userRoleRepo.Create(RandomUserRole());
var userRole = await _userRoleRepo.Create(UserRoleInProj());
var user = await _userRepo.Create(new User());
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(user!.Id);
user.ProjectRoles[_projId] = userRole.Id;
await _userRepo.Update(user.Id, user);

await _userRoleRepo.Create(RandomUserRole());
await _userRoleRepo.Create(RandomUserRole());
await _userRoleRepo.Create(UserRoleInProj());
await _userRoleRepo.Create(UserRoleInProj());

var result = await _userRoleController.GetCurrentPermissions(_projId);
Assert.That(result, Is.InstanceOf<ObjectResult>());
Expand Down Expand Up @@ -179,7 +184,7 @@ public async Task TestGetCurrentPermissionsNotAuthorized()
[Test]
public async Task TestCreateUserRole()
{
var userRole = RandomUserRole();
var userRole = UserRoleInProj();
var id = (string)((ObjectResult)await _userRoleController.CreateUserRole(_projId, userRole)).Value!;
userRole.Id = id;
Assert.That(await _userRoleRepo.GetAllUserRoles(_projId), Does.Contain(userRole));
Expand All @@ -188,7 +193,7 @@ public async Task TestCreateUserRole()
[Test]
public async Task TestCreateUserRolesMissingProject()
{
var userRole = RandomUserRole();
var userRole = UserRoleInProj();
var result = await _userRoleController.CreateUserRole(MissingId, userRole);
Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());
}
Expand All @@ -197,20 +202,29 @@ public async Task TestCreateUserRolesMissingProject()
public async Task TestCreateUserRolesNoPermission()
{
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
var userRole = await _userRoleRepo.Create(RandomUserRole());
var userRole = await _userRoleRepo.Create(UserRoleInProj());
var result = await _userRoleController.CreateUserRole(_projId, userRole);
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestCreateUserRolesSecondOwner()
{
var firstOwner = await _userRoleController.CreateUserRole(_projId, UserRoleInProj(Role.Owner));
Assert.That(firstOwner, Is.InstanceOf<OkObjectResult>());
var secondOwner = await _userRoleController.CreateUserRole(_projId, UserRoleInProj(Role.Owner));
Assert.That(secondOwner, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestUpdateUserRole()
{
var userRole = RandomUserRole(Role.Harvester);
var userRole = UserRoleInProj(Role.Harvester);
await _userRoleRepo.Create(userRole);
var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
var userId = (await _userRepo.Create(user))!.Id;
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(userId);
var projectRole = new ProjectRole { ProjectId = _projId, Role = Role.Editor };
var projectRole = ProjectRoleInProj(Role.Editor);
await _userRoleController.UpdateUserRole(userId, projectRole);
var result = await _userRoleController.GetCurrentPermissions(_projId);

Expand All @@ -226,21 +240,20 @@ public async Task TestUpdateUserRole()
[Test]
public async Task TestUpdateUserRoleNoChange()
{
var userRole = RandomUserRole(Role.Harvester);
var userRole = UserRoleInProj(Role.Harvester);
await _userRoleRepo.Create(userRole);
var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
var userId = (await _userRepo.Create(user))!.Id;
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(userId);
var projectRole = new ProjectRole { ProjectId = _projId, Role = userRole.Role };
var result = await _userRoleController.UpdateUserRole(userId, projectRole);
var result = await _userRoleController.UpdateUserRole(userId, ProjectRoleInProj(userRole.Role));
Assert.That(((ObjectResult)result).StatusCode, Is.EqualTo(StatusCodes.Status304NotModified));
}

[Test]
public async Task TestCreateNewUpdateUserRole()
{
var userId = (await _userRepo.Create(new User()))!.Id;
var projectRole = new ProjectRole { ProjectId = _projId, Role = Role.Editor };
var projectRole = ProjectRoleInProj(Role.Editor);
var updateResult = await _userRoleController.UpdateUserRole(userId, projectRole);
var newUserRoleId = (string)((OkObjectResult)updateResult).Value!;
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.HttpContextWithUserId(userId);
Expand All @@ -258,12 +271,11 @@ public async Task TestCreateNewUpdateUserRole()
[Test]
public async Task TestUpdateUserRolesMissingIds()
{
var projectRole = new ProjectRole { ProjectId = _projId, Role = Role.Editor };

var projectRole = ProjectRoleInProj(Role.Editor);
var missingUserIdResult = await _userRoleController.UpdateUserRole(MissingId, projectRole);
Assert.That(missingUserIdResult, Is.InstanceOf<NotFoundObjectResult>());

var userRoleId = (await _userRoleRepo.Create(RandomUserRole(Role.Harvester))).Id;
var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Harvester))).Id;
projectRole.ProjectId = MissingId;
var missingProjIdResult = await _userRoleController.UpdateUserRole(userRoleId, projectRole);
Assert.That(missingProjIdResult, Is.InstanceOf<NotFoundObjectResult>());
Expand All @@ -273,15 +285,35 @@ public async Task TestUpdateUserRolesMissingIds()
public async Task TestUpdateUserRolesNoPermission()
{
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
var userRoleId = (await _userRoleRepo.Create(RandomUserRole(Role.Harvester))).Id;
var result = await _userRoleController.UpdateUserRole(userRoleId, new ProjectRole());
var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Harvester))).Id;
var result = await _userRoleController.UpdateUserRole(userRoleId, ProjectRoleInProj());
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestUpdateUserRolesToOwner()
{
var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Administrator))).Id;
var user = new User { ProjectRoles = { [_projId] = userRoleId } };
var userId = (await _userRepo.Create(user))!.Id;
var result = await _userRoleController.UpdateUserRole(userId, ProjectRoleInProj(Role.Owner));
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestUpdateUserRolesFromOwner()
{
var userRoleId = (await _userRoleRepo.Create(UserRoleInProj(Role.Owner))).Id;
var user = new User { ProjectRoles = { [_projId] = userRoleId } };
var userId = (await _userRepo.Create(user))!.Id;
var result = await _userRoleController.UpdateUserRole(userId, ProjectRoleInProj(Role.Administrator));
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestDeleteUserRole()
{
var userRole = RandomUserRole();
var userRole = UserRoleInProj();
await _userRoleRepo.Create(userRole);
var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
var userId = (await _userRepo.Create(user))!.Id;
Expand All @@ -305,16 +337,30 @@ public async Task TestDeleteUserRole()
public async Task TestDeleteUserRoleNoPermission()
{
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
var userRole = await _userRoleRepo.Create(RandomUserRole());
var result = await _userRoleController.DeleteUserRole(_projId, userRole.Id);
var userRole = await _userRoleRepo.Create(UserRoleInProj());
var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
var userId = (await _userRepo.Create(user))!.Id;
var result = await _userRoleController.DeleteUserRole(_projId, userId);
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestDeleteUserRoleOwner()
{
var userRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
var userId = (await _userRepo.Create(user))!.Id;
var result = await _userRoleController.DeleteUserRole(_projId, userId);
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestDeleteUserRoleMissingIds()
{
var userRole = await _userRoleRepo.Create(RandomUserRole());
var projectResult = await _userRoleController.DeleteUserRole(MissingId, userRole.Id);
var userRole = await _userRoleRepo.Create(UserRoleInProj());
var user = new User { ProjectRoles = { [_projId] = userRole.Id } };
var userId = (await _userRepo.Create(user))!.Id;
var projectResult = await _userRoleController.DeleteUserRole(MissingId, userId);
Assert.That(projectResult, Is.InstanceOf<NotFoundObjectResult>());

var wordResult = await _userRoleController.DeleteUserRole(_projId, MissingId);
Expand All @@ -324,9 +370,9 @@ public async Task TestDeleteUserRoleMissingIds()
[Test]
public async Task TestDeleteAllUserRoles()
{
await _userRoleRepo.Create(RandomUserRole());
await _userRoleRepo.Create(RandomUserRole());
await _userRoleRepo.Create(RandomUserRole());
await _userRoleRepo.Create(UserRoleInProj());
await _userRoleRepo.Create(UserRoleInProj());
await _userRoleRepo.Create(UserRoleInProj());

Assert.That(await _userRoleRepo.GetAllUserRoles(_projId), Has.Count.EqualTo(3));

Expand All @@ -348,5 +394,98 @@ public async Task TestDeleteAllUserRolesNoPermission()
var result = await _userRoleController.DeleteProjectUserRoles(_projId);
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestChangeOwnerNoPermission()
{
_userRoleController.ControllerContext.HttpContext = PermissionServiceMock.UnauthorizedHttpContext();
var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
var oldId = (await _userRepo.Create(oldOwner))!.Id;
var newId = (await _userRepo.Create(new()))!.Id;

var result = await _userRoleController.ChangeOwner(_projId, oldId, newId);
Assert.That(result, Is.InstanceOf<ForbidResult>());
}

[Test]
public async Task TestChangeOwnerSameId()
{
var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
var oldId = (await _userRepo.Create(oldOwner))!.Id;
var newId = (await _userRepo.Create(new()))!.Id;

var result = await _userRoleController.ChangeOwner(_projId, oldId, oldId);
Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());

result = await _userRoleController.ChangeOwner(_projId, newId, newId);
Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());
}

[Test]
public async Task TestChangeOwnerMissingProjectOrUser()
{
var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
var oldId = (await _userRepo.Create(oldOwner))!.Id;
var newId = (await _userRepo.Create(new()))!.Id;

var result = await _userRoleController.ChangeOwner(MissingId, oldId, newId);
Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());

result = await _userRoleController.ChangeOwner(_projId, MissingId, newId);
Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());

result = await _userRoleController.ChangeOwner(_projId, oldId, MissingId);
Assert.That(result, Is.InstanceOf<NotFoundObjectResult>());
}

[Test]
public async Task TestChangeOwnerOldUserNotOwner()
{
var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Editor));
var oldEditor = new User { ProjectRoles = { [_projId] = oldRole.Id } };
var oldEditorId = (await _userRepo.Create(oldEditor))!.Id;
var oldOtherId = (await _userRepo.Create(new()))!.Id;
var newId = (await _userRepo.Create(new()))!.Id;

var result = await _userRoleController.ChangeOwner(_projId, oldEditorId, newId);
Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());

result = await _userRoleController.ChangeOwner(_projId, oldOtherId, newId);
Assert.That(result, Is.InstanceOf<BadRequestObjectResult>());
}

[Test]
public async Task TestChangeOwnerNewRole()
{
var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
var oldId = (await _userRepo.Create(oldOwner))!.Id;
var newId = (await _userRepo.Create(new()))!.Id;

var result = await _userRoleController.ChangeOwner(_projId, oldId, newId);
Assert.That(result, Is.InstanceOf<OkObjectResult>());
Assert.That((await _userRoleRepo.GetUserRole(_projId, oldRole.Id))?.Role, Is.EqualTo(Role.Administrator));
var newRoleId = (await _userRepo.GetUser(newId))!.ProjectRoles[_projId];
Assert.That((await _userRoleRepo.GetUserRole(_projId, newRoleId))?.Role, Is.EqualTo(Role.Owner));
}

[Test]
public async Task TestChangeOwnerUpdateRole()
{
var oldRole = await _userRoleRepo.Create(UserRoleInProj(Role.Owner));
var oldOwner = new User { ProjectRoles = { [_projId] = oldRole.Id } };
var oldId = (await _userRepo.Create(oldOwner))!.Id;
var newRole = await _userRoleRepo.Create(UserRoleInProj());
var newOwner = new User { ProjectRoles = { [_projId] = newRole.Id } };
var newId = (await _userRepo.Create(newOwner))!.Id;

var result = await _userRoleController.ChangeOwner(_projId, oldId, newId);
Assert.That(result, Is.InstanceOf<OkObjectResult>());
Assert.That((await _userRoleRepo.GetUserRole(_projId, oldRole.Id))?.Role, Is.EqualTo(Role.Administrator));
Assert.That((await _userRoleRepo.GetUserRole(_projId, newRole.Id))?.Role, Is.EqualTo(Role.Owner));
}
}
}
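Review bot: The owner-guard tests (TestCreateUserRolesSecondOwner, TestUpdateUserRolesToOwner, TestUpdateUserRolesFromOwner, TestDeleteUserRoleOwner) only assert the ForbidResult and never check repository state after the rejected call, so a controller that returns Forbid but still persists the change before returning would pass. After each Forbid assertion, pin the invariant the commit is introducing, e.g. `Assert.That(await _userRoleRepo.GetAllUserRoles(_projId), Has.Exactly(1).Matches<UserRole>(r => r.Role == Role.Owner));` (in TestUpdateUserRolesToOwner, where no Owner exists, use `Has.None.Matches<UserRole>(...)`). The same single-Owner assertion would strengthen TestChangeOwnerNewRole and TestChangeOwnerUpdateRole, which currently verify the two roles individually but not that no other Owner role remains in the project. TestChangeOwnerNoPermission covers only an unauthorized context; if ChangeOwner is meant to be callable solely by the current owner, a case where the caller holds Administrator rather than Owner would document that boundary, though the controller's check is not visible in this diff.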