diff --git a/admin/inc/class.admin_cmd_acl.inc.php b/admin/inc/class.admin_cmd_acl.inc.php index 835e78ff40..9601df106c 100644 --- a/admin/inc/class.admin_cmd_acl.inc.php +++ b/admin/inc/class.admin_cmd_acl.inc.php @@ -64,7 +64,7 @@ class admin_cmd_acl extends admin_cmd $old_rights = (int)$GLOBALS['egw']->acl->get_specific_rights_for_account($account_id, $location, $app); - $new_rights = $old_rights + (($this->allow ? 1 : -1) * $rights); + $new_rights = max(0,$old_rights + (($this->allow ? 1 : -1) * $rights)); $this->set = $new_rights; $this->old = $old_rights; diff --git a/admin/tests/AclCommandTest.php b/admin/tests/AclCommandTest.php new file mode 100644 index 0000000000..dac9aeb894 --- /dev/null +++ b/admin/tests/AclCommandTest.php @@ -0,0 +1,316 @@ + array( + 'account_lid' => 'ACL Test Group', + 'account_members' => $GLOBALS['egw_info']['user']['account_id'] + )); + + if($group_id = $GLOBALS['egw']->accounts->name2id($group['set']['account_lid'])) + { + // Already exists, something went wrong + $GLOBALS['egw']->accounts->delete($group_id); + } + $group_cmd = new admin_cmd_edit_group($group); + $group_cmd->comment = 'Needed for unit test ' . $this->getName(); + $group_cmd->run(); + $this->group_id = $group_cmd->account; + $this->assertNotEmpty($this->group_id, 'Did not create test group account'); + + // Make a new user so we have clean ACL, and it doesn't matter if something + // goes wrong + $account = array( + 'account_lid' => 'acl_test', + 'account_firstname' => 'Alice', + 'account_middlename' => 'Charles Lima', + 'account_lastname' => 'Test', + 'account_primary_group' => $this->group_id, + 'account_groups' => array($this->group_id) + ); + + if(($account_id = $GLOBALS['egw']->accounts->name2id($account['account_lid']))) + { + // Delete if there in case something went wrong + $GLOBALS['egw']->accounts->delete($account_id); + } + + $command = new admin_cmd_edit_user(false, $account); + $command->comment = 'Needed for unit test ' . $this->getName(); + $command->run(); + $this->account_id = $command->account; + $this->assertNotEmpty($this->account_id, 'Did not create test user account'); + } + + public function tearDown() + { + // Delete the accounts we created + if($this->group_id) + { + $GLOBALS['egw']->accounts->delete($this->group_id); + } + if($this->account_id) + { + $GLOBALS['egw']->accounts->delete($this->account_id); + } + parent::tearDown(); + } + + /** + * Test giving a user access to another user's data + */ + public function testAddForUserWhenEmpty() + { + // Set up + $data = array( + 'allow' => true, + 'account' => $this->account_id, + 'app' => static::APP, + 'location' => $GLOBALS['egw_info']['user']['account_id'], + 'rights' => Acl::ADD, + 'comment' => 'Giving add rights as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check + $acl = new Acl($this->account_id); + $this->assertTrue($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals($data['rights'], $acl->get_specific_rights($data['location'], $data['app'])); + } + + /** + * Test removing access to another user's data + */ + public function testRemoveForUserToEmpty() + { + // Set up + $acl = new Acl($this->account_id); + $acl->add_repository(static::APP, $GLOBALS['egw_info']['user']['account_id'], $this->account_id, Acl::ADD); + $acl->read_repository(); + + $data = array( + 'allow' => false, + 'account' => $this->account_id, + 'app' => static::APP, + 'location' => $GLOBALS['egw_info']['user']['account_id'], + 'rights' => Acl::ADD, + 'comment' => 'Removing add rights as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check + $acl->read_repository(); + $this->assertFalse($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals(0, $acl->get_specific_rights($data['location'], $data['app'])); + } + + /** + * Test adding access when there are already permissions + */ + public function testAddForUser() + { + // Set up + $acl = new Acl($this->account_id); + $acl->add_repository(static::APP, $GLOBALS['egw_info']['user']['account_id'], $this->account_id, Acl::READ|Acl::ADD|Acl::EDIT); + $acl->read_repository(); + + // Run - remove delete + $data = array( + 'allow' => true, + 'account' => $this->account_id, + 'app' => static::APP, + 'location' => $GLOBALS['egw_info']['user']['account_id'], + 'rights' => Acl::DELETE, + 'comment' => 'Giving delete rights as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check + $acl = new Acl($this->account_id); + $this->assertTrue($acl->check($data['location'], Acl::READ, static::APP)); + $this->assertTrue($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertTrue($acl->check($data['location'], Acl::EDIT, static::APP)); + $this->assertTrue($acl->check($data['location'], Acl::DELETE, static::APP)); + $this->assertEquals(Acl::READ|Acl::ADD|Acl::EDIT|Acl::DELETE, $acl->get_specific_rights($data['location'], $data['app'])); + } + + /** + * Test removing access when there are already permissions, and leaving some + */ + public function testRemoveForUser() + { + // Set up + $acl = new Acl($this->account_id); + $acl->add_repository(static::APP, $GLOBALS['egw_info']['user']['account_id'], $this->account_id, Acl::READ|Acl::ADD|Acl::EDIT|Acl::DELETE); + $acl->read_repository(); + + // Run - remove delete + $data = array( + 'allow' => false, + 'account' => $this->account_id, + 'app' => static::APP, + 'location' => $GLOBALS['egw_info']['user']['account_id'], + 'rights' => Acl::DELETE, + 'comment' => 'Removing delete rights as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check + $acl = new Acl($this->account_id); + $this->assertTrue($acl->check($data['location'], Acl::READ, static::APP)); + $this->assertTrue($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertTrue($acl->check($data['location'], Acl::EDIT, static::APP)); + $this->assertFalse($acl->check($data['location'], Acl::DELETE, static::APP)); + $this->assertEquals(Acl::READ|Acl::ADD|Acl::EDIT, $acl->get_specific_rights($data['location'], $data['app'])); + } + + /** + * Test giving a group access to a user's data + */ + public function testAddForGroupWhenEmpty() + { + // Set up + $data = array( + 'allow' => true, + 'account' => $this->group_id, + 'app' => static::APP, + 'location' => $GLOBALS['egw_info']['user']['account_id'], + 'rights' => Acl::ADD, + 'comment' => 'Giving add rights to a group as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check group + $acl = new Acl($this->group_id); + $this->assertTrue($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals($data['rights'], $acl->get_specific_rights($data['location'], $data['app'])); + + // Check that user gets it too + $acl = new Acl($this->account_id); + $this->assertTrue($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals($data['rights'], $acl->get_rights($data['location'], $data['app'])); + } + + /** + * Test removing group access + */ + public function testRemoveForGroupToEmpty() + { + // Set up + $acl = new Acl($this->group_id); + $acl->add_repository(static::APP, $GLOBALS['egw_info']['user']['account_id'], $this->group_id, Acl::ADD); + $acl->read_repository(); + + $data = array( + 'allow' => false, + 'account' => $this->group_id, + 'app' => static::APP, + 'location' => $GLOBALS['egw_info']['user']['account_id'], + 'rights' => Acl::ADD, + 'comment' => 'Removing add rights from a group as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check group + $acl = new Acl($this->group_id); + $this->assertFalse($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals(0, $acl->get_specific_rights($data['location'], $data['app'])); + + // Check that user gets it too + $acl = new Acl($this->account_id); + $acl->read_repository(); + $this->assertFalse($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals(0, $acl->get_rights($data['location'], $data['app'])); + } + + + /** + * Test adding access to a non-numeric location, such as a category or a + * specific record. + */ + public function testAddForEntry() + { + // Set up + $data = array( + 'allow' => true, + 'account' => $this->account_id, + 'app' => static::APP, + 'location' => 'A' . $GLOBALS['egw_info']['user']['person_id'], + 'rights' => Acl::EDIT, + 'comment' => 'Adding edit rights as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check + $acl = new Acl($this->account_id); + $this->assertTrue($acl->check($data['location'], Acl::EDIT, static::APP)); + $this->assertEquals($data['rights'], $acl->get_specific_rights($data['location'], $data['app'])); + } + + /** + * Test removing access from a non-numeric location, such as a category or a + * specific record. + */ + public function testRemoveForEntry() + { + // Set up + $acl = new Acl($this->account_id); + $acl->add_repository(static::APP, 'A' . $GLOBALS['egw_info']['user']['person_id'], $this->account_id, Acl::ADD); + $acl->read_repository(); + + $data = array( + 'allow' => false, + 'account' => $this->account_id, + 'app' => static::APP, + 'location' => 'A' . $GLOBALS['egw_info']['user']['person_id'], + 'rights' => Acl::ADD, + 'comment' => 'Removing add rights as part of unit test ' . $this->getName() + ); + $command = new admin_cmd_acl($data); + $command->run(); + + // Check + $acl->read_repository(); + $this->assertFalse($acl->check($data['location'], Acl::ADD, static::APP)); + $this->assertEquals(0, $acl->get_specific_rights($data['location'], $data['app'])); + } +} diff --git a/admin/tests/CommandBase.php b/admin/tests/CommandBase.php new file mode 100644 index 0000000000..f98ddc6ab4 --- /dev/null +++ b/admin/tests/CommandBase.php @@ -0,0 +1,25 @@ +