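// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package app

import (
	"fmt"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/mattermost/mattermost-server/v5/model"
	"github.com/mattermost/mattermost-server/v5/plugin/plugintest/mock"
	"github.com/mattermost/mattermost-server/v5/store/storetest/mocks"
)

// TestCheckIfRolesGrantPermission checks RolesGrantPermission against a table
// of role sets and permission IDs. The table covers the positive case, an
// unknown permission ID, a role that lacks the permission, and both orderings
// of a two-role set in which only one role carries the permission.
func TestCheckIfRolesGrantPermission(t *testing.T) {
	th := Setup(t)
	defer th.TearDown()

	cases := []struct {
		roles        []string
		permissionId string
		shouldGrant  bool
	}{
		{[]string{model.SYSTEM_ADMIN_ROLE_ID}, model.PERMISSION_MANAGE_SYSTEM.Id, true},
		// An unknown permission ID must not be granted, even to the system admin role.
		{[]string{model.SYSTEM_ADMIN_ROLE_ID}, "non-existent-permission", false},
		{[]string{model.CHANNEL_USER_ROLE_ID}, model.PERMISSION_READ_CHANNEL.Id, true},
		// A low-privilege role must not be granted a system-level permission.
		{[]string{model.CHANNEL_USER_ROLE_ID}, model.PERMISSION_MANAGE_SYSTEM.Id, false},
		// The result must not depend on the order of the roles.
		{[]string{model.SYSTEM_ADMIN_ROLE_ID, model.CHANNEL_USER_ROLE_ID}, model.PERMISSION_MANAGE_SYSTEM.Id, true},
		{[]string{model.CHANNEL_USER_ROLE_ID, model.SYSTEM_ADMIN_ROLE_ID}, model.PERMISSION_MANAGE_SYSTEM.Id, true},
		{[]string{model.TEAM_USER_ROLE_ID, model.TEAM_ADMIN_ROLE_ID}, model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, true},
		{[]string{model.TEAM_ADMIN_ROLE_ID, model.TEAM_USER_ROLE_ID}, model.PERMISSION_MANAGE_SLASH_COMMANDS.Id, true},
	}

	for _, testcase := range cases {
		// testify takes the expected value first; the message names the failing row.
		require.Equal(t, testcase.shouldGrant, th.App.RolesGrantPermission(testcase.roles, testcase.permissionId),
			"roles: %v, permission: %s", testcase.roles, testcase.permissionId)
	}
}

// TestChannelRolesGrantPermission runs the shared permission-inheritance
// harness and, for every row it supplies, checks that RolesGrantPermission on
// the row's channel role matches the row's expected outcome.
func TestChannelRolesGrantPermission(t *testing.T) {
	testPermissionInheritance(t, func(t *testing.T, th *TestHelper, testData permissionInheritanceTestData) {
		require.Equal(t, testData.shouldHavePermission, th.App.RolesGrantPermission([]string{testData.channelRole.Name}, testData.permission.Id),
			"row: %+v\n", testData.truthTableRow)
	})
}

// TestHasPermissionToTeam checks two things: a regular user loses a team
// permission once removed from the team, and the system admin keeps it
// whatever their team membership or the team-user role's permissions.
func TestHasPermissionToTeam(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	// Regular user: granted while a team member, denied once removed.
	assert.True(t, th.App.HasPermissionToTeam(th.BasicUser.Id, th.BasicTeam.Id, model.PERMISSION_LIST_TEAM_CHANNELS))
	th.RemoveUserFromTeam(th.BasicUser, th.BasicTeam)
	assert.False(t, th.App.HasPermissionToTeam(th.BasicUser.Id, th.BasicTeam.Id, model.PERMISSION_LIST_TEAM_CHANNELS))

	// System admin: granted before joining, after joining, after the permission
	// is stripped from the team-user role, and after leaving the team again.
	assert.True(t, th.App.HasPermissionToTeam(th.SystemAdminUser.Id, th.BasicTeam.Id, model.PERMISSION_LIST_TEAM_CHANNELS))
	th.LinkUserToTeam(th.SystemAdminUser, th.BasicTeam)
	assert.True(t, th.App.HasPermissionToTeam(th.SystemAdminUser.Id, th.BasicTeam.Id, model.PERMISSION_LIST_TEAM_CHANNELS))
	th.RemovePermissionFromRole(model.PERMISSION_LIST_TEAM_CHANNELS.Id, model.TEAM_USER_ROLE_ID)
	assert.True(t, th.App.HasPermissionToTeam(th.SystemAdminUser.Id, th.BasicTeam.Id, model.PERMISSION_LIST_TEAM_CHANNELS))
	th.RemoveUserFromTeam(th.SystemAdminUser, th.BasicTeam)
	assert.True(t, th.App.HasPermissionToTeam(th.SystemAdminUser.Id, th.BasicTeam.Id, model.PERMISSION_LIST_TEAM_CHANNELS))
}

// TestSessionHasPermissionToChannel checks that a basic user's session can
// use a permission on the basic channel, and that a store error while
// fetching the channel yields a denial instead of a panic.
func TestSessionHasPermissionToChannel(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	// The session carries only a user ID: no roles, no token.
	session := model.Session{
		UserId: th.BasicUser.Id,
	}

	t.Run("basic user can access basic channel", func(t *testing.T) {
		assert.True(t, th.App.SessionHasPermissionToChannel(session, th.BasicChannel.Id, model.PERMISSION_ADD_REACTION))
	})

	t.Run("does not panic if fetching channel causes an error", func(t *testing.T) {
		// Regression test for MM-29812
		// Mock the channel store so getting the channel returns with an error, as per the bug report.
		mockStore := mocks.Store{}
		mockChannelStore := mocks.ChannelStore{}
		mockChannelStore.On("Get", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("arbitrary error"))
		// Channel memberships are still answered with data read from the real store.
		mockChannelStore.On("GetAllChannelMembersForUser", mock.Anything, mock.Anything, mock.Anything).Return(th.App.Srv().Store.Channel().GetAllChannelMembersForUser(th.BasicUser.Id, false, false))
		mockChannelStore.On("ClearCaches").Return()
		mockStore.On("Channel").Return(&mockChannelStore)
		// Every other sub-store is passed through to the real implementation.
		mockStore.On("FileInfo").Return(th.App.Srv().Store.FileInfo())
		mockStore.On("License").Return(th.App.Srv().Store.License())
		mockStore.On("Post").Return(th.App.Srv().Store.Post())
		mockStore.On("Role").Return(th.App.Srv().Store.Role())
		mockStore.On("System").Return(th.App.Srv().Store.System())
		mockStore.On("Team").Return(th.App.Srv().Store.Team())
		mockStore.On("User").Return(th.App.Srv().Store.User())
		mockStore.On("Webhook").Return(th.App.Srv().Store.Webhook())
		mockStore.On("Close").Return(nil)
		// The mock is never swapped back, so a subtest added after this one
		// would run against it.
		th.App.Srv().Store = &mockStore

		// If there's an error returned from the GetChannel call the code should continue to cascade and since there
		// are no session level permissions in this test case, the permission should be denied.
		// This pins fail-closed behaviour: a store error must never become a grant.
		// NOTE(review): the channel argument below is th.BasicUser.Id, not a channel ID.
		// Presumably this is deliberate, so that no channel membership matches — confirm.
		assert.False(t, th.App.SessionHasPermissionToChannel(session, th.BasicUser.Id, model.PERMISSION_ADD_REACTION))
	})
}

// TestHasPermissionToCategory checks that a session is allowed on one of its
// own user's sidebar categories and denied on a category that belongs to a
// different user in the same team.
func TestHasPermissionToCategory(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()
	session, err := th.App.CreateSession(&model.Session{UserId: th.BasicUser.Id, Props: model.StringMap{}})
	require.Nil(t, err)

	categories, err := th.App.GetSidebarCategories(th.BasicUser.Id, th.BasicTeam.Id)
	require.Nil(t, err)
	// Turn an index-out-of-range panic into a clear test failure.
	require.NotEmpty(t, categories.Order)

	_, err = th.App.GetSession(session.Token)
	require.Nil(t, err)
	require.True(t, th.App.SessionHasPermissionToCategory(*session, th.BasicUser.Id, th.BasicTeam.Id, categories.Order[0]))

	// Cross-user check: BasicUser's session is tested against a category ID
	// taken from BasicUser2 and must be denied.
	categories2, err := th.App.GetSidebarCategories(th.BasicUser2.Id, th.BasicTeam.Id)
	require.Nil(t, err)
	require.NotEmpty(t, categories2.Order)
	require.False(t, th.App.SessionHasPermissionToCategory(*session, th.BasicUser.Id, th.BasicTeam.Id, categories2.Order[0]))
}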