Diffstat (limited to 't')
-rw-r--r--t/app/controller/photo.t71
-rw-r--r--t/app/controller/token.t4
-rw-r--r--t/app/model/user.t16
3 files changed, 84 insertions, 7 deletions
diff --git a/t/app/controller/photo.t b/t/app/controller/photo.t
index 842daa0dc..e1bf35fcf 100644
--- a/t/app/controller/photo.t
+++ b/t/app/controller/photo.t
@@ -13,7 +13,7 @@ my $mech = FixMyStreet::TestMech->new;
my $sample_file = path(__FILE__)->parent->child("sample.jpg");
ok $sample_file->exists, "sample file $sample_file exists";
-my $westminster = $mech->create_body_ok(2527, 'Liverpool City Council');
+my $body = $mech->create_body_ok(2527, 'Liverpool City Council');
subtest "Check multiple upload worked" => sub {
$mech->get_ok('/around');
@@ -112,4 +112,73 @@ subtest "Check photo uploading URL and endpoints work" => sub {
};
};
+subtest "Check no access to update photos on hidden reports" => sub {
+ my $UPLOAD_DIR = tempdir( CLEANUP => 1 );
+
+ my ($report) = $mech->create_problems_for_body(1, $body->id, 'Title');
+ my $update = $mech->create_comment_for_problem($report, $report->user, $report->name, 'Text', $report->anonymous, 'confirmed', 'confirmed', { photo => $report->photo });
+
+ FixMyStreet::override_config {
+ PHOTO_STORAGE_BACKEND => 'FileSystem',
+ PHOTO_STORAGE_OPTIONS => {
+ UPLOAD_DIR => $UPLOAD_DIR,
+ },
+ }, sub {
+ my $image_path = path('t/app/controller/sample.jpg');
+ $image_path->copy( path($UPLOAD_DIR, '74e3362283b6ef0c48686fb0e161da4043bbcc97.jpeg') );
+
+ $mech->get_ok('/photo/c/' . $update->id . '.0.jpeg');
+
+ $report->update({ state => 'hidden' });
+ $report->get_photoset->delete_cached(plus_updates => 1);
+
+ my $res = $mech->get('/photo/c/' . $update->id . '.0.jpeg');
+ is $res->code, 404, 'got 404';
+ };
+};
+
+subtest 'non_public photos only viewable by correct people' => sub {
+ my $UPLOAD_DIR = tempdir( CLEANUP => 1 );
+ path(FixMyStreet->path_to('web/photo'))->remove_tree({ keep_root => 1 });
+
+ my ($report) = $mech->create_problems_for_body(1, $body->id, 'Title', {
+ non_public => 1,
+ });
+
+ FixMyStreet::override_config {
+ PHOTO_STORAGE_BACKEND => 'FileSystem',
+ PHOTO_STORAGE_OPTIONS => {
+ UPLOAD_DIR => $UPLOAD_DIR,
+ },
+ }, sub {
+ my $image_path = path('t/app/controller/sample.jpg');
+ $image_path->copy( path($UPLOAD_DIR, '74e3362283b6ef0c48686fb0e161da4043bbcc97.jpeg') );
+
+ $mech->log_out_ok;
+ my $i = '/photo/' . $report->id . '.0.jpeg';
+ my $res = $mech->get($i);
+ is $res->code, 404, 'got 404';
+
+ $mech->log_in_ok('test@example.com');
+ $i = '/photo/' . $report->id . '.0.jpeg';
+ $mech->get_ok($i);
+ my $image_file = FixMyStreet->path_to("web$i");
+ ok !-e $image_file, 'File not cached out';
+
+ my $user = $mech->log_in_ok('someoneelse@example.com');
+ $i = '/photo/' . $report->id . '.0.jpeg';
+ $res = $mech->get($i);
+ is $res->code, 404, 'got 404';
+
+ $user->update({ from_body => $body });
+ $user->user_body_permissions->create({ body => $body, permission_type => 'report_inspect' });
+ $i = '/photo/' . $report->id . '.0.jpeg';
+ $mech->get_ok($i);
+
+ $user->update({ from_body => undef, is_superuser => 1 });
+ $i = '/photo/' . $report->id . '.0.jpeg';
+ $mech->get_ok($i);
+ };
+};
+
done_testing();
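Review bot: The `ok !-e $image_file, 'File not cached out';` check in the non_public subtest runs only after the report owner's fetch; the later `report_inspect` inspector fetch and the superuser fetch both call `$mech->get_ok($i)` with no such assertion, so a non_public photo being written to the public `web/photo` cache on those code paths would go unnoticed while the unauthenticated 404 above still passes. Repeat the assertion after each successful fetch, e.g. `ok !-e $image_file, 'inspector fetch not cached';` after the `report_inspect` get_ok and `ok !-e $image_file, 'superuser fetch not cached';` after the last one. The line `$i = '/photo/' . $report->id . '.0.jpeg';` is reassigned five times with the same value; compute it once before `$mech->log_out_ok;` and drop the repeats. The hidden-report subtest above only asserts the 404 after `delete_cached(plus_updates => 1)`; an `-e` check against the update photo's cache file would confirm the cached copy was actually removed, though the cache path for update photos is not visible in this hunk.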
diff --git a/t/app/controller/token.t b/t/app/controller/token.t
index 858838865..f7dec1a31 100644
--- a/t/app/controller/token.t
+++ b/t/app/controller/token.t
@@ -1,5 +1,4 @@
use FixMyStreet::TestMech;
-use FixMyStreet::App;
my $mech = FixMyStreet::TestMech->new;
my $user = $mech->create_user_ok('bob@example.com', name => 'Bob');
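Review bot: The third hunk of this file now calls `FixMyStreet::DB->resultset('Token')`, but the `use FixMyStreet::App;` removed here is not replaced by a `use FixMyStreet::DB;`, so the test depends on FixMyStreet::TestMech loading that package transitively. t/app/model/user.t in the same commit imports it explicitly; put `use FixMyStreet::DB;` in place of the removed line for the same reason. The subtest touched by the two later hunks starts and ends outside those hunks.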
@@ -8,7 +7,6 @@ subtest 'Zurich special case for C::Tokens->problem_confirm' => sub {
FixMyStreet::override_config {
ALLOWED_COBRANDS => ['zurich'],
}, sub {
- my $c = FixMyStreet::App->new;
my $zurich = $mech->create_body_ok( 1, 'Zurich' );
my ($report) = $mech->create_problems_for_body(
1, $zurich->id,
@@ -19,7 +17,7 @@ subtest 'Zurich special case for C::Tokens->problem_confirm' => sub {
});
is $report->get_extra_metadata('email_confirmed'), undef, 'email_confirmed not yet set (sanity)';
- my $token = $c->model('DB::Token')->create({ scope => 'problem', data => $report->id });
+ my $token = FixMyStreet::DB->resultset('Token')->create({ scope => 'problem', data => $report->id });
$mech->get_ok('/P/' . $token->token);
$report->discard_changes;
diff --git a/t/app/model/user.t b/t/app/model/user.t
index 5a9c898a2..cbc0fe6cf 100644
--- a/t/app/model/user.t
+++ b/t/app/model/user.t
@@ -1,5 +1,8 @@
use FixMyStreet::TestMech;
use FixMyStreet::DB;
+use Catalyst::Test 'FixMyStreet::App';
+use HTTP::Request::Common;
+use Test::Exception;
my $mech = FixMyStreet::TestMech->new();
$mech->log_in_ok('test@example.com');
@@ -63,9 +66,16 @@ FixMyStreet::override_config {
$mech->content_like(qr/may_show_name[^>c]*>/);
};
-END {
- done_testing();
-}
+subtest 'Check non-existent methods on user object die' => sub {
+ my $c = ctx_request(POST '/auth', { username => 'test@example.com', password_sign_in => 'secret' });
+ throws_ok(
+ sub { $c->user->is_super_user },
+ qr/Can't locate object method 'is_super_user'/,
+ 'attempt to call non-existent method'
+ );
+};
+
+done_testing();
sub create_update {
my ($problem, %params) = @_;
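Review bot: The new subtest at `sub { $c->user->is_super_user }` does not record why a dying call is the wanted outcome; the real attribute is spelled `is_superuser` (used in t/app/controller/photo.t of this commit), and a misspelled permission check that returned undef instead of dying would read as "not a superuser" and silently pass an authorization decision. A one-line comment above `throws_ok(` such as `# A misspelled permission method must die loudly rather than quietly return false` would preserve that intent. The match also depends on `$c->user` being defined after the POST to /auth; if the sign-in fails the error becomes "Can't call method ... on an undefined value" and the regex mismatch is the only diagnostic, so an `ok $c->user, 'signed in via /auth';` before `throws_ok(` gives a clearer failure. `password_sign_in => 'secret'` is presumably the suite's fixture password, though that is not visible in this hunk; `sub create_update` on the last line continues outside it.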