feat(tests): Add link security behat tests

KDederichs · KDederichs · commit 7b1bbb2f8380 · 2023-01-14T16:15:34.000+01:00
diff --git a/features/authorization/deny.feature b/features/authorization/deny.feature
@@ -210,3 +210,21 @@ Feature: Authorization checking
     Then the response status code should be 200
     And the response should contain "ownerOnlyProperty"
     And the JSON node "ownerOnlyProperty" should be equal to the string "updated"
+
+  Scenario: An user can get related linked dummies for an secured dummy they own
+    Given there are 1 SecuredDummy objects owned by dunglas with related dummies
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies/4/related"
+    Then the response status code should be 200
+    And the response should contain "securedDummy"
+    And the JSON node "hydra:member[0].id" should be equal to 1"
+
+  Scenario: An user can not get related linked dummies for an secured dummy they do not own
+    Given there are 1 SecuredDummy objects owned by someone with related dummies
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies/5/related"
+    Then the response status code should be 403
diff --git a/tests/Behat/DoctrineContext.php b/tests/Behat/DoctrineContext.php
@@ -77,6 +77,7 @@
 use ApiPlatform\Tests\Fixtures\TestBundle\Document\Program as ProgramDocument;
 use ApiPlatform\Tests\Fixtures\TestBundle\Document\Question as QuestionDocument;
 use ApiPlatform\Tests\Fixtures\TestBundle\Document\RelatedDummy as RelatedDummyDocument;
+use ApiPlatform\Tests\Fixtures\TestBundle\Document\RelatedLinkedDummy as RelatedLinkedDummyDocument;
 use ApiPlatform\Tests\Fixtures\TestBundle\Document\RelatedOwnedDummy as RelatedOwnedDummyDocument;
 use ApiPlatform\Tests\Fixtures\TestBundle\Document\RelatedOwningDummy as RelatedOwningDummyDocument;
 use ApiPlatform\Tests\Fixtures\TestBundle\Document\RelatedSecuredDummy as RelatedSecuredDummyDocument;
@@ -156,6 +157,7 @@
 use ApiPlatform\Tests\Fixtures\TestBundle\Entity\Question;
 use ApiPlatform\Tests\Fixtures\TestBundle\Entity\RamseyUuidDummy;
 use ApiPlatform\Tests\Fixtures\TestBundle\Entity\RelatedDummy;
+use ApiPlatform\Tests\Fixtures\TestBundle\Entity\RelatedLinkedDummy;
 use ApiPlatform\Tests\Fixtures\TestBundle\Entity\RelatedOwnedDummy;
 use ApiPlatform\Tests\Fixtures\TestBundle\Entity\RelatedOwningDummy;
 use ApiPlatform\Tests\Fixtures\TestBundle\Entity\RelatedSecuredDummy;
@@ -1125,12 +1127,16 @@ public function thereAreSecuredDummyObjectsOwnedByWithRelatedDummies(int $nb, st
             $publicRelatedSecuredDummy = $this->buildRelatedSecureDummy();
             $this->manager->persist($publicRelatedSecuredDummy);
 
+            $relatedLinkedDummy = $this->buildRelatedLinkedDummy();
+            $this->manager->persist($relatedLinkedDummy);
+
             $securedDummy->addRelatedDummy($relatedDummy);
             $securedDummy->setRelatedDummy($relatedDummy);
             $securedDummy->addRelatedSecuredDummy($relatedSecuredDummy);
             $securedDummy->setRelatedSecuredDummy($relatedSecuredDummy);
             $securedDummy->addPublicRelatedSecuredDummy($publicRelatedSecuredDummy);
             $securedDummy->setPublicRelatedSecuredDummy($publicRelatedSecuredDummy);
+            $relatedLinkedDummy->setSecuredDummy($securedDummy);
 
             $this->manager->persist($securedDummy);
         }
@@ -2246,6 +2252,11 @@ private function buildRelatedToDummyFriend(): RelatedToDummyFriend|RelatedToDumm
         return $this->isOrm() ? new RelatedToDummyFriend() : new RelatedToDummyFriendDocument();
     }
 
+    private function buildRelatedLinkedDummy(): RelatedLinkedDummy|RelatedLinkedDummyDocument
+    {
+        return $this->isOrm() ? new RelatedLinkedDummy() : new RelatedLinkedDummyDocument();
+    }
+
     private function buildRelationEmbedder(): RelationEmbedder|RelationEmbedderDocument
     {
         return $this->isOrm() ? new RelationEmbedder() : new RelationEmbedderDocument();
diff --git a/tests/Fixtures/TestBundle/Document/RelatedLinkedDummy.php b/tests/Fixtures/TestBundle/Document/RelatedLinkedDummy.php
@@ -0,0 +1,59 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Document;
+
+use ApiPlatform\Metadata\ApiProperty;
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Link;
+use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
+
+#[ApiResource()]
+#[ApiResource(
+    uriTemplate: '/secured_dummies/{securedDummyId}/related',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and securedDummy.getOwner() == user"),
+    ]
+)]
+#[ODM\Document]
+class RelatedLinkedDummy
+{
+    #[ApiProperty(writable: false)]
+    #[ODM\Id(strategy: 'INCREMENT', type: 'int')]
+    private $id;
+
+    #[ODM\ReferenceOne(targetDocument: SecuredDummy::class)]
+    private SecuredDummy $securedDummy;
+
+    public function getId()
+    {
+        return $this->id;
+    }
+
+    public function setId($id): void
+    {
+        $this->id = $id;
+    }
+
+    public function getSecuredDummy(): SecuredDummy
+    {
+        return $this->securedDummy;
+    }
+
+    public function setSecuredDummy(SecuredDummy $securedDummy): void
+    {
+        $this->securedDummy = $securedDummy;
+    }
+}
diff --git a/tests/Fixtures/TestBundle/Entity/RelatedLinkedDummy.php b/tests/Fixtures/TestBundle/Entity/RelatedLinkedDummy.php
@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\Entity;
+
+use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Link;
+use Doctrine\ORM\Mapping as ORM;
+use Doctrine\ORM\Mapping\Entity;
+
+#[ApiResource()]
+#[ApiResource(
+    uriTemplate: '/secured_dummies/{securedDummyId}/related',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and securedDummy.getOwner() == user"),
+    ]
+)]
+#[Entity]
+class RelatedLinkedDummy
+{
+    /**
+     * @var int
+     */
+    #[ORM\Column(type: 'integer')]
+    #[ORM\Id]
+    #[ORM\GeneratedValue(strategy: 'AUTO')]
+    private $id;
+
+    #[ORM\ManyToOne(targetEntity: SecuredDummy::class)]
+    private SecuredDummy $securedDummy;
+
+    public function getId()
+    {
+        return $this->id;
+    }
+
+    public function setId($id): void
+    {
+        $this->id = $id;
+    }
+
+    public function getSecuredDummy(): SecuredDummy
+    {
+        return $this->securedDummy;
+    }
+
+    public function setSecuredDummy(SecuredDummy $securedDummy): void
+    {
+        $this->securedDummy = $securedDummy;
+    }
+}
