Extend TestUserOrgs to cover permission cases (#14495)

6543 · web-flow · commit 3599d44399cf · 2021-01-28T22:40:41.000+01:00
* TestMyOrgs: add unauthorized test

* Extend TestUserOrgs, to cover permission cases
diff --git a/integrations/api_user_orgs_test.go b/integrations/api_user_orgs_test.go
@@ -19,15 +19,12 @@ func TestUserOrgs(t *testing.T) {
 	defer prepareTestEnv(t)()
 	adminUsername := "user1"
 	normalUsername := "user2"
-	session := loginUser(t, adminUsername)
-	token := getTokenForLoggedInUser(t, session)
-	urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", normalUsername, token)
-	req := NewRequest(t, "GET", urlStr)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	var orgs []*api.Organization
-	user3 := models.AssertExistsAndLoadBean(t, &models.User{Name: "user3"}).(*models.User)
+	privateMemberUsername := "user4"
+	unrelatedUsername := "user5"
 
-	DecodeJSON(t, resp, &orgs)
+	orgs := getUserOrgs(t, adminUsername, normalUsername)
+
+	user3 := models.AssertExistsAndLoadBean(t, &models.User{Name: "user3"}).(*models.User)
 
 	assert.Equal(t, []*api.Organization{
 		{
@@ -41,16 +38,46 @@ func TestUserOrgs(t *testing.T) {
 			Visibility:  "public",
 		},
 	}, orgs)
+
+	// user itself should get it's org's he is a member of
+	orgs = getUserOrgs(t, privateMemberUsername, privateMemberUsername)
+	assert.Len(t, orgs, 1)
+
+	// unrelated user should not get private org membership of privateMemberUsername
+	orgs = getUserOrgs(t, unrelatedUsername, privateMemberUsername)
+	assert.Len(t, orgs, 0)
+
+	// not authenticated call also should hide org membership
+	orgs = getUserOrgs(t, "", privateMemberUsername)
+	assert.Len(t, orgs, 0)
+}
+
+func getUserOrgs(t *testing.T, userDoer, userCheck string) (orgs []*api.Organization) {
+	var token = ""
+	session := emptyTestSession(t)
+	if len(userDoer) != 0 {
+		session = loginUser(t, userDoer)
+		token = getTokenForLoggedInUser(t, session)
+	}
+	urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", userCheck, token)
+	req := NewRequest(t, "GET", urlStr)
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &orgs)
+	return orgs
 }
 
 func TestMyOrgs(t *testing.T) {
 	defer prepareTestEnv(t)()
 
+	session := emptyTestSession(t)
+	req := NewRequest(t, "GET", "/api/v1/user/orgs")
+	resp := session.MakeRequest(t, req, http.StatusUnauthorized)
+
 	normalUsername := "user2"
-	session := loginUser(t, normalUsername)
+	session = loginUser(t, normalUsername)
 	token := getTokenForLoggedInUser(t, session)
-	req := NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
+	resp = session.MakeRequest(t, req, http.StatusOK)
 	var orgs []*api.Organization
 	DecodeJSON(t, resp, &orgs)
 	user3 := models.AssertExistsAndLoadBean(t, &models.User{Name: "user3"}).(*models.User)
