From f9e3422fe4efd0eefb8cc4e700430d48ece52502 Mon Sep 17 00:00:00 2001
From: Andrew Longosz <alongosz@users.noreply.github.com>
Date: Fri, 27 Apr 2018 13:19:56 +0200
Subject: [PATCH] Fixed EZP-29087: Sending to trash should rely on
 content/remove policy (#2314)

* EZP-29087: Changed required policy to content/remove when trashing item.

* EZP-29087: Improved permission tests for TrashService::trash method
---
 Repository/Tests/BaseTest.php                 | 40 +++++++++++++
 .../Tests/TrashServiceAuthorizationTest.php   | 56 +++++++++++++------
 2 files changed, 78 insertions(+), 18 deletions(-)

diff --git a/Repository/Tests/BaseTest.php b/Repository/Tests/BaseTest.php
index 7290e010b..e6b03a0b1 100644
--- a/Repository/Tests/BaseTest.php
+++ b/Repository/Tests/BaseTest.php
@@ -514,6 +514,46 @@ public function createRoleWithPolicies($roleName, array $policiesData)
         return $roleService->loadRole($roleDraft->id);
     }
 
+    /**
+     * Create user and assign new role with the given policies.
+     *
+     * @param string $login
+     * @param array $policiesData list of policies in the form of <code>[ [ 'module' => 'name', 'function' => 'name'] ]</code>
+     *
+     * @return \eZ\Publish\API\Repository\Values\User\User
+     *
+     * @throws \Exception
+     */
+    public function createUserWithPolicies($login, array $policiesData)
+    {
+        $repository = $this->getRepository(false);
+        $roleService = $repository->getRoleService();
+        $userService = $repository->getUserService();
+
+        $repository->beginTransaction();
+        try {
+            $userCreateStruct = $userService->newUserCreateStruct(
+                $login,
+                "{$login}@test.local",
+                $login,
+                'eng-GB'
+            );
+            $userCreateStruct->setField('first_name', $login);
+            $userCreateStruct->setField('last_name', $login);
+            $user = $userService->createUser($userCreateStruct, [$userService->loadUserGroup(4)]);
+
+            $role = $this->createRoleWithPolicies(uniqid('role_for_' . $login . '_'), $policiesData);
+            $roleService->assignRoleToUser($role, $user);
+
+            $repository->commit();
+
+            return $user;
+        } catch (\Exception $ex) {
+            $repository->rollback();
+            throw $ex;
+        }
+    }
+
     /**
      * Traverse all errors for all fields in all Translations to find expected one.
      *
diff --git a/Repository/Tests/TrashServiceAuthorizationTest.php b/Repository/Tests/TrashServiceAuthorizationTest.php
index 79e6dcc6d..b78f19b1f 100644
--- a/Repository/Tests/TrashServiceAuthorizationTest.php
+++ b/Repository/Tests/TrashServiceAuthorizationTest.php
@@ -47,38 +47,58 @@ public function testLoadTrashItemThrowsUnauthorizedException()
     }
 
     /**
-     * Test for the trash() method.
+     * Test for the trash() method without proper permissions.
      *
-     * @see \eZ\Publish\API\Repository\TrashService::trash()
-     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
-     * @depends eZ\Publish\API\Repository\Tests\TrashServiceTest::testTrash
-     * @depends eZ\Publish\API\Repository\Tests\UserServiceTest::testLoadAnonymousUser
+     * @covers \eZ\Publish\API\Repository\TrashService::trash
+     *
+     * @expectedException \eZ\Publish\Core\Base\Exceptions\UnauthorizedException
+     * @expectedExceptionMessage User does not have access to 'remove' 'content'
      */
     public function testTrashThrowsUnauthorizedException()
     {
         $repository = $this->getRepository();
+        $trashService = $repository->getTrashService();
+        $locationService = $repository->getLocationService();
 
-        $anonymousUserId = $this->generateId('user', 10);
-        /* BEGIN: Inline */
-        // $anonymousUserId is the ID of the "Anonymous" user
-        // remoteId of the "Media" page main location
-        $mediaRemoteId = '75c715a51699d2d309a924eca6a95145';
+        // Load "Media" page location to be trashed
+        $mediaLocation = $locationService->loadLocationByRemoteId(
+            '75c715a51699d2d309a924eca6a95145'
+        );
 
-        $userService = $repository->getUserService();
+        // switch user context before testing TrashService::trash method
+        $repository->getPermissionResolver()->setCurrentUserReference(
+            $this->createUserWithPolicies('trash_test_user', [])
+        );
+        $trashService->trash($mediaLocation);
+    }
+
+    /**
+     * Test for the trash() method with proper minimal permission set.
+     *
+     * @depends testTrashThrowsUnauthorizedException
+     *
+     * @covers \eZ\Publish\API\Repository\TrashService::trash
+     */
+    public function testTrashRequiresContentRemovePolicy()
+    {
+        $repository = $this->getRepository();
         $trashService = $repository->getTrashService();
         $locationService = $repository->getLocationService();
 
-        // Load "Media" page location
+        // Load "Media" page location to be trashed
         $mediaLocation = $locationService->loadLocationByRemoteId(
-            $mediaRemoteId
+            '75c715a51699d2d309a924eca6a95145'
         );
 
-        // Set "Anonymous" as current user
-        $repository->setCurrentUser($userService->loadUser($anonymousUserId));
-
-        // This call will fail with an "UnauthorizedException"
+        $repository->getPermissionResolver()->setCurrentUserReference(
+            $this->createUserWithPolicies(
+                'trash_test_user',
+                [
+                    ['module' => 'content', 'function' => 'remove'],
+                ]
+            )
+        );
         $trashService->trash($mediaLocation);
-        /* END: Inline */
     }
 
     /**