Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request from GHSA-qjx3-2g35-6hv8
* - included new permission to denied unauthorized access - included functional tests * - take out import permission * - change permission parameters from lead to user data * - change permission parameters from lead to user data --------- Co-authored-by: Lenon Leite <lenonleite@gmail.com> Co-authored-by: lenonleite <lenonleite@github.com> Co-authored-by: lenonleite <lenonleite@cience.com>
- Loading branch information
1 parent
e75b1ee
commit 22bdd07
Showing
8 changed files
with
360 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
app/bundles/LeadBundle/Tests/Functional/Controller/CompanyControllerTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
<?php | ||
|
||
namespace Mautic\LeadBundle\Tests\Functional\Controller; | ||
|
||
use Mautic\CoreBundle\Test\MauticMysqlTestCase; | ||
use Mautic\UserBundle\Entity\Role; | ||
use Mautic\UserBundle\Entity\User; | ||
|
||
class CompanyControllerTest extends MauticMysqlTestCase | ||
{ | ||
public const USERNAME = 'jhony'; | ||
|
||
public function testMergeAction(): void | ||
{ | ||
$this->client->request('GET', '/s/companies/merge/1'); | ||
$clientResponse = $this->client->getResponse(); | ||
$this->assertEquals(200, $clientResponse->getStatusCode()); | ||
} | ||
|
||
public function testMergeActionWithoutPermission(): void | ||
{ | ||
$this->createAndLoginUser(); | ||
$this->client->request('GET', '/s/companies/merge/1'); | ||
$clientResponse = $this->client->getResponse(); | ||
$this->assertEquals(403, $clientResponse->getStatusCode()); | ||
} | ||
|
||
private function createAndLoginUser(): User | ||
{ | ||
// Create non-admin role | ||
$role = $this->createRole(); | ||
// Create non-admin user | ||
$user = $this->createUser($role); | ||
|
||
$this->em->flush(); | ||
$this->em->detach($role); | ||
|
||
$this->loginUser(self::USERNAME); | ||
$this->client->setServerParameter('PHP_AUTH_USER', self::USERNAME); | ||
$this->client->setServerParameter('PHP_AUTH_PW', 'mautic'); | ||
|
||
return $user; | ||
} | ||
|
||
private function createRole(bool $isAdmin = false): Role | ||
{ | ||
$role = new Role(); | ||
$role->setName('Role'); | ||
$role->setIsAdmin($isAdmin); | ||
|
||
$this->em->persist($role); | ||
|
||
return $role; | ||
} | ||
|
||
private function createUser(Role $role): User | ||
{ | ||
$user = new User(); | ||
$user->setFirstName('Jhony'); | ||
$user->setLastName('Doe'); | ||
$user->setUsername(self::USERNAME); | ||
$user->setEmail('john.doe@email.com'); | ||
$encoder = self::$container->get('security.encoder_factory')->getEncoder($user); | ||
$user->setPassword($encoder->encodePassword('mautic', null)); | ||
$user->setRole($role); | ||
|
||
$this->em->persist($user); | ||
|
||
return $user; | ||
} | ||
} |
92 changes: 92 additions & 0 deletions
92
app/bundles/LeadBundle/Tests/Functional/Controller/LeadControllerTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
<?php | ||
|
||
namespace Mautic\LeadBundle\Tests\Functional\Controller; | ||
|
||
use Mautic\CoreBundle\Test\MauticMysqlTestCase; | ||
use Mautic\UserBundle\Entity\Role; | ||
use Mautic\UserBundle\Entity\User; | ||
use Symfony\Component\HttpFoundation\Request; | ||
|
||
class LeadControllerTest extends MauticMysqlTestCase | ||
{ | ||
public const USERNAME = 'jhony'; | ||
|
||
public function testAccessContactQuickAddWithPermission(): void | ||
{ | ||
$this->setAdminUser(); | ||
$this->client->request(Request::METHOD_GET, '/s/contacts/quickAdd'); | ||
$this->assertResponseStatusCodeSame(200, (string) $this->client->getResponse()->getStatusCode()); | ||
} | ||
|
||
private function setAdminUser(): void | ||
{ | ||
$this->loginUser('admin'); | ||
$this->client->setServerParameter('PHP_AUTH_USER', 'admin'); | ||
$this->client->setServerParameter('PHP_AUTH_PW', 'mautic'); | ||
} | ||
|
||
public function testAccessContactQuickAddWithNoPermission(): void | ||
{ | ||
$this->createAndLoginUser(); | ||
$this->client->request(Request::METHOD_GET, '/s/contacts/quickAdd'); | ||
$this->assertResponseStatusCodeSame(403, (string) $this->client->getResponse()->getStatusCode()); | ||
} | ||
|
||
public function testAccessContactBatchOwnersNoPermission(): void | ||
{ | ||
$this->createAndLoginUser(); | ||
$this->client->request(Request::METHOD_GET, '/s/contacts/batchOwners'); | ||
$this->assertResponseStatusCodeSame(403, (string) $this->client->getResponse()->getStatusCode()); | ||
} | ||
|
||
public function testAccessContactBatchOwnersPermission(): void | ||
{ | ||
$this->setAdminUser(); | ||
$this->client->request(Request::METHOD_GET, '/s/contacts/batchOwners'); | ||
$this->assertResponseStatusCodeSame(200, (string) $this->client->getResponse()->getStatusCode()); | ||
} | ||
|
||
private function createAndLoginUser(): User | ||
{ | ||
// Create non-admin role | ||
$role = $this->createRole(); | ||
// Create non-admin user | ||
$user = $this->createUser($role); | ||
|
||
$this->em->flush(); | ||
$this->em->detach($role); | ||
|
||
$this->loginUser(self::USERNAME); | ||
$this->client->setServerParameter('PHP_AUTH_USER', self::USERNAME); | ||
$this->client->setServerParameter('PHP_AUTH_PW', 'mautic'); | ||
|
||
return $user; | ||
} | ||
|
||
private function createRole(bool $isAdmin = false): Role | ||
{ | ||
$role = new Role(); | ||
$role->setName('Role'); | ||
$role->setIsAdmin($isAdmin); | ||
|
||
$this->em->persist($role); | ||
|
||
return $role; | ||
} | ||
|
||
private function createUser(Role $role): User | ||
{ | ||
$user = new User(); | ||
$user->setFirstName('Jhony'); | ||
$user->setLastName('Doe'); | ||
$user->setUsername(self::USERNAME); | ||
$user->setEmail('john.doe@email.com'); | ||
$encoder = self::$container->get('security.encoder_factory')->getEncoder($user); | ||
$user->setPassword($encoder->encodePassword('mautic', null)); | ||
$user->setRole($role); | ||
|
||
$this->em->persist($user); | ||
|
||
return $user; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
101 changes: 101 additions & 0 deletions
101
plugins/MauticSocialBundle/Tests/Functional/Controller/MonitoringControllerTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
<?php | ||
|
||
namespace MauticPlugin\MauticSocialBundle\Tests\Functional\Controller; | ||
|
||
use Mautic\CoreBundle\Test\MauticMysqlTestCase; | ||
use Mautic\UserBundle\Entity\Role; | ||
use Mautic\UserBundle\Entity\User; | ||
|
||
class MonitoringControllerTest extends MauticMysqlTestCase | ||
{ | ||
public const USERNAME = 'jhony'; | ||
|
||
public function testIndex(): void | ||
{ | ||
$this->client->request('GET', '/s/monitoring'); | ||
$response = $this->client->getResponse(); | ||
$this->assertEquals(200, $response->getStatusCode()); | ||
} | ||
|
||
public function testNew(): void | ||
{ | ||
$this->client->request('GET', '/s/monitoring/new'); | ||
$response = $this->client->getResponse(); | ||
$this->assertEquals(200, $response->getStatusCode()); | ||
} | ||
|
||
public function testEdit(): void | ||
{ | ||
$this->client->request('GET', '/s/monitoring/edit/1'); | ||
$response = $this->client->getResponse(); | ||
$this->assertEquals(200, $response->getStatusCode()); | ||
} | ||
|
||
public function testIndexWithoutPermission(): void | ||
{ | ||
$this->createAndLoginUser(); | ||
$this->client->request('GET', '/s/monitoring'); | ||
$response = $this->client->getResponse(); | ||
$this->assertEquals(403, $response->getStatusCode()); | ||
} | ||
|
||
public function testNewWithoutPermission(): void | ||
{ | ||
$this->createAndLoginUser(); | ||
$this->client->request('GET', '/s/monitoring/new'); | ||
$response = $this->client->getResponse(); | ||
$this->assertEquals(403, $response->getStatusCode()); | ||
} | ||
|
||
public function testEditWithoutPermission(): void | ||
{ | ||
$this->createAndLoginUser(); | ||
$this->client->request('GET', '/s/monitoring/edit/1'); | ||
$response = $this->client->getResponse(); | ||
$this->assertEquals(403, $response->getStatusCode()); | ||
} | ||
|
||
private function createAndLoginUser(): User | ||
{ | ||
// Create non-admin role | ||
$role = $this->createRole(); | ||
// Create non-admin user | ||
$user = $this->createUser($role); | ||
|
||
$this->em->flush(); | ||
$this->em->detach($role); | ||
|
||
$this->loginUser(self::USERNAME); | ||
$this->client->setServerParameter('PHP_AUTH_USER', self::USERNAME); | ||
$this->client->setServerParameter('PHP_AUTH_PW', 'mautic'); | ||
|
||
return $user; | ||
} | ||
|
||
private function createRole(bool $isAdmin = false): Role | ||
{ | ||
$role = new Role(); | ||
$role->setName('Role'); | ||
$role->setIsAdmin($isAdmin); | ||
|
||
$this->em->persist($role); | ||
|
||
return $role; | ||
} | ||
|
||
private function createUser(Role $role): User | ||
{ | ||
$user = new User(); | ||
$user->setFirstName('John'); | ||
$user->setLastName('Doe'); | ||
$user->setUsername(self::USERNAME); | ||
$user->setEmail('john.doe@email.com'); | ||
$encoder = self::$container->get('security.encoder_factory')->getEncoder($user); | ||
$user->setPassword($encoder->encodePassword('mautic', null)); | ||
$user->setRole($role); | ||
|
||
$this->em->persist($user); | ||
|
||
return $user; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.