acl.feature
Feature: acl
  Routes should check for permissions when a user sends a request

  Background:
    Given user "admin" exists
    And user "user0" exists
    And user "user1" exists
    And user "user2" exists
    Given group "group0" exists
    And group "group1" exists
    Given user "user1" belongs to group "group1"

  Scenario: Fetch the board list
    Given Logging in using web as "user0"
    When fetching the board list
    Then the response should have a status code "200"
    And the response Content-Type should be "application/json; charset=utf-8"

  Scenario: Fetch board details of owned board
    Given Logging in using web as "admin"
    And creates a board named "MyPrivateAdminBoard" with color "fafafa"
    When fetches the board named "MyPrivateAdminBoard"
    Then the response should have a status code "200"
    And the response Content-Type should be "application/json; charset=utf-8"

  Scenario: Fetch board details of another user's board
    Given Logging in using web as "admin"
    And creates a board named "MyPrivateAdminBoard" with color "ff0000"
    Given Logging in using web as "user0"
    When fetches the board named "MyPrivateAdminBoard"
    Then the response should have a status code "403"
    And the response Content-Type should be "application/json; charset=utf-8"

  Scenario: Share a board
    Given Logging in using web as "user0"
    And creates a board named "Shared board" with color "ff0000"
    And shares the board with user "user1"
      | permissionEdit   | 0 |
      | permissionShare  | 0 |
      | permissionManage | 0 |
    And the response should have a status code 200
    And shares the board with user "user2"
      | permissionEdit   | 1 |
      | permissionShare  | 1 |
      | permissionManage | 1 |
    And the response should have a status code 200
    Given Logging in using web as "user2"
    When fetches the board named "Shared board"
    Then the current user should have "read" permissions on the board
    And the current user should have "edit" permissions on the board
    And the current user should have "share" permissions on the board
    And the current user should have "manage" permissions on the board
    And create a stack named "Stack"
    And the response should have a status code 200
    And create a card named "Test"
    And the response should have a status code 200
    Given Logging in using web as "user1"
    When fetches the board named "Shared board"
    And create a card named "Test"
    And the response should have a status code 403
    Then the current user should have "read" permissions on the board
    And the current user should not have "edit" permissions on the board
    And the current user should not have "share" permissions on the board
    And the current user should not have "manage" permissions on the board
    And create a stack named "Stack"
    And the response should have a status code 403

  Scenario: Reshare a board
    Given Logging in using web as "user0"
    And creates a board named "Reshared board" with color "ff0000"
    And shares the board with user "user1"
      | permissionEdit   | 0 |
      | permissionShare  | 1 |
      | permissionManage | 0 |
    And the response should have a status code 200
    Given Logging in using web as "user1"
    When fetches the board named "Reshared board"
    And shares the board with user "user2"
      | permissionEdit   | 1 |
      | permissionShare  | 1 |
      | permissionManage | 1 |
    And the response should have a status code 200
    Given Logging in using web as "user2"
    When fetches the board named "Reshared board"
    Then the current user should have "read" permissions on the board
    And the current user should not have "edit" permissions on the board
    And the current user should have "share" permissions on the board
    And the current user should not have "manage" permissions on the board

  Scenario: Share a board multiple times
    Given Logging in using web as "user0"
    And creates a board named "Double shared board" with color "ff0000"
    And shares the board with user "user1"
    And shares the board with group "group1"
    And creates a board named "Single shared board" with color "00ff00"
    And shares the board with user "user1"
    When Logging in using web as "user1"
    And fetching the board list
    Then the response should have a status code "200"
    And the response should be a list of objects
    And the response should contain an element with the properties
      | property | value               |
      | title    | Double shared board |

  Scenario: Deleted board is inaccessible to share recipients
    Given acting as user "user0"
    When creates a board with example content
    And remember the last card as "user0-card"
    When post a comment with content "hello comment" on the card
    And uploads an attachment to the last used card
    And remember the last attachment as "user0-attachment"
    And shares the board with user "user1"
    Then the HTTP status code should be "200"
    And delete the board
    Given acting as user "user1"
    When fetching the attachments for the card "user0-card"
    Then the response should have a status code 403
    When get the comments on the card
    Then the response should have a status code 403
    When update a comment with content "hello deleted" on the card
    Then the response should have a status code 403
    When delete the comment on the card
    Then the response should have a status code 403
    # 644
    When post a comment with content "hello deleted" on the card
    Then the response should have a status code 403
    When get the card details
    Then the response should have a status code 403
    When fetching the attachment "user0-attachment" for the card "user0-card"
    Then the response should have a status code 403
    When deleting the attachment "user0-attachment" for the card "user0-card"
    Then the response should have a status code 403
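
The "Reshare a board" and "Deleted board is inaccessible to share recipients" scenarios pin down two rules: a reshare cannot grant more than the sharer holds, and a deleted board answers 403 to its share recipients. The Python model below is an added example, not the project's code; `Board`, `effective`, `status` and `share` are hypothetical names, and requiring the "share" permission in order to share is an assumption of the model.

```python
# Added illustration: a toy model of the access rules the scenarios assert.
# All names here are hypothetical; this is not the application's implementation.
from dataclasses import dataclass, field

ALL = frozenset({"read", "edit", "share", "manage"})


@dataclass
class Board:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> frozenset of permissions
    deleted: bool = False


def effective(board: Board, user: str) -> frozenset:
    """Permissions a user holds on a board right now."""
    if board.deleted:
        # The feature asserts 403 for share recipients after deletion;
        # denying every user is this model's simplification.
        return frozenset()
    if user == board.owner:
        return ALL
    return board.acl.get(user, frozenset())


def status(board: Board, user: str, needed: str) -> int:
    """HTTP status the scenarios expect: 200 when permitted, otherwise 403."""
    return 200 if needed in effective(board, user) else 403


def share(board: Board, sharer: str, target: str,
          edit: int = 0, share_: int = 0, manage: int = 0) -> int:
    """Grant `target` access, capped at what `sharer` currently holds."""
    own = effective(board, sharer)
    if "share" not in own:  # assumption: sharing needs the "share" permission
        return 403
    asked = {"read"} | {name for name, on in
                        (("edit", edit), ("share", share_), ("manage", manage))
                        if on}
    # Intersecting with the sharer's own set stops privilege escalation
    # through a reshare (user1 cannot hand out edit or manage it lacks).
    board.acl[target] = frozenset(asked & own)
    return 200
```
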