From c7280953dd2f00ad6c6a3513b0c93773e2055b35 Mon Sep 17 00:00:00 2001 From: snipe Date: Thu, 17 Jul 2025 20:08:32 +0100 Subject: [PATCH] Added/updated tests Signed-off-by: snipe --- tests/Feature/Users/Api/UpdateUserTest.php | 39 +++++++-- tests/Feature/Users/Ui/UpdateUserTest.php | 96 ++++++++++++++++++++-- 2 files changed, 122 insertions(+), 13 deletions(-) diff --git a/tests/Feature/Users/Api/UpdateUserTest.php b/tests/Feature/Users/Api/UpdateUserTest.php index e70471770f..a581256dbf 100644 --- a/tests/Feature/Users/Api/UpdateUserTest.php +++ b/tests/Feature/Users/Api/UpdateUserTest.php @@ -109,7 +109,7 @@ class UpdateUserTest extends TestCase 'password' => 'super-secret', 'password_confirmation' => 'super-secret', 'email' => 'mabel@onlymurderspod.com', - 'permissions' => '{"a.new.permission":"1"}', + //'permissions' => '{"a.new.permission":"1"}', 'activated' => true, 'phone' => '619-555-5555', 'jobtitle' => 'Host', @@ -136,7 +136,7 @@ class UpdateUserTest extends TestCase $this->assertEquals('mabel', $user->username, 'Username was not updated'); $this->assertTrue(Hash::check('super-secret', $user->password), 'Password was not updated'); $this->assertEquals('mabel@onlymurderspod.com', $user->email, 'Email was not updated'); - $this->assertArrayHasKey('a.new.permission', $user->decodePermissions(), 'Permissions were not updated'); + //$this->assertArrayHasKey('a.new.permission', $user->decodePermissions(), 'Permissions were not updated'); $this->assertTrue((bool) $user->activated, 'User not marked as activated'); $this->assertEquals('619-555-5555', $user->phone, 'Phone was not updated'); $this->assertEquals('Host', $user->jobtitle, 'Job title was not updated'); @@ -162,7 +162,7 @@ class UpdateUserTest extends TestCase public function testApiUsersCanBeActivatedWithNumber() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => 0]); $this->actingAsForApi($admin) @@ -175,7 +175,7 @@ class UpdateUserTest extends TestCase public function testApiUsersCanBeActivatedWithBooleanTrue() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => false]); $this->actingAsForApi($admin) @@ -188,7 +188,7 @@ class UpdateUserTest extends TestCase public function testApiUsersCanBeDeactivatedWithNumber() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => true]); $this->actingAsForApi($admin) @@ -201,7 +201,7 @@ class UpdateUserTest extends TestCase public function testApiUsersCanBeDeactivatedWithBooleanFalse() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => true]); $this->actingAsForApi($admin) @@ -212,6 +212,33 @@ class UpdateUserTest extends TestCase $this->assertEquals(0, $user->refresh()->activated); } + public function testEditingUsersCannotEditEscalationFieldsForAdmins() + { + $hashed_original = Hash::make('!!094850394680980380kfejlskjfl'); + $hashed_new = Hash::make('!ABCDEFGIJKL123!!!'); + $admin = User::factory()->editUsers()->create(); + $user = User::factory()->admin()->create(['username' => 'brandnewuser', 'email'=> 'brandnewemail@example.org', 'password' => $hashed_original, 'activated' => 1]); + + + $this->assertDatabaseHas('users', [ + 'id' => $user->id, + 'username' => 'brandnewuser', + 'email' => 'brandnewemail@example.org', + 'activated' => 1, + 'password' => $hashed_original, + ]); + + $this->actingAsForApi($admin) + ->patch(route('api.users.update', $user), [ + 'username' => 'testnewusername', + 'email' => 'testnewemail@example.org', + 'activated' => 0, + 'password' => $hashed_new, + ]); + + $this->assertEquals(0, $user->refresh()->activated); + + } public function testUsersScopedToCompanyDuringUpdateWhenMultipleFullCompanySupportEnabled() { $this->settings->enableMultipleFullCompanySupport(); diff --git a/tests/Feature/Users/Ui/UpdateUserTest.php b/tests/Feature/Users/Ui/UpdateUserTest.php index 4728531be6..2a82cde3ca 100644 --- a/tests/Feature/Users/Ui/UpdateUserTest.php +++ b/tests/Feature/Users/Ui/UpdateUserTest.php @@ -7,17 +7,18 @@ use App\Models\Company; use App\Models\User; use Error; use Tests\TestCase; +use Illuminate\Support\Facades\Hash; class UpdateUserTest extends TestCase { public function testPageRenders() { - $this->actingAs(User::factory()->superuser()->create()) + $this->actingAs(User::factory()->editUsers()->create()) ->get(route('users.edit', User::factory()->create()->id)) ->assertOk(); } - public function testCannotViewEditPageForSoftDeletedUser() + public function testCanViewEditPageForSoftDeletedUser() { $user = User::factory()->trashed()->create(); @@ -28,7 +29,7 @@ class UpdateUserTest extends TestCase public function testUsersCanBeActivatedWithNumber() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => 0]); $this->actingAs($admin) @@ -43,7 +44,7 @@ class UpdateUserTest extends TestCase public function testUsersCanBeActivatedWithBooleanTrue() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => false]); $this->actingAs($admin) @@ -58,7 +59,7 @@ class UpdateUserTest extends TestCase public function testUsersCanBeDeactivatedWithNumber() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => true]); $this->actingAs($admin) @@ -73,7 +74,7 @@ class UpdateUserTest extends TestCase public function testUsersCanBeDeactivatedWithBooleanFalse() { - $admin = User::factory()->superuser()->create(); + $admin = User::factory()->editUsers()->create(); $user = User::factory()->create(['activated' => true]); $this->actingAs($admin) @@ -88,7 +89,7 @@ class UpdateUserTest extends TestCase public function testUsersUpdatingThemselvesDoNotDeactivateTheirAccount() { - $admin = User::factory()->superuser()->create(['activated' => true]); + $admin = User::factory()->editUsers()->create(['activated' => true]); $this->actingAs($admin) ->put(route('users.update', $admin), [ @@ -99,6 +100,87 @@ class UpdateUserTest extends TestCase $this->assertEquals(1, $admin->refresh()->activated); } + public function testEditingUsersCannotEditEscalationFieldsForAdmins() + { + $admin = User::factory()->editUsers()->create(['activated' => true]); + $hashed_original = Hash::make('!!094850394680980380kfejlskjfl'); + $hashed_new = Hash::make('!ABCDEFGIJKL123!!!'); + $user = User::factory()->admin()->create(['username' => 'brandnewuser', 'email'=> 'brandnewemail@example.org', 'password' => $hashed_original, 'activated' => true]); + + $this->assertDatabaseHas('users', [ + 'id' => $user->id, + 'username' => 'brandnewuser', + 'email' => 'brandnewemail@example.org', + 'activated' => 1, + 'password' => $hashed_original, + ]); + + $this->actingAs($admin) + ->put(route('users.update', $user), [ + 'username' => 'testnewusername', + 'email' => 'testnewemail@example.org', + 'activated' => 0, + 'password' => 'super-secret', + ]); + + $this->assertDatabaseHas('users', [ + 'id' => $user->id, + 'username' => $user->username, + 'email' => $user->email, + 'activated' => $user->activated, + 'password' => $hashed_original, + ]); + + $this->assertEquals('brandnewuser', $user->refresh()->username); + $this->assertEquals('brandnewemail@example.org', $user->refresh()->email); + $this->assertEquals(1, $user->refresh()->activated); + $this->assertNotEquals(Hash::check('super-secret', $user->password), $user->refresh()->password); + $this->assertNotEquals('testnewusername', $user->refresh()->username); + $this->assertNotEquals('testnewemail@example.org', $user->refresh()->email); + $this->assertNotEquals(0, $user->refresh()->activated); + $this->assertNotEquals(Hash::check('super-secret', $user->password), $user->refresh()->password); + } + + public function testAdminUsersCannotEditFieldsForSuperAdmins() + { + $admin = User::factory()->admin()->create(['activated' => true]); + $hashed_original = Hash::make('my-awesome-password'); + $user = User::factory()->superuser()->create(['username' => 'brandnewuser', 'email'=> 'brandnewemail@example.org', 'password' => $hashed_original, 'activated' => true]); + + $this->assertDatabaseHas('users', [ + 'id' => $user->id, + 'username' => 'brandnewuser', + 'email' => 'brandnewemail@example.org', + 'activated' => 1, + 'password' => $hashed_original, + ]); + + $this->actingAs($admin) + ->put(route('users.update', $user), [ + 'username' => 'testnewusername', + 'email' => 'testnewemail@example.org', + 'activated' => 0, + 'password' => 'super-secret-new-password', + ]); + + $this->assertDatabaseHas('users', [ + 'id' => $user->id, + 'username' => $user->username, + 'email' => $user->email, + 'activated' => $user->activated, + 'password' => $hashed_original, + ]); + + $this->assertEquals('brandnewuser', $user->refresh()->username); + $this->assertEquals('brandnewemail@example.org', $user->refresh()->email); + $this->assertEquals(1, $user->refresh()->activated); + $this->assertTrue(Hash::check('my-awesome-password', $user->password), $user->refresh()->password); + $this->assertNotEquals('testnewusername', $user->refresh()->username); + $this->assertNotEquals('testnewemail@example.org', $user->refresh()->email); + $this->assertNotTrue(Hash::check('super-secret-new-password', $user->password), $user->refresh()->password); + } + + public function testMultiCompanyUserCannotBeMovedIfHasAssetInDifferentCompany() { $this->settings->enableMultipleFullCompanySupport();