mirror_php/humhub
1
0
Fork 0
mirror of https://github.com/humhub/humhub.git synced 2025-01-17 06:08:21 +01:00
Code Issues Projects Releases Wiki Activity

Fix: Prevent Internal Server Error in ApprovalController for guest users.

Browse Source 
Fix: Added Group validation to prevent adding registration group behavior to admin group
This commit is contained in:
buddh4 2019-10-21 21:22:22 +02:00
parent 2d065f58ca
commit 75c123badf
7 changed files with 192 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
protected/humhub/modules/admin/controllers/ApprovalController.php
View File

@ -8,6 +8,7 @@
namespace humhub\modules\admin\controllers;
use humhub\components\access\ControllerAccess;
use humhub\modules\admin\models\UserApprovalSearch;
use Yii;
use yii\helpers\Html;
@ -44,6 +45,7 @@ class ApprovalController extends Controller
public function getAccessRules()
{
return [
[ControllerAccess::RULE_LOGGED_IN_ONLY],
['checkCanApproveUsers'],
];
}

142
protected/humhub/modules/admin/tests/codeception/functional/ApprovalCest.php Normal file
View File

@ -0,0 +1,142 @@
<?php
namespace admin\functional;
use humhub\modules\admin\permissions\ManageModules;
use humhub\modules\admin\permissions\ManageSpaces;
use humhub\modules\admin\permissions\SeeAdminInformation;
use humhub\modules\user\models\Invite;
use tests\codeception\_pages\AdminPage;
use admin\FunctionalTester;
use Yii;
class ApprovalCest
{
public function testApproveByAdmin(FunctionalTester $I)
{
$I->wantTo('ensure that admins can approve users');
$settingsManager = Yii::$app->getModule('user')->settings;
$settingsManager->set('auth.needApproval', 1);
$settingsManager->set('auth.anonymousRegistration', 1);
$settingsManager->set('auth.allowGuestAccess', 0);
$this->register($I);
$I->amAdmin();
$this->approveUser($I);
}
public function testApproveByGroupManager(FunctionalTester $I)
{
$I->wantTo('ensure that group manager can approve users');
$settingsManager = Yii::$app->getModule('user')->settings;
$settingsManager->set('auth.needApproval', 1);
$settingsManager->set('auth.anonymousRegistration', 1);
$settingsManager->set('auth.allowGuestAccess', 0);
$this->register($I);
// User1 is group manager of the User group which is the only gorup available at registration
$I->amUser1();
$this->approveUser($I);
}
public function testApproveNotAllowedByOtherGroupManager(FunctionalTester $I)
{
$I->wantTo('ensure that group manager can not approve users of another group');
$settingsManager = Yii::$app->getModule('user')->settings;
$settingsManager->set('auth.needApproval', 1);
$settingsManager->set('auth.anonymousRegistration', 1);
$settingsManager->set('auth.allowGuestAccess', 0);
$this->register($I);
// User2
$I->amUser2();
$I->amOnDashboard();
$I->see('New approval requests');
$I->click('Click here to review');
$I->see('Pending user approvals');
$I->dontSee('approvalTest@test.de');
// This user was created by fixtures
$I->see('unnapproved@example.com');
// Try to approve the user of another group
$I->amOnRoute('/admin/approval/approve', ['id' => 8]);
$I->seeResponseCodeIs(404);
}
public function testApproveNotAllowedByNormalUser(FunctionalTester $I)
{
$I->wantTo('ensure that normal users have no access to the approval page');
$settingsManager = Yii::$app->getModule('user')->settings;
$settingsManager->set('auth.needApproval', 1);
$settingsManager->set('auth.anonymousRegistration', 1);
$settingsManager->set('auth.allowGuestAccess', 0);
$this->register($I);
// User2
$I->amUser3();
$I->amOnDashboard();
$I->dontSee('New approval requests');
$I->amOnRoute('/admin/approval');
$I->seeResponseCodeIs(403);
$I->amOnRoute('/admin/approval/approve', ['id' => 8]);
$I->seeResponseCodeIs(403);
}
private function register(FunctionalTester $I)
{
$I->amOnRoute('/user/auth/login');
$I->see('Sign up');
$I->fillField('#register-email', 'approvalTest@test.de');
$I->click('Register');
$I->see('Registration successful!');
$invte = Invite::find()->all()[0];
$I->amOnRoute('/user/registration', ['token' => $invte->token]);
$I->see('Account registration');
$I->fillField(['name' => 'User[username]'], 'approvalTest');
$I->fillField(['name' => 'Password[newPassword]'], 'approva1TestPassword');
$I->fillField(['name' => 'Password[newPasswordConfirm]'], 'approva1TestPassword');
$I->fillField(['name' => 'Profile[firstname]'], 'approval');
$I->fillField(['name' => 'Profile[lastname]'], 'test');
$I->click('Create account');
$I->see('Your account has been successfully created!');
$I->see('After activating your account by the administrator');
}
private function approveUser(FunctionalTester $I)
{
$I->amOnDashboard();
$I->see('New approval requests');
$I->click('Click here to review');
$I->see('Pending user approvals');
$I->see('approvalTest@test.de');
$I->amOnRoute('/admin/approval/approve', ['id' => 8]);
$I->see('Accept user: approval test');
$I->click('Send & save');
$I->logout();
$I->amUser('approvalTest', 'approva1TestPassword');
$I->seeElement('#wallStream');
}
}

10
protected/humhub/modules/user/models/Group.php
View File

@ -58,9 +58,17 @@ class Group extends ActiveRecord
[['space_id', 'sort_order'], 'integer'],
[['description'], 'string'],
[['name'], 'string', 'max' => 45],
['show_at_registration', 'validateShowAtRegistration'],
];
}
public function validateShowAtRegistration($attribute, $params)
{
if($this->is_admin_group && $this->show_at_registration) {
$this->addError($attribute, 'Admin group can\'t be a registration group!');
}
}
/**
* @inheritdoc
*/
@ -328,7 +336,7 @@ class Group extends ActiveRecord
return $groups;
}
} else {
$groups = self::find()->where(['show_at_registration' => '1'])->orderBy('name ASC')->all();
$groups = self::find()->where(['show_at_registration' => 1, 'is_admin_group' => 0])->orderBy('name ASC')->all();
}
return $groups;

1
protected/humhub/modules/user/tests/codeception/fixtures/UserFullFixture.php
View File

@ -21,6 +21,7 @@ class UserFullFixture extends ActiveFixture
'humhub\modules\content\tests\codeception\fixtures\ContentContainerFixture',
'humhub\modules\user\tests\codeception\fixtures\UserPasswordFixture',
'humhub\modules\user\tests\codeception\fixtures\UserFollowFixture',
InviteFixture::class,
'humhub\modules\user\tests\codeception\fixtures\GroupFixture'
];

6
protected/humhub/modules/user/tests/codeception/fixtures/data/group.php
View File

@ -18,7 +18,7 @@
* GNU Affero General Public License for more details.
*/
return [
['id' => '1', 'space_id' => 1, 'name' => 'Administrator', 'description' => 'Administrator Group', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'ldap_dn' => null, 'is_admin_group' => 1],
['id' => '2', 'space_id' => 1, 'name' => 'Users', 'description' => 'Example Group by Installer', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'ldap_dn' => null],
['id' => '3', 'space_id' => 1, 'name' => 'Moderators', 'description' => 'Example Moderator group', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'ldap_dn' => null]
['id' => '1', 'space_id' => 1, 'name' => 'Administrator', 'description' => 'Administrator Group', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'ldap_dn' => null, 'show_at_registration' => 0, 'is_admin_group' => 1],
['id' => '2', 'space_id' => 1, 'name' => 'Users', 'description' => 'Example Group by Installer', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'ldap_dn' => null, 'show_at_registration' => 1],
['id' => '3', 'space_id' => 1, 'name' => 'Moderators', 'description' => 'Example Moderator group', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'ldap_dn' => null, 'show_at_registration' => 0]
];

2
protected/humhub/modules/user/tests/codeception/fixtures/data/group_user.php
View File

@ -19,7 +19,7 @@
*/
return [
['id' => 1, 'user_id' => 1, 'group_id' => 1, 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null],
['id' => 2, 'user_id' => 2, 'group_id' => 2, 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null],
['id' => 2, 'user_id' => 2, 'group_id' => 2, 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null, 'is_group_manager' => 1],
['id' => 3, 'user_id' => 3, 'group_id' => 3, 'is_group_manager' => '1', 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null],
['id' => 4, 'user_id' => 6, 'group_id' => 3, 'created_at' => '2014-08-30 14:03:49', 'created_by' => null, 'updated_at' => null, 'updated_by' => null]
];

34
protected/humhub/modules/user/tests/codeception/unit/GroupTest.php Normal file
View File

@ -0,0 +1,34 @@
<?php
namespace tests\codeception\unit;
use tests\codeception\_support\HumHubDbTestCase;
use humhub\modules\user\models\Group;
class GroupTest extends HumHubDbTestCase
{
public function testRegistrationGroups()
{
$groups = Group::getRegistrationGroups();
$this->assertCount(1, $groups);
$this->assertEquals('Users', $groups[0]->name);
$adminGroup = Group::getAdminGroup();
$this->assertEquals(1, $adminGroup->is_admin_group);
$adminGroup->show_at_registration = 1;
$this->assertFalse($adminGroup->save());
// Force save
$adminGroup->save(false);
// Update moderator group
Group::findOne(['id' => 3])->updateAttributes(['show_at_registration' => 1]);
// Make sure the admin group is not contained in registration groups even if show_at_registration is set
$groups = Group::getRegistrationGroups();
$this->assertCount(2, $groups);
$this->assertEquals('Moderators', $groups[0]->name);
$this->assertEquals('Users', $groups[1]->name);
}
}