opensupports/tests/system/apikey-permissions.rb


describe '/system/apikey-permissions' do
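# Fixture: log in as staff and mint one API key per permission so every spec
# below probes exactly one capability. A key that carries a permission lets
# the caller skip the captcha for that one operation; the specs check that
# every other operation still answers INVALID_CAPTCHA.
request('/user/logout')
Scripts.login($staff[:email], $staff[:password], true)

# Scripts.createAPIKey takes its flags positionally:
#   (name, canCreateUsers, canCreateTickets, canCheckTickets, shouldReturnTicketNumber)
# Writing them as `canCreateUsers=1` only assigns a throw-away local and passes
# the value positionally; the callee never sees the names, so plain literals
# make the real contract explicit.
apikeycanCreateUsersToken = Scripts.createAPIKey('create users', 1, 0, 0, 0)['data']
apikeycanCreateTickets = Scripts.createAPIKey('create tickets', 0, 1, 0, 0)['data']
apikeycanCheckTickets = Scripts.createAPIKey('comment tickets', 0, 0, 1, 0)['data']
apikeycanReturnTickets = Scripts.createAPIKey('create and return tickets', 0, 1, 0, 1)['data']

# Let anonymous callers reach /ticket/create and /ticket/check.
# NOTE(review): nothing in this file re-enables mandatory login afterwards.
request('/system/disable-mandatory-login', {
  "csrf_userid" => $csrf_userid,
  "csrf_token" => $csrf_token,
  "password" => "staff"
})
# Install the test recaptcha secret; the last spec resets it to "".
request('/system/edit-settings', {
  "csrf_userid" => $csrf_userid,
  "csrf_token" => $csrf_token,
  "recaptcha-private" => "THISISVALID"
})
request('/user/logout')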
it 'should fail ticket create if the apikey does not have create ticket permission' do
  # Fields shared by both attempts; only captcha/apiKey differ.
  base_ticket = {
    language: 'en',
    email: 'valid@os4.com',
    name: 'validname',
    title: 'try of title Ticket',
    content: 'try of content Ticket',
    departmentId: 1
  }
  csrf = { csrf_userid: $csrf_userid, csrf_token: $csrf_token }

  # Baseline: no API key and a bad captcha -> rejected at the captcha check.
  no_key = request('/ticket/create', base_ticket.merge(captcha: 'invalid captcha').merge(csrf))
  no_key['status'].should.equal('fail')
  no_key['message'].should.equal('INVALID_CAPTCHA')

  # A key scoped to checking tickets must not unlock ticket creation.
  wrong_key = request('/ticket/create',
                      base_ticket.merge(captcha: 'THISISVALID', apiKey: apikeycanCheckTickets).merge(csrf))
  wrong_key['status'].should.equal('fail')
  wrong_key['message'].should.equal('INVALID_CAPTCHA')
end
it 'should create ticket if the apikey has the correct permission' do
  # Builds a /ticket/create payload whose title/content name the key under test.
  # The captcha is deliberately invalid: a correctly scoped key must bypass it.
  payload_for = lambda do |label, key|
    {
      language: 'en',
      email: 'valid@os4.com',
      title: "ticket created with #{label}",
      name: 'validname',
      content: "content of Ticket #{label}",
      departmentId: 1,
      captcha: 'INVALID',
      apiKey: key,
      csrf_userid: $csrf_userid,
      csrf_token: $csrf_token
    }
  end

  # Key without shouldReturnTicketNumber: success, but no ticket data echoed back.
  created = request('/ticket/create', payload_for.call('apikeycanCreateTickets', apikeycanCreateTickets))
  created['status'].should.equal('success')
  created['data'].should.equal(nil)

  # Key with shouldReturnTicketNumber: the response carries the stored ticket_number.
  returned = request('/ticket/create', payload_for.call('apikeycanReturnTickets', apikeycanReturnTickets))
  stored = $database.getRow('ticket', 'ticket created with apikeycanReturnTickets', 'title')
  returned['status'].should.equal('success')
  returned['data']['ticketNumber'].should.equal(stored['ticket_number'])
end
it 'should fail comment ticket if the apikey permission is wrong' do
  ticket = $database.getRow('ticket', 'ticket created with apikeycanReturnTickets', 'title')
  author = $database.getRow('user', ticket['author_id'], 'id')
  comment = {
    email: author['email'],
    content: 'some comment content',
    ticketNumber: ticket['ticket_number']
  }
  csrf = { csrf_userid: $csrf_userid, csrf_token: $csrf_token }

  # None of these keys carries canCheckTickets, so the invalid captcha must
  # still be enforced. The first attempt is sent without CSRF fields.
  attempts = [
    comment.merge(captcha: 'INVALID', apiKey: apikeycanReturnTickets),
    comment.merge(csrf).merge(captcha: 'INVALID', apiKey: apikeycanCreateUsersToken),
    comment.merge(csrf).merge(captcha: 'INVALID', apiKey: apikeycanCreateTickets)
  ]
  attempts.each do |params|
    outcome = request('/ticket/check', params)
    outcome['status'].should.equal('fail')
    outcome['message'].should.equal('INVALID_CAPTCHA')
  end
end
it 'should success comment ticket if the apikey permission is correct' do
  ticket = $database.getRow('ticket', 'ticket created with apikeycanReturnTickets', 'title')
  author = $database.getRow('user', ticket['author_id'], 'id')
  # canCheckTickets is the one permission that lets an invalid captcha through here.
  outcome = request('/ticket/check', {
    email: author['email'],
    content: 'some comment content',
    ticketNumber: ticket['ticket_number'],
    csrf_userid: $csrf_userid,
    csrf_token: $csrf_token,
    captcha: 'INVALID',
    apiKey: apikeycanCheckTickets
  })
  outcome['status'].should.equal('success')
end
it 'should fail signing up user if the apikey permission is wrong' do
  request('/user/logout')
  signup = {
    name: 'Petyr Baelish',
    email: 'littlefinger@got.com',
    password: 'Catelyn<3',
    captcha: 'INVALID'
  }
  # None of these keys carries canCreateUsers, so the captcha stays mandatory.
  [apikeycanCreateTickets, apikeycanCheckTickets, apikeycanReturnTickets].each do |key|
    outcome = request('/user/signup', signup.merge(apiKey: key))
    outcome['status'].should.equal('fail')
    outcome['message'].should.equal('INVALID_CAPTCHA')
  end
end
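it 'should success signing up user if the apikey permission is correct' do
  begin
    # Only the key created with canCreateUsers may bypass the captcha on signup.
    result = request('/user/signup', {
      name: 'Petyr Baelish',
      email: 'littlefinger@got.com',
      password: 'Catelyn<3',
      captcha: 'INVALID',
      apiKey: apikeycanCreateUsersToken
    })
    result['status'].should.equal('success')
  ensure
    # Suite teardown lives in this last spec; run it even when the assertion
    # above fails so the test recaptcha secret does not leak into later suites.
    Scripts.login($staff[:email], $staff[:password], true)
    request('/system/edit-settings', {
      "csrf_userid" => $csrf_userid,
      "csrf_token" => $csrf_token,
      "recaptcha-private" => ""
    })
    request('/user/logout')
  end
end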
end