groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-05-13 15:01:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Test/Validate authentication of endpoints

Browse source
This commit is contained in:
Jan Böhmer 2026-05-11 22:46:00 +02:00
parent 7d27bff062
commit 47ab18175f
3 changed files with 536 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

152
tests/Controller/SelectApiControllerTest.php Normal file
View file

@ -0,0 +1,152 @@
<?php
declare(strict_types=1);
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2026 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace App\Tests\Controller;
use App\Entity\UserSystem\User;
use Doctrine\ORM\EntityManagerInterface;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Group;
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
/**
* Tests the SelectAPIController endpoints used by select2 widgets.
* These JSON endpoints back every structural-entity dropdown in the UI.
*/
#[Group('DB')]
#[Group('slow')]
final class SelectApiControllerTest extends WebTestCase
{
public static function endpointProvider(): \Generator
{
yield 'category' => ['/en/select_api/category'];
yield 'footprint' => ['/en/select_api/footprint'];
yield 'manufacturer' => ['/en/select_api/manufacturer'];
yield 'measurement_unit' => ['/en/select_api/measurement_unit'];
yield 'project' => ['/en/select_api/project'];
yield 'storage_location' => ['/en/select_api/storage_location'];
yield 'label_profiles' => ['/en/select_api/label_profiles'];
}
private function adminClient(): KernelBrowser
{
$client = static::createClient();
$em = static::getContainer()->get(EntityManagerInterface::class);
$admin = $em->getRepository(User::class)->findOneBy(['name' => 'admin']);
if ($admin === null) {
$this->markTestSkipped('Fixture user admin not found.');
}
$client->loginUser($admin);
return $client;
}
// -----------------------------------------------------------------------
// Response format
// -----------------------------------------------------------------------
#[DataProvider('endpointProvider')]
public function testEndpointReturns200WithJsonContentType(string $url): void
{
$client = $this->adminClient();
$client->request('GET', $url);
$this->assertResponseIsSuccessful();
$this->assertResponseHeaderSame('content-type', 'application/json');
}
#[DataProvider('endpointProvider')]
public function testEndpointReturnsValidJsonArray(string $url): void
{
$client = $this->adminClient();
$client->request('GET', $url);
$body = $client->getResponse()->getContent();
$decoded = json_decode($body, true);
$this->assertIsArray($decoded, "Response from $url is not a valid JSON array");
}
#[DataProvider('endpointProvider')]
public function testEachEntryHasTextAndValueKeys(string $url): void
{
$client = $this->adminClient();
$client->request('GET', $url);
$decoded = json_decode($client->getResponse()->getContent(), true);
// Some endpoints include an empty "select none" entry at index 0; all entries must have text + value
foreach ($decoded as $entry) {
$this->assertArrayHasKey('text', $entry, "Entry in $url missing 'text' key");
$this->assertArrayHasKey('value', $entry, "Entry in $url missing 'value' key");
}
}
// -----------------------------------------------------------------------
// Access control
// -----------------------------------------------------------------------
#[DataProvider('endpointProvider')]
public function testUnauthenticatedCanReadSelectApi(string $url): void
{
// The anonymous user (readonly group) has read access to structural entities,
// so these endpoints return 200 even without a session.
$client = static::createClient();
$client->request('GET', $url);
$this->assertResponseIsSuccessful();
}
#[DataProvider('endpointProvider')]
public function testNoreadUserIsDenied(string $url): void
{
$client = static::createClient();
$em = static::getContainer()->get(EntityManagerInterface::class);
$noread = $em->getRepository(User::class)->findOneBy(['name' => 'noread']);
if ($noread === null) {
$this->markTestSkipped('Fixture user noread not found.');
}
$client->loginUser($noread);
$client->followRedirects(false);
$client->request('GET', $url);
$response = $client->getResponse();
$this->assertTrue(
$response->getStatusCode() === 403 || $response->isRedirect(),
"Expected 403 or redirect for noread user on $url, got " . $response->getStatusCode()
);
}
#[DataProvider('endpointProvider')]
public function testEditorUserCanAccess(string $url): void
{
$client = static::createClient();
$em = static::getContainer()->get(EntityManagerInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['name' => 'user']);
if ($user === null) {
$this->markTestSkipped('Fixture user user not found.');
}
$client->loginUser($user);
$client->request('GET', $url);
$this->assertResponseIsSuccessful();
}
}