From 2a8adc5bd062a23d210a253b3e57b11989987ade Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 14:34:49 -0500
Subject: [PATCH 01/11] Fixing missing user check
---
 src/Core/Tool/Authorizer/FormAuthorizer.php | 2 +-
 src/Core/Tool/Authorizer/LayerAuthorizer.php | 2 +-
 src/Core/Tool/Authorizer/MediaAuthorizer.php | 2 +-
 src/Core/Tool/Authorizer/PostAuthorizer.php | 6 +++++-
 src/Core/Tool/Authorizer/RoleAuthorizer.php | 4 ++--
 src/Core/Tool/Authorizer/SetAuthorizer.php | 2 +-
 src/Core/Tool/Authorizer/TagAuthorizer.php | 2 +-
 src/Core/Tool/Authorizer/TosAuthorizer.php | 4 ++--
 src/Core/Tool/Authorizer/UserAuthorizer.php | 2 +-
 9 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/Core/Tool/Authorizer/FormAuthorizer.php b/src/Core/Tool/Authorizer/FormAuthorizer.php
index 516b171b99..43f1e6aa8f 100644
--- a/src/Core/Tool/Authorizer/FormAuthorizer.php
+++ b/src/Core/Tool/Authorizer/FormAuthorizer.php
@@ -83,7 +83,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // If a form is not disabled, then *anyone* can view it.
- if ($privilege === 'read' && !$this->isFormDisabled($entity)) {
+ if ($user->getId() and $privilege === 'read' && !$this->isFormDisabled($entity)) {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/LayerAuthorizer.php b/src/Core/Tool/Authorizer/LayerAuthorizer.php
index c318b5ea72..9ac22e8198 100644
--- a/src/Core/Tool/Authorizer/LayerAuthorizer.php
+++ b/src/Core/Tool/Authorizer/LayerAuthorizer.php
@@ -54,7 +54,7 @@ public function isAllowed(Entity $entity, $privilege)
 // If a post is active then *anyone* can view it.
 // Only an admin can view inactive layers or create/edit/update layers
- if ($privilege === 'read' && $this->isLayerActive($entity)) {
+ if ($user->getId() and $privilege === 'read' && $this->isLayerActive($entity)) {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/MediaAuthorizer.php b/src/Core/Tool/Authorizer/MediaAuthorizer.php
index daab9db3df..ed3745a11f 100644
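Review bot: The guard added in the FormAuthorizer hunk, `$user->getId() and $privilege === 'read' && …`, mixes the low-precedence `and` with `&&`, and the comment above it still says *anyone* can view the form although the branch now needs a user id. The same `$user->getId() and …` form is added in the Layer, Media, Post, Role, Set, Tag, Tos and User hunks of this patch, and the LayerAuthorizer comment is stale in the same way. I would write the condition with one operator, `if ($user->getId() && $privilege === 'read' && !$this->isFormDisabled($entity)) {`, and reword the comment to `// If a form is not disabled, any user with an id can view it.`. `$user` is assigned outside the hunk, so what `getId()` returns for an anonymous caller is not visible here; the truthiness test also treats an id of `0` as anonymous, which is presumably intended but worth confirming.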
--- a/src/Core/Tool/Authorizer/MediaAuthorizer.php
+++ b/src/Core/Tool/Authorizer/MediaAuthorizer.php
@@ -58,7 +58,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // All users are allowed to view and create new media files.
- if (in_array($privilege, ['read', 'create', 'search'])) {
+ if ($user->getId() and in_array($privilege, ['read', 'create', 'search'])) {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/PostAuthorizer.php b/src/Core/Tool/Authorizer/PostAuthorizer.php
index e106acce4d..bb08da23cc 100644
--- a/src/Core/Tool/Authorizer/PostAuthorizer.php
+++ b/src/Core/Tool/Authorizer/PostAuthorizer.php
@@ -121,7 +121,11 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // All users are allowed to create and search posts.
- if (in_array($privilege, ['create', 'search'])) {
+ if (in_array($privilege, ['create'])) {
+ return true;
+ }
+
+ if ($user->getId() and in_array($privilege, ['search'])) {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/RoleAuthorizer.php b/src/Core/Tool/Authorizer/RoleAuthorizer.php
index 08a5965d7d..20b8a3da18 100644
--- a/src/Core/Tool/Authorizer/RoleAuthorizer.php
+++ b/src/Core/Tool/Authorizer/RoleAuthorizer.php
@@ -42,11 +42,11 @@ public function isAllowed(Entity $entity, $privilege)
 return true;
 }
- if ($privilege === 'read') {
+ if ($user->getId() and $privilege === 'read') {
 return true;
 }
 // All users are allowed to search forms.
- if ($privilege === 'search') {
+ if ($user->getId() and $privilege === 'search') {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/SetAuthorizer.php b/src/Core/Tool/Authorizer/SetAuthorizer.php
index bd7020801f..87d3116538 100644
--- a/src/Core/Tool/Authorizer/SetAuthorizer.php
+++ b/src/Core/Tool/Authorizer/SetAuthorizer.php
@@ -92,7 +92,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // Finally, all users can search sets
- if ($privilege === 'search') {
+ if ($user->getId() and $privilege === 'search') {
 return true;
 }
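Review bot: In the RoleAuthorizer hunk the two added guards are identical apart from the privilege name, and the comment kept between them says `// All users are allowed to search forms.` although this file authorizes roles and the branch now requires a user id. One branch would do, `if ($user->getId() && in_array($privilege, ['read', 'search'], true)) {`, under a comment such as `// Users with an id may read and search roles.`. isAllowed() starts and ends outside the hunk, so the earlier checks this branch relies on are not visible here.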
diff --git a/src/Core/Tool/Authorizer/TagAuthorizer.php b/src/Core/Tool/Authorizer/TagAuthorizer.php
index 98ac514fd6..82bd962b77 100644
--- a/src/Core/Tool/Authorizer/TagAuthorizer.php
+++ b/src/Core/Tool/Authorizer/TagAuthorizer.php
@@ -78,7 +78,7 @@ public function isAllowed(Entity $entity, $privilege)
 return true;
 }
- if ($privilege === 'search') {
+ if ($user->getId() and $privilege === 'search') {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/TosAuthorizer.php b/src/Core/Tool/Authorizer/TosAuthorizer.php
index bf100d476e..3d831b4e63 100644
--- a/src/Core/Tool/Authorizer/TosAuthorizer.php
+++ b/src/Core/Tool/Authorizer/TosAuthorizer.php
@@ -54,11 +54,11 @@ public function isAllowed(Entity $entity, $privilege)
 return false;
 }
- if ($privilege === 'create') {
+ if ($user->getId() and $privilege === 'create') {
 return true;
 }
- if ($privilege === 'search') {
+ if ($user->getId() and $privilege === 'search') {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
index ea617dde4e..e15434d17c 100644
--- a/src/Core/Tool/Authorizer/UserAuthorizer.php
+++ b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -86,7 +86,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // Regular user can always read
- if (in_array($privilege, ['read', 'search'])) {
+ if ($user->getId() and in_array($privilege, ['read', 'search'])) {
 return true;
 }
From c1e5b9c41426ac8179ecba85f2588ec8d2a4478e Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 14:39:02 -0500
Subject: [PATCH 02/11] reverting form change
---
 src/Core/Tool/Authorizer/FormAuthorizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/FormAuthorizer.php b/src/Core/Tool/Authorizer/FormAuthorizer.php
index 43f1e6aa8f..516b171b99 100644
--- a/src/Core/Tool/Authorizer/FormAuthorizer.php
+++ b/src/Core/Tool/Authorizer/FormAuthorizer.php
@@ -83,7 +83,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // If a form is not disabled, then *anyone* can view it.
- if ($user->getId() and $privilege === 'read' && !$this->isFormDisabled($entity)) {
+ if ($privilege === 'read' && !$this->isFormDisabled($entity)) {
 return true;
 }
From cdc686d8f2d36ee73332044c85c2b022c9aaef40 Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 14:40:31 -0500
Subject: [PATCH 03/11] revert change to post
---
 src/Core/Tool/Authorizer/PostAuthorizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/PostAuthorizer.php b/src/Core/Tool/Authorizer/PostAuthorizer.php
index bb08da23cc..cc21ad7e0d 100644
--- a/src/Core/Tool/Authorizer/PostAuthorizer.php
+++ b/src/Core/Tool/Authorizer/PostAuthorizer.php
@@ -125,7 +125,7 @@ public function isAllowed(Entity $entity, $privilege)
 return true;
 }
- if ($user->getId() and in_array($privilege, ['search'])) {
+ if (in_array($privilege, ['search'])) {
 return true;
 }
From 4006b3db05d26e17b87a2be2f2194c0e320b060b Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 15:06:30 -0500
Subject: [PATCH 04/11] reverting tags
---
 src/Core/Tool/Authorizer/TagAuthorizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/TagAuthorizer.php b/src/Core/Tool/Authorizer/TagAuthorizer.php
index 82bd962b77..98ac514fd6 100644
--- a/src/Core/Tool/Authorizer/TagAuthorizer.php
+++ b/src/Core/Tool/Authorizer/TagAuthorizer.php
@@ -78,7 +78,7 @@ public function isAllowed(Entity $entity, $privilege)
 return true;
 }
- if ($user->getId() and $privilege === 'search') {
+ if ($privilege === 'search') {
 return true;
 }
From 369c857995a36c628df74441ae54ee504d3104d9 Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 15:06:53 -0500
Subject: [PATCH 05/11] reverting posts
---
 src/Core/Tool/Authorizer/PostAuthorizer.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
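Review bot: Reverting the guard in the FormAuthorizer hunk of patch 02 makes `read` on a non-disabled form available again to callers without a user id, and neither the code nor the commit message records that this is the intended public surface. The same applies to the reverts of `search` in PostAuthorizer (patches 03 and 05), TagAuthorizer (patch 04) and SetAuthorizer (patch 06), and of `read`/`create`/`search` in MediaAuthorizer (patch 08). If the access is deliberate, a comment naming the decision would keep a later audit from re-adding the check, for example `// Intentionally public: callers without a user id may read enabled forms.` here and the equivalent line in the other files. Whether a client depends on anonymous access cannot be confirmed from these hunks.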
diff --git a/src/Core/Tool/Authorizer/PostAuthorizer.php b/src/Core/Tool/Authorizer/PostAuthorizer.php
index cc21ad7e0d..e106acce4d 100644
--- a/src/Core/Tool/Authorizer/PostAuthorizer.php
+++ b/src/Core/Tool/Authorizer/PostAuthorizer.php
@@ -121,11 +121,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // All users are allowed to create and search posts.
- if (in_array($privilege, ['create'])) {
- return true;
- }
-
- if (in_array($privilege, ['search'])) {
+ if (in_array($privilege, ['create', 'search'])) {
 return true;
 }
From 0bceb331daddd35b6a762eafb86445e1bc333d04 Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 15:07:34 -0500
Subject: [PATCH 06/11] remove set
---
 src/Core/Tool/Authorizer/SetAuthorizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/SetAuthorizer.php b/src/Core/Tool/Authorizer/SetAuthorizer.php
index 87d3116538..bd7020801f 100644
--- a/src/Core/Tool/Authorizer/SetAuthorizer.php
+++ b/src/Core/Tool/Authorizer/SetAuthorizer.php
@@ -92,7 +92,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // Finally, all users can search sets
- if ($user->getId() and $privilege === 'search') {
+ if ($privilege === 'search') {
 return true;
 }
From 56a5ea6ce2aee076fb0e9e9c32147c5ccdee1b0e Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 15:20:10 -0500
Subject: [PATCH 07/11] changing user auth
---
 src/Core/Tool/Authorizer/UserAuthorizer.php | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
index e15434d17c..dda81db933 100644
--- a/src/Core/Tool/Authorizer/UserAuthorizer.php
+++ b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -85,11 +85,6 @@ public function isAllowed(Entity $entity, $privilege)
 return true;
 }
- // Regular user can always read
- if ($user->getId() and in_array($privilege, ['read', 'search'])) {
- return true;
- }
-
 // Users should always be allowed to register
 if ($privilege === 'register') {
 return true;
From f33813b78f28800ebca5c3e5aef59aae1fb87699 Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 16:07:48 -0500
Subject: [PATCH 08/11] Revert media
---
 src/Core/Tool/Authorizer/MediaAuthorizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/MediaAuthorizer.php b/src/Core/Tool/Authorizer/MediaAuthorizer.php
index ed3745a11f..daab9db3df 100644
--- a/src/Core/Tool/Authorizer/MediaAuthorizer.php
+++ b/src/Core/Tool/Authorizer/MediaAuthorizer.php
@@ -58,7 +58,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // All users are allowed to view and create new media files.
- if ($user->getId() and in_array($privilege, ['read', 'create', 'search'])) {
+ if (in_array($privilege, ['read', 'create', 'search'])) {
 return true;
 }
From 2e44dd4b3f16dc0b47872cfada25f2372efc4566 Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 16:09:13 -0500
Subject: [PATCH 09/11] Remove search from media
---
 src/Core/Tool/Authorizer/MediaAuthorizer.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/MediaAuthorizer.php b/src/Core/Tool/Authorizer/MediaAuthorizer.php
index daab9db3df..976502807d 100644
--- a/src/Core/Tool/Authorizer/MediaAuthorizer.php
+++ b/src/Core/Tool/Authorizer/MediaAuthorizer.php
@@ -58,7 +58,11 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // All users are allowed to view and create new media files.
- if (in_array($privilege, ['read', 'create', 'search'])) {
+ if ($user->getId() and in_array($privilege, ['search'])) {
+ return true;
+ }
+
+ if (in_array($privilege, ['read', 'create'])) {
 return true;
 }
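Review bot: In the MediaAuthorizer hunk of patch 09 the comment `// All users are allowed to view and create new media files.` now sits above the `search` guard, while the branch it describes follows without a comment and still grants `create` to callers without a user id. If anonymous upload is intended it deserves its own statement; I would move the existing comment down to the `['read', 'create']` branch and put `// Only users with an id may search media.` above the new guard. Both `in_array` calls compare loosely, so passing `true` as the third argument, as in `in_array($privilege, ['read', 'create'], true)`, keeps a non-string privilege value from matching by type coercion. isAllowed() continues outside the hunk, so how `$privilege` is produced is not visible here.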
From 4fee6f8b8d89c30bfabca4fc9d425b4cae71c568 Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 17:16:46 -0500
Subject: [PATCH 10/11] Adding read perm
---
 src/Core/Tool/Authorizer/UserAuthorizer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
index dda81db933..55bc604f3b 100644
--- a/src/Core/Tool/Authorizer/UserAuthorizer.php
+++ b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -81,7 +81,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // Regular user should be able to update and read_full only self
- if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full'])) {
+ if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full', read])) {
 return true;
 }
From e220d2d9ffde178aae7d1c34bc3a1d349cb5e09f Mon Sep 17 00:00:00 2001
From: will
Date: Wed, 14 Feb 2018 17:30:46 -0500
Subject: [PATCH 11/11] fixing tests
---
 src/Core/Tool/Authorizer/UserAuthorizer.php | 2 +-
 tests/integration/users.feature | 12 ++----------
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
index 55bc604f3b..e1558b9ff8 100644
--- a/src/Core/Tool/Authorizer/UserAuthorizer.php
+++ b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -81,7 +81,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // Regular user should be able to update and read_full only self
- if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full', read])) {
+ if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full', 'read'])) {
 return true;
 }
diff --git a/tests/integration/users.feature b/tests/integration/users.feature
index d1cdc0fc66..1d2da89595 100644
--- a/tests/integration/users.feature
+++ b/tests/integration/users.feature
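Review bot: The comment above the self-check in the UserAuthorizer hunk of patch 11 still reads `update and read_full only self` although the list now also carries `'read'`; with the general read branch removed in patch 07, this is the only branch visible in these hunks that grants `read` on a user record. I would update it to `// Regular user may update, read and read_full only their own record` and make the membership test strict with `in_array($privilege, ['update', 'read_full', 'read'], true)`. Patch 10 introduced the entry as the bareword `read`, which works only through PHP 7's undefined-constant fallback and is an error on PHP 8, so a static-analysis or lint step on this directory would have caught it before the follow-up commit. isAllowed() starts and ends outside the hunk.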
@@ -158,21 +158,13 @@ Feature: Testing the Users API
 And the "email" property equals "robbie@ushahidi.com"
 Then the guzzle status code should be 200
- Scenario: Finding a User as anonymous user gives partial details
+ Scenario: Finding a User as anonymous user does not give details
 Given that I want to find a "User"
 And that its "id" is "1"
 And that the request "Authorization" header is "Bearer testanon"
 When I request "/users"
+ Then the guzzle status code should be 403
 Then the response is JSON
- And the response has a "id" property
- And the type of the "id" property is "numeric"
- And the response has a "realname" property
- And the response does not have a "email" property
- And the response does not have a "logins" property
- And the response does not have a "failed_attempts" property
- And the response does not have a "last_login" property
- And the response does not have a "last_attempt" property
- Then the guzzle status code should be 200
 Scenario: Finding a non-existent user
 Given that I want to find a "User"
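Review bot: The rewritten anonymous-user scenario asserts only the 403 status and that the body is JSON, so it would still pass if the error response carried user fields. Keeping negative assertions such as `And the response does not have a "email" property` and `And the response does not have a "realname" property` pins that nothing is returned alongside the denial. The two consecutive `Then` steps would read better as `Then the guzzle status code should be 403` followed by `And the response is JSON`. No scenario in this hunk covers a signed-in non-admin user requesting another user's record, which the authorizer change in this series also affects; the rest of the feature file is outside the hunk.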