namespace MediaWiki\Tests\Rest\BasicAccess;
use GuzzleHttp\Psr7\Uri;
-use MediaWiki\Permissions\PermissionManager;
+use MediaWiki\MediaWikiServices;
use MediaWiki\Rest\BasicAccess\MWBasicAuthorizer;
+use MediaWiki\Rest\Handler;
use MediaWiki\Rest\RequestData;
use MediaWiki\Rest\ResponseFactory;
use MediaWiki\Rest\Router;
-use MediaWiki\User\UserIdentity;
use MediaWikiTestCase;
use User;
class MWBasicRequestAuthorizerTest extends MediaWikiTestCase {
private function createRouter( $userRights ) {
$user = User::newFromName( 'Test user' );
-
- $pm = new class( $user, $userRights ) extends PermissionManager {
- private $testUser;
- private $testUserRights;
-
- public function __construct( $user, $userRights ) {
- $this->testUser = $user;
- $this->testUserRights = $userRights;
- }
-
- public function userHasRight( UserIdentity $user, $action = '' ) {
- if ( $user === $this->testUser ) {
- return $this->testUserRights[$action] ?? false;
- }
- return parent::userHasRight( $user, $action );
- }
- };
+ // Don't allow the rights to everybody so that user rights kick in.
+ $this->mergeMwGlobalArrayValue( 'wgGroupPermissions', [ '*' => $userRights ] );
+ $this->overrideUserPermissions(
+ $user,
+ array_keys( array_filter( $userRights ), function ( $value ) {
+ return $value === true;
+ } )
+ );
global $IP;
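Review bot: The closure in the `overrideUserPermissions` call is passed as the second argument of `array_keys`, not as the callback of `array_filter`, so it never runs as a filter. `array_keys` takes it as a search value and loosely compares each remaining value to the Closure object. The list probably still comes out as the truthy keys, but only because the callback-less `array_filter` has already dropped the `false` entries. Move the parenthesis so the strict check is actually applied: `array_keys( array_filter( $userRights, function ( $value ) { return $value === true; } ) )`. This list decides which rights the test user holds, so the denial tests depend on it being built deliberately; createRouter's body continues outside the hunk.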
'/rest',
new \EmptyBagOStuff(),
new ResponseFactory(),
- new MWBasicAuthorizer( $user, $pm ) );
+ new MWBasicAuthorizer( $user, MediaWikiServices::getInstance()->getPermissionManager() ) );
}
public function testReadDenied() {
$response = $router->execute( $request );
$this->assertSame( 200, $response->getStatusCode() );
}
+
+ public static function writeHandlerFactory() {
+ return new class extends Handler {
+ public function needsWriteAccess() {
+ return true;
+ }
+
+ public function execute() {
+ return '';
+ }
+ };
+ }
+
+ public function testWriteDenied() {
+ $router = $this->createRouter( [ 'read' => true, 'writeapi' => false ] );
+ $request = new RequestData( [
+ 'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
+ ] );
+ $response = $router->execute( $request );
+ $this->assertSame( 403, $response->getStatusCode() );
+
+ $body = $response->getBody();
+ $body->rewind();
+ $data = json_decode( $body->getContents(), true );
+ $this->assertSame( 'rest-write-denied', $data['error'] );
+ }
+
+ public function testWriteAllowed() {
+ $router = $this->createRouter( [ 'read' => true, 'writeapi' => true ] );
+ $request = new RequestData( [
+ 'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
+ ] );
+ $response = $router->execute( $request );
+
+ $this->assertSame( 200, $response->getStatusCode() );
+ }
}
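Review bot: The new write tests always grant `read`, so nothing checks that a handler needing write access is still refused when `writeapi` is granted but `read` is not. A case with `[ 'read' => false, 'writeapi' => true ]` against the same `/write` route would pin that the write check cannot bypass the read check. It should expect a 403, and the error key to assert should mirror what testReadDenied expects, whose body is outside the hunk. Separately, `writeHandlerFactory()` has no docblock; a short one saying that it builds the mock handler for the `/write` test route (presumably referenced from the test route file) and that this handler requires write access would explain why it is public static.

```php
	// … unchanged: writeHandlerFactory, testWriteDenied, testWriteAllowed …

	public function testWriteRouteReadDenied() {
		// writeapi alone must not be enough: read is checked as well.
		$router = $this->createRouter( [ 'read' => false, 'writeapi' => true ] );
		$request = new RequestData( [
			'uri' => new Uri( '/rest/mock/MWBasicRequestAuthorizerTest/write' )
		] );
		$response = $router->execute( $request );

		$this->assertSame( 403, $response->getStatusCode() );
	}
```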