From 2bb7f7793ee4e676a09e8f0e2bde19bd50a8f683 Mon Sep 17 00:00:00 2001 From: Michael Grauer Date: Fri, 1 Mar 2013 15:10:29 -0500 Subject: [PATCH] ENH: refs #953. created testing to fail on itemListPermissions bug. --- core/tests/databaseDataset/default.xml | 5 + .../controllers/ApiCallGroupMethodsTest.php | 104 ----------------- .../controllers/ApiCallItemMethodsTest.php | 38 +++--- .../tests/controllers/ApiCallMethodsTest.php | 108 ++++++++++++++++++ 4 files changed, 138 insertions(+), 117 deletions(-) diff --git a/core/tests/databaseDataset/default.xml b/core/tests/databaseDataset/default.xml index e01688441..fbd7bf196 100644 --- a/core/tests/databaseDataset/default.xml +++ b/core/tests/databaseDataset/default.xml @@ -168,6 +168,7 @@ + @@ -178,6 +179,10 @@ admin="0" email="community2001@admin.com" password="35fd8ba86ba403ffcc00feac5355ad20" creation="2011-01-27 12:11:02" folder_id="1006" /> + + + + diff --git a/modules/api/tests/controllers/ApiCallGroupMethodsTest.php b/modules/api/tests/controllers/ApiCallGroupMethodsTest.php index 9aa2afe3c..260e6e683 100644 --- a/modules/api/tests/controllers/ApiCallGroupMethodsTest.php +++ b/modules/api/tests/controllers/ApiCallGroupMethodsTest.php 
@@ -27,110 +27,6 @@ public function setUp()
 parent::setUp();
 }
- /**
- * helper function to test simple invalid cases:
- * will test all invalid users sending in all required valid params
- * will also test all combinations of invalid params with a valid user
- * for each required param
- * @param type $method
- * @param type $validUser
- * @param type $invalidUsers
- * @param type $requiredParams
- */
- protected function exerciseInvalidCases($method, $validUser, $invalidUsers, $requiredParams)
- {
- // test all invalid users with valid params
- foreach($invalidUsers as $invalidUser)
- {
- $this->resetAll();
- if($invalidUser != null)
- {
- $this->params['token'] = $this->_loginAsUser($invalidUser);
- }
- $this->params['method'] = $method;
- foreach($requiredParams as $requiredParam)
- {
- $this->params[$requiredParam['name']] = $requiredParam['valid'];
- }
- $resp = $this->_callJsonApi();
- $this->_assertStatusFail($resp, MIDAS_INVALID_POLICY);
- }
-
- // test valid user with all combinations of missing/invalid/valid params
- // will not test a case of valid user and all valid params
-
- $numParams = sizeof($requiredParams);
- // create an int array that is initially all 0
- $requiredParamStates = array_fill(0, $numParams, 0);
- $allTwosSum = 2 * $numParams;
-
- while(array_sum($requiredParamStates) < $allTwosSum)
- {
- $this->resetAll();
- $this->params['token'] = $this->_loginAsUser($validUser);
- $this->params['method'] = $method;
- $skipTestCase = false;
- foreach($requiredParams as $ind => $requiredParam)
- {
- // find the state corresponding to this param
- $state = $requiredParamStates[$ind];
- // 0s mean the param is missing (not sent)
- if($state == 1)
- {
- // 1s mean an invalid form of the param is sent
- if(!array_key_exists('invalid', $requiredParam))
- {
- // some params may not have an invalid form
- // skip this test case as it would repeat the case of the missing param
- $skipTestCase = true;
- break;
- }
- $this->params[$requiredParam['name']] = $requiredParam['invalid'];
- }
- elseif($state == 2)
- {
- // 2s mean a valid form of the param is sent
- $this->params[$requiredParam['name']] = $requiredParam['valid'];
- }
- elseif($state < 0 || $state > 2)
- {
- throw new Exception("left most param state is invalid value: ".$state);
- }
- }
- if(!$skipTestCase)
- {
- $resp = $this->_callJsonApi();
- $this->_assertStatusFail($resp, MIDAS_INVALID_PARAMETER);
- }
-
- // now increment the parameter states
- // add 1 to the right most value
- $incrementIndex = $numParams - 1;
- $rightMost = $requiredParamStates[$incrementIndex];
- $rightMost += 1;
- $requiredParamStates[$incrementIndex] = $rightMost;
- while($rightMost == 3)
- {
- // if the right most goes to 3, set it to 0
- // and repeat the process one index to the left, stop moving
- // to the left when the last increment doesn't go to 3,
- // i.e. there are no more carry bits
- $rightMost = 0;
- $requiredParamStates[$incrementIndex] = $rightMost;
- if($incrementIndex > 0)
- {
- $incrementIndex -= 1;
- $rightMost = $requiredParamStates[$incrementIndex];
- $rightMost += 1;
- $requiredParamStates[$incrementIndex] = $rightMost;
- }
- else
- {
- throw new Exception("left most param state is 3");
- }
- }
- }
- }
 /** Test adding and removing a user from a group */
 public function testGroupUserAddRemove()
diff --git a/modules/api/tests/controllers/ApiCallItemMethodsTest.php b/modules/api/tests/controllers/ApiCallItemMethodsTest.php
index 7d10d6ddd..d44fd2a74 100644
--- a/modules/api/tests/controllers/ApiCallItemMethodsTest.php
+++ b/modules/api/tests/controllers/ApiCallItemMethodsTest.php
@@ -1851,22 +1851,34 @@ public function testItemListPermissions()
 $readItem = $itemModel->load('1004');
 $writeItem = $itemModel->load('1005');
 $adminItem = $itemModel->load('1006');
- $nonAdmins = array($readItem, $writeItem);
 $params = array('method' => 'midas.item.list.permissions', 'token' => $this->_loginAsUser($userDao));
-
- // try to list permissions without admin, should fail
- foreach($nonAdmins as $item)
- {
- $this->resetAll();
- $params['item_id'] = $item->getItemId();
- $this->params = $params;
- $resp = $this->_callJsonApi();
- $this->_assertStatusFail($resp, MIDAS_INVALID_POLICY);
- }
-
- // now with admin perms
+ $invalidItemId = -10;
+
+ // test with item the user has admin over
+ $requiredParams = array(
+ array('name' => 'item_id', 'valid' => $adminItem->getItemId(), 'invalid' => $invalidItemId));
+
+ $memberUser = $userModel->load('4');
+ $modUser = $userModel->load('5');
+
+ // first assert that these invalid users have the expected rights
+ $this->assertFalse($itemModel->policyCheck($adminItem, null, MIDAS_POLICY_READ), 'anonymous user should not have read access to admin item');
+ $this->assertFalse($itemModel->policyCheck($adminItem, null, MIDAS_POLICY_WRITE), 'anonymous user should not have write access to admin item');
+ $this->assertFalse($itemModel->policyCheck($adminItem, null, MIDAS_POLICY_ADMIN), 'anonymous user should not have admin access to admin item');
+ $this->assertTrue($itemModel->policyCheck($adminItem, $memberUser, MIDAS_POLICY_READ), 'member user should have read access to admin item');
+ $this->assertFalse($itemModel->policyCheck($adminItem, $memberUser, MIDAS_POLICY_WRITE), 'member user should not have write access to admin item');
+ $this->assertFalse($itemModel->policyCheck($adminItem, $memberUser, MIDAS_POLICY_ADMIN), 'member user should not have admin access to admin item');
+ $this->assertTrue($itemModel->policyCheck($adminItem, $modUser, MIDAS_POLICY_READ), 'moderator user should have read access to admin item');
+ $this->assertTrue($itemModel->policyCheck($adminItem, $modUser, MIDAS_POLICY_WRITE), 'moderator user should have write access to admin item');
+ $this->assertFalse($itemModel->policyCheck($adminItem, $modUser, MIDAS_POLICY_ADMIN), 'moderator user should not have admin access to admin item');
+
+ $invalidUsers = array($memberUser, $modUser, null);
+ $this->exerciseInvalidCases($params['method'], $userDao, $invalidUsers, $requiredParams);
+
+ // now with admin perms which are valid
+ $this->assertTrue($itemModel->policyCheck($adminItem, $userDao, MIDAS_POLICY_ADMIN), 'admin user should have admin access to admin item');
 // first check both privacy statuses
 $privacyCodes = array("Public" => MIDAS_PRIVACY_PUBLIC, "Private" => MIDAS_PRIVACY_PRIVATE);
diff --git a/modules/api/tests/controllers/ApiCallMethodsTest.php b/modules/api/tests/controllers/ApiCallMethodsTest.php
index 0d6acb068..659d085d1 100644
--- a/modules/api/tests/controllers/ApiCallMethodsTest.php
+++ b/modules/api/tests/controllers/ApiCallMethodsTest.php
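Review bot: `$memberUser = $userModel->load('4')` and `$modUser = $userModel->load('5')` are used without checking that the load succeeded, and both rows are new fixture data in this same patch, so a stale dataset is a realistic failure mode. If `load` returns false or null for a missing row, `policyCheck` would presumably evaluate the user as anonymous: the `assertTrue` on read would still fail, but with a message blaming permissions rather than the fixture, the three `assertFalse` lines for that user would pass vacuously, and the `!= null` guard in `exerciseInvalidCases` would silently collapse that case into the anonymous one already in `$invalidUsers`. A guard right after each load, `$this->assertNotEmpty($memberUser, 'fixture user 4 must exist');` and the same for `$modUser`, makes a fixture problem fail for the right reason. Separately, `'invalid' => -10` exercises only a malformed id; a well-formed id of a nonexistent item is a distinct case that this data shape cannot express yet. testItemListPermissions starts before this hunk and continues after it.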
@@ -314,4 +314,112 @@ protected function assertPolicyuserNonexistence($testFolders, $testItems, $user)
 }
 }
+ /**
+ * helper function to test simple invalid cases:
+ * will test all invalid users sending in all required valid params
+ * will also test all combinations of invalid params with a valid user
+ * for each required param
+ * @param $method full name of api method
+ * @param type $validUser userDao of a user authorized to make the api call
+ * @param type $invalidUsers array of userDaos not authorized to call api
+ * @param type $requiredParams array of
+ * 'name' => name of param,
+ * 'valid' => a valid value for the param
+ * 'invalid' => an invalid value for the param, is optional
+ */
+ protected function exerciseInvalidCases($method, $validUser, $invalidUsers, $requiredParams)
+ {
+ // test all invalid users with valid params
+ foreach($invalidUsers as $invalidUser)
+ {
+ $this->resetAll();
+ if($invalidUser != null)
+ {
+ $this->params['token'] = $this->_loginAsUser($invalidUser);
+ }
+ $this->params['method'] = $method;
+ foreach($requiredParams as $requiredParam)
+ {
+ $this->params[$requiredParam['name']] = $requiredParam['valid'];
+ }
+ $resp = $this->_callJsonApi();
+ $this->_assertStatusFail($resp, MIDAS_INVALID_POLICY);
+ }
+
+ // test valid user with all combinations of missing/invalid/valid params
+ // will not test a case of valid user and all valid params
+
+ $numParams = sizeof($requiredParams);
+ // create an int array that is initially all 0
+ $requiredParamStates = array_fill(0, $numParams, 0);
+ $allTwosSum = 2 * $numParams;
+
+ while(array_sum($requiredParamStates) < $allTwosSum)
+ {
+ $this->resetAll();
+ $this->params['token'] = $this->_loginAsUser($validUser);
+ $this->params['method'] = $method;
+ $skipTestCase = false;
+ foreach($requiredParams as $ind => $requiredParam)
+ {
+ // find the state corresponding to this param
+ $state = $requiredParamStates[$ind];
+ // 0s mean the param is missing (not sent)
+ if($state == 1)
+ {
+ // 1s mean an invalid form of the param is sent
+ if(!array_key_exists('invalid', $requiredParam))
+ {
+ // some params may not have an invalid form
+ // skip this test case as it would repeat the case of the missing param
+ $skipTestCase = true;
+ break;
+ }
+ $this->params[$requiredParam['name']] = $requiredParam['invalid'];
+ }
+ elseif($state == 2)
+ {
+ // 2s mean a valid form of the param is sent
+ $this->params[$requiredParam['name']] = $requiredParam['valid'];
+ }
+ elseif($state < 0 || $state > 2)
+ {
+ throw new Exception("left most param state is invalid value: ".$state);
+ }
+ }
+ if(!$skipTestCase)
+ {
+ $resp = $this->_callJsonApi();
+ $this->_assertStatusFail($resp, MIDAS_INVALID_PARAMETER);
+ }
+
+ // now increment the parameter states
+ // add 1 to the right most value
+ $incrementIndex = $numParams - 1;
+ $rightMost = $requiredParamStates[$incrementIndex];
+ $rightMost += 1;
+ $requiredParamStates[$incrementIndex] = $rightMost;
+ while($rightMost == 3)
+ {
+ // if the right most goes to 3, set it to 0
+ // and repeat the process one index to the left, stop moving
+ // to the left when the last increment doesn't go to 3,
+ // i.e. there are no more carry bits
+ $rightMost = 0;
+ $requiredParamStates[$incrementIndex] = $rightMost;
+ if($incrementIndex > 0)
+ {
+ $incrementIndex -= 1;
+ $rightMost = $requiredParamStates[$incrementIndex];
+ $rightMost += 1;
+ $requiredParamStates[$incrementIndex] = $rightMost;
+ }
+ else
+ {
+ throw new Exception("left most param state is 3");
+ }
+ }
+ }
+ }
+
 }
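Review bot: The first loop only ever sends unauthorized callers the `'valid'` value of every parameter, so the helper never pins what the API answers when an unauthorized caller also supplies an `'invalid'` value (the item_id = -10 case that this patch's caller sets up); that is exactly where the order of policy check versus parameter validation becomes observable, and if validation runs first an unauthorized caller can tell existing ids from nonexistent ones by the error code alone. I would add a second pass inside that loop that sends each available `'invalid'` value and asserts the refusal is still `MIDAS_INVALID_POLICY`; if the API deliberately validates before authorizing, pin that code instead, but pin it either way so the ordering cannot regress unnoticed. Two smaller points: `if($invalidUser != null)` should be the strict `if($invalidUser !== null)`, and the docblock's `type` placeholders should name real types (`string $method`, `array $invalidUsers`, `array $requiredParams`, and the user DAO class for `$validUser`).
```php
      // test all invalid users with valid params
      foreach($invalidUsers as $invalidUser)
        {
        // … unchanged: login as $invalidUser (anonymous when null), set method and all 'valid' params …
        $resp = $this->_callJsonApi();
        $this->_assertStatusFail($resp, MIDAS_INVALID_POLICY);

        // same unauthorized caller, now with each available 'invalid' value in turn:
        // the refusal must still be a policy failure, not a parameter complaint
        foreach($requiredParams as $requiredParam)
          {
          if(!array_key_exists('invalid', $requiredParam))
            {
            continue;
            }
          $this->params[$requiredParam['name']] = $requiredParam['invalid'];
          $resp = $this->_callJsonApi();
          $this->_assertStatusFail($resp, MIDAS_INVALID_POLICY);
          $this->params[$requiredParam['name']] = $requiredParam['valid'];
          }
        }
```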