/tests/Functional/GraphQl/SecurityTest.php
<?php

/*
 * This file is part of the API Platform project.
 *
 * (c) Kévin Dunglas <dunglas@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

declare(strict_types=1);

namespace ApiPlatform\Tests\Functional\GraphQl;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use ApiPlatform\Tests\Fixtures\TestBundle\Document\SecuredDummy as DocumentSecuredDummy;
use ApiPlatform\Tests\Fixtures\TestBundle\Document\SecuredDummyCollection as DocumentSecuredDummyCollection;
use ApiPlatform\Tests\Fixtures\TestBundle\Entity\SecuredDummy;
use ApiPlatform\Tests\Fixtures\TestBundle\Entity\SecuredDummyCollection;
use ApiPlatform\Tests\Fixtures\TestBundle\Entity\SecuredDummyCollectionParent;
use ApiPlatform\Tests\RecreateSchemaTrait;
use ApiPlatform\Tests\SetupClassResourcesTrait;

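/**
 * Functional checks that GraphQL honours resource- and property-level security:
 * anonymous item/node queries on a secured resource are denied, an admin-only
 * mutation is rejected for a non-admin, and an owner-only property is hidden
 * from a non-owner in a collection.
 */
final class SecurityTest extends ApiTestCase
{
    use RecreateSchemaTrait;
    use SetupClassResourcesTrait;
    // NOTE(review): booting is left to the helpers used in each test (recreateSchema/createClient)
    // rather than done before every test — confirm against ApiTestCase if a test needs the kernel earlier.
    protected static ?bool $alwaysBootKernel = false;

    /**
     * Entity classes exposed to the test kernel; tests pick the document
     * variants themselves when running against MongoDB.
     *
     * @return class-string[]
     */
    public static function getResources(): array
    {
        return [SecuredDummy::class, SecuredDummyCollection::class, SecuredDummyCollectionParent::class];
    }

    /**
     * An anonymous item query on a secured resource is denied, and the denied
     * field must not carry the item next to the error entry.
     */
    public function testQueryItem(): void
    {
        $resource = $this->securedDummyClass();
        $this->recreateSchema([$resource]);
        $this->loadFixtures($resource);
        $client = self::createClient();
        $response = $client->request('POST', '/graphql', ['json' => [
            'query' => <<<QUERY
    {
      securedDummy(id: "/secured_dummies/1") {
        title
        description
      }
    }
QUERY,
        ]]);

        $d = $response->toArray();
        $this->assertSame('Access Denied.', $this->firstErrorMessage($d));
        // An error entry alone does not prove nothing leaked: the field itself has to be null.
        $this->assertNull($d['data']['securedDummy'] ?? null);
    }

    /**
     * Creating a secured dummy is admin-only; an unauthenticated mutation that
     * also tries to set adminOnlyProperty is rejected and yields no payload.
     */
    public function testCreateItemUnauthorized(): void
    {
        $resource = $this->securedDummyClass();
        $this->recreateSchema([$resource]);
        $client = self::createClient();
        $response = $client->request('POST', '/graphql', ['json' => [
            'query' => <<<QUERY
mutation {
    createSecuredDummy(input: {owner: "me", title: "Hi", description: "Desc", adminOnlyProperty: "secret", clientMutationId: "auth"}) {
        securedDummy {
            title
            owner
        }
    }
}
QUERY,
        ]]);

        $d = $response->toArray();
        $this->assertSame('Only admins can create a secured dummy.', $this->firstErrorMessage($d));
        // The mutation payload must be absent/null when creation was refused.
        $this->assertNull($d['data']['createSecuredDummy'] ?? null);
    }

    /**
     * The Relay "node" entry point must apply the same resource security as
     * the dedicated item query.
     */
    public function testQueryItemWithNode(): void
    {
        $resource = $this->securedDummyClass();
        $this->recreateSchema([$resource]);
        $this->loadFixtures($resource);
        $client = self::createClient();
        $response = $client->request('POST', '/graphql', ['json' => [
            'query' => <<<QUERY
    {
      node(id: "/secured_dummies/1") {
        ... on SecuredDummy {
            title
        }
      }
    }
QUERY,
        ]]);

        $d = $response->toArray();
        $this->assertSame('Access Denied.', $this->firstErrorMessage($d));
        $this->assertNull($d['data']['node'] ?? null);
    }

    /**
     * Persists one secured dummy owned by "user1" that carries every restricted
     * property, so a leak of any of them in a response is observable.
     *
     * @param class-string $resourceClass SecuredDummy entity or document class
     */
    public function loadFixtures(string $resourceClass): void
    {
        $manager = $this->fixtureManager();

        $s = new $resourceClass();
        $s->setTitle('Secured Dummy 1');
        $s->setDescription('Description 1');
        $s->setAdminOnlyProperty('admin secret');
        $s->setOwnerOnlyProperty('owner secret');
        $s->setAttributeBasedProperty('attribute based secret');
        $s->setOwner('user1');

        $manager->persist($s);
        $manager->flush();
    }

    /**
     * Authenticated as "dunglas", an owner-only property of a row owned by
     * "admin" must be returned as null inside a nested collection.
     */
    public function testQueryCollection(): void
    {
        $resource = $this->securedDummyCollectionClass();
        $this->recreateSchema([$resource, $resource.'Parent']);
        $this->loadFixturesQueryCollection($resource);
        $client = self::createClient();

        // Test-only Basic credentials of the fixture user "dunglas".
        $response = $client->request('POST', '/graphql', ['headers' => ['Authorization' => 'Basic ZHVuZ2xhczprZXZpbg=='], 'json' => [
            'query' => <<<QUERY
    {
        securedDummyCollectionParents {
            edges {
              node {
               child {
                  title, ownerOnlyProperty, owner
                }
              }
            }
        }
    }
QUERY,
        ]]);

        $d = $response->toArray();
        // edges[1] is the second fixture row ("Bar", owned by "admin") — assumes the
        // collection is returned in insertion order; confirm if this becomes flaky.
        $this->assertNull($d['data']['securedDummyCollectionParents']['edges'][1]['node']['child']['ownerOnlyProperty']);
    }

    /**
     * Persists four child rows with alternating owners ("dunglas", "admin"),
     * each wrapped in a parent, so a non-owner must see ownerOnlyProperty as
     * null on every other row.
     *
     * @param class-string $resourceClass SecuredDummyCollection entity or document class;
     *                                    the parent class is derived by appending "Parent"
     */
    public function loadFixturesQueryCollection(string $resourceClass): void
    {
        $parentResourceClass = $resourceClass.'Parent';
        $manager = $this->fixtureManager();

        // [title, ownerOnlyProperty, owner], persisted in this order.
        $rows = [
            ['Foo', 'Foo by dunglas', 'dunglas'],
            ['Bar', 'Bar by admin', 'admin'],
            ['Baz', 'Baz by dunglas', 'dunglas'],
            ['Bat', 'Bat by admin', 'admin'],
        ];

        foreach ($rows as [$title, $ownerOnlyProperty, $owner]) {
            $s = new $resourceClass();
            $s->title = $title;
            $s->ownerOnlyProperty = $ownerOnlyProperty;
            $s->owner = $owner;
            $manager->persist($s);

            $p = new $parentResourceClass();
            $p->child = $s;
            $manager->persist($p);
        }

        $manager->flush();
    }

    /**
     * Secured dummy class for the active backend (ODM document under MongoDB, ORM entity otherwise).
     *
     * @return class-string
     */
    private function securedDummyClass(): string
    {
        return $this->isMongoDB() ? DocumentSecuredDummy::class : SecuredDummy::class;
    }

    /**
     * Secured dummy collection class for the active backend.
     *
     * @return class-string
     */
    private function securedDummyCollectionClass(): string
    {
        return $this->isMongoDB() ? DocumentSecuredDummyCollection::class : SecuredDummyCollection::class;
    }

    /**
     * First GraphQL error message of a decoded response. Fails with an explicit
     * assertion (instead of an undefined-index error) when the response carries
     * no errors, i.e. when the security layer did not fire at all.
     *
     * @param array<string, mixed> $payload decoded JSON response
     */
    private function firstErrorMessage(array $payload): string
    {
        $this->assertArrayHasKey('errors', $payload, 'Expected the request to be rejected, but the response has no "errors" entry.');
        $this->assertNotEmpty($payload['errors']);

        return (string) $payload['errors'][0]['message'];
    }

    /**
     * Object manager of the active Doctrine backend ("doctrine_mongodb" under
     * MongoDB, "doctrine" otherwise).
     * NOTE(review): relies on the kernel having been booted by recreateSchema() earlier in the test — confirm.
     */
    private function fixtureManager(): object
    {
        $container = static::$kernel->getContainer();
        $registry = $this->isMongoDB() ? $container->get('doctrine_mongodb') : $container->get('doctrine');

        return $registry->getManager();
    }
}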