BookStackApp_BookStack/tests/Api/RolesApiTest.php

<?php

namespace Tests\Api;

use BookStack\Activity\ActivityType;
use BookStack\Users\Models\Role;
use BookStack\Users\Models\User;
use Tests\TestCase;

class RolesApiTest extends TestCase
{
    use TestsApi;

    protected string $baseEndpoint = '/api/roles';

    protected array $endpointMap = [
        ['get', '/api/roles'],
        ['post', '/api/roles'],
        ['get', '/api/roles/1'],
        ['put', '/api/roles/1'],
        ['delete', '/api/roles/1'],
    ];

    public function test_user_roles_manage_permission_needed_for_all_endpoints()
    {
        $this->actingAsApiEditor();
        foreach ($this->endpointMap as [$method, $uri]) {
            $resp = $this->json($method, $uri);
            $resp->assertStatus(403);
            $resp->assertJson($this->permissionErrorResponse());
        }
    }

    public function test_index_endpoint_returns_expected_role_and_count()
    {
        $this->actingAsApiAdmin();
        /** @var Role $firstRole */
        $firstRole = Role::query()->orderBy('id', 'asc')->first();

        $resp = $this->getJson($this->baseEndpoint . '?count=1&sort=+id');
        $resp->assertJson(['data' => [
            [
                'id'                => $firstRole->id,
                'display_name'      => $firstRole->display_name,
                'description'       => $firstRole->description,
                'mfa_enforced'      => $firstRole->mfa_enforced,
                'external_auth_id'  => $firstRole->external_auth_id,
                'permissions_count' => $firstRole->permissions()->count(),
                'users_count'       => $firstRole->users()->count(),
                'created_at'        => $firstRole->created_at->toJSON(),
                'updated_at'        => $firstRole->updated_at->toJSON(),
            ],
        ]]);

        $resp->assertJson(['total' => Role::query()->count()]);
    }

    public function test_create_endpoint()
    {
        $this->actingAsApiAdmin();
        /** @var Role $role */
        $role = Role::query()->first();

        $resp = $this->postJson($this->baseEndpoint, [
            'display_name' => 'My awesome role',
            'description'  => 'My great role description',
            'mfa_enforced' => true,
            'external_auth_id' => 'auth_id',
            'permissions'  => [
                'content-export',
                'page-view-all',
                'page-view-own',
                'users-manage',
            ]
        ]);

        $resp->assertStatus(200);
        $resp->assertJson([
            'display_name' => 'My awesome role',
            'description'  => 'My great role description',
            'mfa_enforced' => true,
            'external_auth_id' => 'auth_id',
            'permissions'  => [
                'content-export',
                'page-view-all',
                'page-view-own',
                'users-manage',
            ]
        ]);

        $this->assertDatabaseHas('roles', [
            'display_name' => 'My awesome role',
            'description'  => 'My great role description',
            'mfa_enforced' => true,
            'external_auth_id' => 'auth_id',
        ]);

        /** @var Role $role */
        $role = Role::query()->where('display_name', '=', 'My awesome role')->first();
        $this->assertActivityExists(ActivityType::ROLE_CREATE, null, $role->logDescriptor());
        $this->assertEquals(4, $role->permissions()->count());
    }

    public function test_create_name_and_description_validation()
    {
        $this->actingAsApiAdmin();
        /** @var User $existingUser */
        $existingUser = User::query()->first();

        $resp = $this->postJson($this->baseEndpoint, [
            'description' => 'My new role',
        ]);
        $resp->assertStatus(422);
        $resp->assertJson($this->validationResponse(['display_name' => ['The display name field is required.']]));

        $resp = $this->postJson($this->baseEndpoint, [
            'name' => 'My great role with a too long desc',
            'description' => str_repeat('My great desc', 20),
        ]);
        $resp->assertStatus(422);
        $resp->assertJson($this->validationResponse(['description' => ['The description may not be greater than 180 characters.']]));
    }

    public function test_read_endpoint()
    {
        $this->actingAsApiAdmin();
        $role = $this->users->editor()->roles()->first();
        $resp = $this->getJson($this->baseEndpoint . "/{$role->id}");

        $resp->assertStatus(200);
        $resp->assertJson([
            'display_name' => $role->display_name,
            'description'  => $role->description,
            'mfa_enforced' => $role->mfa_enforced,
            'external_auth_id' => $role->external_auth_id,
            'permissions'  => $role->permissions()->orderBy('name', 'asc')->pluck('name')->toArray(),
            'users' => $role->users()->get()->map(function (User $user) {
                return [
                    'id' => $user->id,
                    'name' => $user->name,
                    'slug' => $user->slug,
                ];
            })->toArray(),
        ]);
    }

    public function test_update_endpoint()
    {
        $this->actingAsApiAdmin();
        $role = $this->users->editor()->roles()->first();
        $resp = $this->putJson($this->baseEndpoint . "/{$role->id}", [
            'display_name' => 'My updated role',
            'description'  => 'My great role description',
            'mfa_enforced' => true,
            'external_auth_id' => 'updated_auth_id',
            'permissions'  => [
                'content-export',
                'page-view-all',
                'page-view-own',
                'users-manage',
            ]
        ]);

        $resp->assertStatus(200);
        $resp->assertJson([
            'id'           => $role->id,
            'display_name' => 'My updated role',
            'description'  => 'My great role description',
            'mfa_enforced' => true,
            'external_auth_id' => 'updated_auth_id',
            'permissions'  => [
                'content-export',
                'page-view-all',
                'page-view-own',
                'users-manage',
            ]
        ]);

        $role->refresh();
        $this->assertEquals(4, $role->permissions()->count());
        $this->assertActivityExists(ActivityType::ROLE_UPDATE);
    }

    public function test_update_endpoint_does_not_remove_info_if_not_provided()
    {
        $this->actingAsApiAdmin();
        $role = $this->users->editor()->roles()->first();
        $resp = $this->putJson($this->baseEndpoint . "/{$role->id}", []);
        $permissionCount = $role->permissions()->count();

        $resp->assertStatus(200);
        $this->assertDatabaseHas('roles', [
            'id'           => $role->id,
            'display_name' => $role->display_name,
            'description'  => $role->description,
            'external_auth_id' => $role->external_auth_id,
        ]);

        $role->refresh();
        $this->assertEquals($permissionCount, $role->permissions()->count());
    }

    public function test_delete_endpoint()
    {
        $this->actingAsApiAdmin();
        $role = $this->users->editor()->roles()->first();

        $resp = $this->deleteJson($this->baseEndpoint . "/{$role->id}");

        $resp->assertStatus(204);
        $this->assertActivityExists(ActivityType::ROLE_DELETE, null, $role->logDescriptor());
    }

    public function test_delete_endpoint_fails_deleting_system_role()
    {
        $this->actingAsApiAdmin();
        $adminRole = Role::getSystemRole('admin');

        $resp = $this->deleteJson($this->baseEndpoint . "/{$adminRole->id}");

        $resp->assertStatus(500);
        $resp->assertJson($this->errorResponse('This role is a system role and cannot be deleted', 500));
    }

    public function test_delete_endpoint_fails_deleting_default_registration_role()
    {
        $this->actingAsApiAdmin();
        $role = $this->users->attachNewRole($this->users->editor());
        $this->setSettings(['registration-role' => $role->id]);

        $resp = $this->deleteJson($this->baseEndpoint . "/{$role->id}");

        $resp->assertStatus(500);
        $resp->assertJson($this->errorResponse('This role cannot be deleted while set as the default registration role', 500));
    }
}