This is an automated email from the ASF dual-hosted git repository.

enorman pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-launchpad-integration-tests.git


The following commit(s) were added to refs/heads/master by this push:
     new a65f6db  SLING-7886 AuthorizablePrivilegesInfo returns incorrect 
information for non-admin user who has been granted sufficient privileges to do 
User/Group Management activites SLING-7887 The CreateUserServlet should allow 
non-admin users to create a user if sufficient privileges have been granted
a65f6db is described below

commit a65f6db6734fc04f288e307fc94c863ca1e69ee1
Author: Eric Norman <[email protected]>
AuthorDate: Thu Sep 6 22:34:16 2018 -0700

    SLING-7886 AuthorizablePrivilegesInfo returns incorrect information for
    non-admin user who has been granted sufficient privileges to do
    User/Group Management activities
    SLING-7887 The CreateUserServlet should allow non-admin users to create
    a user if sufficient privileges have been granted
---
 .../userManager/CreateGroupTest.java               |  49 ++++++
 .../userManager/CreateUserTest.java                |  60 +++++++
 .../userManager/RemoveAuthorizablesTest.java       |  97 +++++++++++
 .../userManager/UpdateGroupTest.java               | 139 ++++++++++++++++
 .../userManager/UpdateUserTest.java                |  66 ++++++++
 .../userManager/UserManagerTestUtil.java           |  22 +++
 .../userManager/UserPrivilegesInfoTest.java        | 180 ++++++++++++++++++++-
 7 files changed, 605 insertions(+), 8 deletions(-)

diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateGroupTest.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateGroupTest.java
index dcb2eb6..7f261b6 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateGroupTest.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateGroupTest.java
@@ -37,7 +37,9 @@ import 
org.apache.sling.launchpad.webapp.integrationtest.util.JsonUtil;
 public class CreateGroupTest extends UserManagerTestUtil {
     private static Random random = new Random(System.currentTimeMillis());
 
+       String testUserId = null;
        String testGroupId = null;
+       String testGroupId2 = null;
 
        @Override
        public void tearDown() throws Exception {
@@ -47,6 +49,18 @@ public class CreateGroupTest extends UserManagerTestUtil {
                        List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
                        assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
                }
+               if (testGroupId2 != null) {
+                       //remove the test group if it exists.
+                       String postUrl = HTTP_BASE_URL + 
"/system/userManager/group/" + testGroupId2 + ".delete.html";
+                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+                       assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               }
+               if (testUserId != null) {
+                       //remove the test user if it exists.
+                       String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId + ".delete.html";
+                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+                       assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               }
 
                super.tearDown();
        }
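Review bot: The new cleanup branch for testUserId builds its URL from `HttpTest.HTTP_BASE_URL` while the two group branches directly above it use the inherited `HTTP_BASE_URL`; the three blocks are otherwise copies of each other, so the qualifier should be made consistent, `String postUrl = HTTP_BASE_URL + "/system/userManager/user/" + testUserId + ".delete.html";`. If more fields get added later, a small `deleteAuthorizableAsAdmin(String path)` helper in UserManagerTestUtil would avoid the third copy of the same three lines.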
@@ -69,6 +83,41 @@ public class CreateGroupTest extends UserManagerTestUtil {
                assertEquals(testGroupId, jsonObj.getString("marker"));
        }
 
+       public void testNotAuthorizedCreateGroup() throws IOException, 
JsonException {
+               testUserId = createTestUser();
+        String postUrl = HTTP_BASE_URL + 
"/system/userManager/group.create.html";
+
+               Credentials creds = new UsernamePasswordCredentials(testUserId, 
"testPwd");
+
+               String testGroupId2 = "testGroup" + random.nextInt();
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair(":name", testGroupId2));
+               postParams.add(new NameValuePair("marker", testGroupId2));
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);
+       }
+
+       public void testAuthorizedCreateGroup() throws IOException, 
JsonException {
+               testUserId = createTestUser();
+               grantUserManagementRights(testUserId);
+               
+        String postUrl = HTTP_BASE_URL + 
"/system/userManager/group.create.html";
+
+               Credentials creds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               testGroupId = "testGroup" + random.nextInt();
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair(":name", testGroupId));
+               postParams.add(new NameValuePair("marker", testGroupId));
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+               //fetch the group profile json to verify the settings
+               String getUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
testGroupId + ".json";
+               String json = getAuthenticatedContent(creds, getUrl, 
CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               JsonObject jsonObj = JsonUtil.parseObject(json);
+               assertEquals(testGroupId, jsonObj.getString("marker"));
+       }
+
        /**
         * Test for SLING-7831
         */
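Review bot: testAuthorizedCreateGroup grants user-management rights to testUserId and then posts as `new UsernamePasswordCredentials("admin", "admin")`, so it never exercises the granted non-admin principal it is named for and merely repeats the existing admin create test; the credentials should be `new UsernamePasswordCredentials(testUserId, "testPwd")`, as the sibling tests in CreateUserTest do. In testNotAuthorizedCreateGroup, `String testGroupId2 = "testGroup" + random.nextInt();` declares a local that shadows the field added in the first hunk, so the new tearDown branch for testGroupId2 can never run; dropping the `String` so the field is assigned lets tearDown remove the group should the server wrongly create it. The unauthorized case expects SC_INTERNAL_SERVER_ERROR rather than a 403; if that is the servlet's established behaviour a one-line comment saying so would spare the next reader the question.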
diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateUserTest.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateUserTest.java
index 7a50492..85038c1 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateUserTest.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/CreateUserTest.java
@@ -44,6 +44,7 @@ import org.junit.Test;
 public class CreateUserTest {
     private static Random random = new Random(System.currentTimeMillis());
     private String testUserId;
+    private String testUserId2;
     
     private final UserManagerTestUtil H = new UserManagerTestUtil(); 
 
@@ -60,6 +61,12 @@ public class CreateUserTest {
                        List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
                        H.assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
                }
+               if (testUserId2 != null) {
+                       //remove the test user if it exists.
+                       String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId2 + ".delete.html";
+                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+                       H.assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               }
                H.tearDown();
        }
 
@@ -107,6 +114,59 @@ public class CreateUserTest {
        }
 
        @Test 
+       public void testNotAuthorizedCreateUser() throws IOException, 
JsonException {
+               testUserId2 = H.createTestUser();
+               
+           String testUserId3 = "testUser" + random.nextInt() + 
System.currentTimeMillis();
+        String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user.create.html";
+               final List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair(":name", testUserId3));
+               postParams.add(new NameValuePair("marker", testUserId3));
+               postParams.add(new NameValuePair("pwd", "testPwd"));
+               postParams.add(new NameValuePair("pwdConfirm", "testPwd"));
+               final Credentials creds = new 
UsernamePasswordCredentials(testUserId2, "testPwd");
+               H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);
+       }
+
+       @Test 
+       public void testAuthorizedCreateUser() throws IOException, 
JsonException {
+               testUserId2 = H.createTestUser();
+               H.grantUserManagementRights(testUserId2);
+               
+           testUserId = "testUser" + random.nextInt() + 
System.currentTimeMillis();
+        String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user.create.html";
+               final List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair(":name", testUserId));
+               postParams.add(new NameValuePair("marker", testUserId));
+               postParams.add(new NameValuePair("pwd", "testPwd"));
+               postParams.add(new NameValuePair("pwdConfirm", "testPwd"));
+               final Credentials creds = new 
UsernamePasswordCredentials(testUserId2, "testPwd");
+               H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+               {
+               // fetch the user profile json to verify the settings
+               final String getUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId + ".json";
+               final String json = H.getAuthenticatedContent(creds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               final JsonObject jsonObj = JsonUtil.parseObject(json);
+               assertEquals(testUserId, jsonObj.getString("marker"));
+               assertFalse(jsonObj.containsKey(":name"));
+               assertFalse(jsonObj.containsKey("pwd"));
+               assertFalse(jsonObj.containsKey("pwdConfirm"));
+               }
+               
+        {
+            // fetch the session info to verify that the user can log in
+            final Credentials newUserCreds = new 
UsernamePasswordCredentials(testUserId, "testPwd");
+            final String getUrl = HttpTest.HTTP_BASE_URL + 
"/system/sling/info.sessionInfo.json";
+            final String json = H.getAuthenticatedContent(newUserCreds, 
getUrl, HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+            assertNotNull(json);
+            final JsonObject jsonObj = JsonUtil.parseObject(json);
+            assertEquals(testUserId, jsonObj.getString("userID"));
+        }
+       }
+
+       @Test 
        public void testCreateUserMissingUserId() throws IOException {
         String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user.create.html";
 
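Review bot: testNotAuthorizedCreateUser asserts only the POST status and never checks that the user named testUserId3 was not created, so a servlet that created the user and then failed, or returned 500 for an unrelated reason, would pass. After the POST, verify as admin that the account is absent, `H.assertAuthenticatedHttpStatus(new UsernamePasswordCredentials("admin", "admin"), HttpTest.HTTP_BASE_URL + "/system/userManager/user/" + testUserId3 + ".json", HttpServletResponse.SC_NOT_FOUND, null);`. Because testUserId3 is a local, tearDown also cannot remove the account if it does get created; assigning the name to the existing `testUserId` field instead covers that failure path with the cleanup already in place.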
diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/RemoveAuthorizablesTest.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/RemoveAuthorizablesTest.java
index de29bd3..4524bda 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/RemoveAuthorizablesTest.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/RemoveAuthorizablesTest.java
@@ -34,6 +34,23 @@ import 
org.apache.sling.launchpad.webapp.integrationtest.util.JsonUtil;
  * Tests for the 'removeAuthorizable' Sling Post Operation
  */
 public class RemoveAuthorizablesTest extends UserManagerTestUtil {
+    private String testUserId2;
+
+    
+       /* (non-Javadoc)
+        * @see org.apache.sling.commons.testing.integration.HttpTest#tearDown()
+        */
+       @Override
+       public void tearDown() throws Exception {
+               if (testUserId2 != null) {
+                       //remove the test user if it exists.
+                       String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId2 + ".delete.html";
+                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+                       assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               }
+
+               super.tearDown();
+       }
 
        public void testRemoveUser() throws IOException {
                String userId = createTestUser();
@@ -51,6 +68,46 @@ public class RemoveAuthorizablesTest extends 
UserManagerTestUtil {
                assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_NOT_FOUND, null); //make sure the profile request 
returns some data
        }
 
+       public void testNotAuthorizedRemoveUser() throws IOException {
+               //a user who is not authorized to do the action
+               testUserId2 = createTestUser();
+
+               String userId = createTestUser();
+               
+        Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+
+               String getUrl = HTTP_BASE_URL + "/system/userManager/user/" + 
userId + ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+
+        Credentials creds2 = new UsernamePasswordCredentials(testUserId2, 
"testPwd");
+               String postUrl = HTTP_BASE_URL + "/system/userManager/user/" + 
userId + ".delete.html";
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               assertAuthenticatedPostStatus(creds2, postUrl, 
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);
+               
+               getUrl = HTTP_BASE_URL + "/system/userManager/user/" + userId + 
".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+       }
+
+       public void testAuthorizedRemoveUser() throws IOException {
+               //a user who is authorized to do the action
+               testUserId2 = createTestUser();
+               grantUserManagementRights(testUserId2);
+
+               String userId = createTestUser();
+               
+        Credentials creds = new UsernamePasswordCredentials(testUserId2, 
"testPwd");
+
+               String getUrl = HTTP_BASE_URL + "/system/userManager/user/" + 
userId + ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+
+               String postUrl = HTTP_BASE_URL + "/system/userManager/user/" + 
userId + ".delete.html";
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               
+               getUrl = HTTP_BASE_URL + "/system/userManager/user/" + userId + 
".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_NOT_FOUND, null); //make sure the profile request 
returns some data
+       }
+
        /**
         * Test for SLING-7831
         */
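Review bot: In testNotAuthorizedRemoveUser the account created as `String userId = createTestUser();` is never deleted: the delete as testUserId2 is expected to fail and `userId` is a local that tearDown does not know about, so the user outlives every run; `groupId` in testNotAuthorizedRemoveGroup in the next hunk has the same problem. Store them in fields (a `testUserId` and `testGroupId`) that tearDown removes as admin alongside testUserId2. The trailing comment `//make sure the profile request returns some data` on the SC_NOT_FOUND assertions at the end of testAuthorizedRemoveUser and testAuthorizedRemoveGroup was copied from the positive case and says the opposite of what is asserted; `//make sure the authorizable is gone` would match.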
@@ -82,6 +139,46 @@ public class RemoveAuthorizablesTest extends 
UserManagerTestUtil {
                assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_NOT_FOUND, null); //make sure the profile request 
returns some data
        }
 
+       public void testNotAuthorizedRemoveGroup() throws IOException {
+               //a user who is not authorized to do the action
+               testUserId2 = createTestUser();
+
+               String groupId = createTestGroup();
+               
+        Credentials creds = new UsernamePasswordCredentials("admin", "admin");
+
+               String getUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
groupId + ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+
+        Credentials creds2 = new UsernamePasswordCredentials(testUserId2, 
"testPwd");
+               String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
groupId + ".delete.html";
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               assertAuthenticatedPostStatus(creds2, postUrl, 
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);
+               
+               getUrl = HTTP_BASE_URL + "/system/userManager/group/" + groupId 
+ ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+       }
+
+       public void testAuthorizedRemoveGroup() throws IOException {
+               //a user who is authorized to do the action
+               testUserId2 = createTestUser();
+               grantUserManagementRights(testUserId2);
+
+               String groupId = createTestGroup();
+               
+        Credentials creds = new UsernamePasswordCredentials(testUserId2, 
"testPwd");
+
+               String getUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
groupId + ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+
+               String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
groupId + ".delete.html";
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               
+               getUrl = HTTP_BASE_URL + "/system/userManager/group/" + groupId 
+ ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_NOT_FOUND, null); //make sure the profile request 
returns some data
+       }
+
        /**
         * Test for SLING-7831
         */
diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateGroupTest.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateGroupTest.java
index 45da8e9..72a01c3 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateGroupTest.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateGroupTest.java
@@ -40,6 +40,7 @@ public class UpdateGroupTest extends UserManagerTestUtil {
        String testGroupId = null;
 
        String testUserId = null;
+       String testUserId2 = null;
 
        @Override
        public void tearDown() throws Exception {
@@ -49,6 +50,12 @@ public class UpdateGroupTest extends UserManagerTestUtil {
             List<NameValuePair> postParams = new ArrayList<NameValuePair>();
             assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
         }
+        if (testUserId2 != null) {
+            //remove the test user if it exists.
+            String postUrl = HTTP_BASE_URL + "/system/userManager/user/" + 
testUserId2 + ".delete.html";
+            List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+            assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+        }
 
                if (testGroupId != null) {
                        //remove the test group if it exists.
@@ -82,6 +89,48 @@ public class UpdateGroupTest extends UserManagerTestUtil {
                assertEquals("http://www.apache.org/updated";, 
jsonObj.getString("url"));
        }
 
+       public void testNotAuthorizedUpdateGroup() throws IOException, 
JsonException {
+               //a user who is not authorized to do the action
+               testUserId2 = createTestUser();
+
+               testGroupId = createTestGroup();
+
+        String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
testGroupId + ".update.html";
+
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair("displayName", "My Updated 
Test Group"));
+               postParams.add(new NameValuePair("url", 
"http://www.apache.org/updated";));
+
+               Credentials creds = new 
UsernamePasswordCredentials(testUserId2, "testPwd");
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);
+       }
+
+       public void testAuthorizedUpdateGroup() throws IOException, 
JsonException {
+               //a user who is authorized to do the action
+               testUserId2 = createTestUser();
+               grantUserManagementRights(testUserId2);
+
+               testGroupId = createTestGroup();
+
+        String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
testGroupId + ".update.html";
+
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair("displayName", "My Updated 
Test Group"));
+               postParams.add(new NameValuePair("url", 
"http://www.apache.org/updated";));
+
+               Credentials creds = new 
UsernamePasswordCredentials(testUserId2, "testPwd");
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+               //fetch the user profile json to verify the settings
+               String getUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
testGroupId + ".json";
+               assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+               String json = getAuthenticatedContent(creds, getUrl, 
CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               JsonObject jsonObj = JsonUtil.parseObject(json);
+               assertEquals("My Updated Test Group", 
jsonObj.getString("displayName"));
+               assertEquals("http://www.apache.org/updated";, 
jsonObj.getString("url"));
+       }
+       
        /**
         * Test for SLING-7831
         */
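Review bot: testNotAuthorizedUpdateGroup stops at the SC_INTERNAL_SERVER_ERROR assertion and does not verify that the group was left untouched, so a failure that occurs after the properties were written would go unnoticed. Re-read the group as admin and assert the update was not applied, e.g. `String json = getAuthenticatedContent(new UsernamePasswordCredentials("admin", "admin"), HTTP_BASE_URL + "/system/userManager/group/" + testGroupId + ".json", CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);` followed by `assertFalse("My Updated Test Group".equals(JsonUtil.parseObject(json).getString("displayName", null)));` — the two-argument getString assumes the javax.json JsonObject that the containsKey calls elsewhere on this page suggest, so confirm. Reading through admin rather than testUserId2 keeps a read denial for the unprivileged principal from being mistaken for the update denial under test.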
@@ -140,6 +189,96 @@ public class UpdateGroupTest extends UserManagerTestUtil {
 
        }
 
+       public void testNotAuthorizedUpdateGroupMembers() throws IOException, 
JsonException {
+               //a user who is authorized to do the action
+               testUserId2 = createTestUser();
+               grantUserManagementRights(testUserId2);
+               
+               testGroupId = createTestGroup();
+               testUserId = createTestUser();
+
+        Credentials creds = new UsernamePasswordCredentials(testUserId2, 
"testPwd");
+
+               // verify that the members array exists, but is empty
+               JsonArray members = getTestGroupMembers(creds);
+        assertEquals(0, members.size());
+
+        JsonArray memberships = getTestUserMemberships(creds);
+        assertEquals(0, memberships.size());
+
+        String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
testGroupId + ".update.html";
+
+        // add a group member
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair(":member", testUserId));
+        assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+        members = getTestGroupMembers(creds);
+        assertEquals(1, members.size());
+        assertEquals("/system/userManager/user/" + testUserId, 
members.getString(0));
+
+        memberships = getTestUserMemberships(creds);
+        assertEquals(1, memberships.size());
+        assertEquals("/system/userManager/group/" + testGroupId, 
memberships.getString(0));
+
+        // delete a group member
+               postParams.clear();
+               postParams.add(new NameValuePair(":member@Delete", testUserId));
+        assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+        members = getTestGroupMembers(creds);
+        assertEquals(0, members.size());
+
+        memberships = getTestUserMemberships(creds);
+        assertEquals(0, memberships.size());
+
+       }
+
+       public void testAuthorizedUpdateGroupMembers() throws IOException, 
JsonException {
+               //a user who is authorized to do the action
+               testUserId2 = createTestUser();
+               grantUserManagementRights(testUserId2);
+
+               testGroupId = createTestGroup();
+               testUserId = createTestUser();
+
+        Credentials creds = new UsernamePasswordCredentials(testUserId2, 
"testPwd");
+
+               // verify that the members array exists, but is empty
+               JsonArray members = getTestGroupMembers(creds);
+        assertEquals(0, members.size());
+
+        JsonArray memberships = getTestUserMemberships(creds);
+        assertEquals(0, memberships.size());
+
+        String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + 
testGroupId + ".update.html";
+
+        // add a group member
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair(":member", testUserId));
+        assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+        members = getTestGroupMembers(creds);
+        assertEquals(1, members.size());
+        assertEquals("/system/userManager/user/" + testUserId, 
members.getString(0));
+
+        memberships = getTestUserMemberships(creds);
+        assertEquals(1, memberships.size());
+        assertEquals("/system/userManager/group/" + testGroupId, 
memberships.getString(0));
+
+        // delete a group member
+               postParams.clear();
+               postParams.add(new NameValuePair(":member@Delete", testUserId));
+        assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+
+        members = getTestGroupMembers(creds);
+        assertEquals(0, members.size());
+
+        memberships = getTestUserMemberships(creds);
+        assertEquals(0, memberships.size());
+
+       }
+       
        JsonArray getTestUserMemberships(Credentials creds) throws IOException, 
JsonException {
            String getUrl = HTTP_BASE_URL + "/system/userManager/user/" + 
testUserId + ".json";
         assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
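Review bot: testNotAuthorizedUpdateGroupMembers does not test the unauthorized case: it calls `grantUserManagementRights(testUserId2)`, expects SC_OK on the member update and is otherwise identical to testAuthorizedUpdateGroupMembers, and its leading comment even says "a user who is authorized to do the action". The grant should be dropped, the POST should expect SC_INTERNAL_SERVER_ERROR like the other testNotAuthorized* tests in this commit, and the member and membership reads afterwards should show the group still empty. Whether the unprivileged principal can read the group and user JSON at all is not visible here, so the rewrite below verifies state through admin credentials; getTestUserMemberships, whose body continues past the end of this hunk, is called unchanged.
```java
public void testNotAuthorizedUpdateGroupMembers() throws IOException, JsonException {
    //a user who is NOT authorized to do the action
    testUserId2 = createTestUser();

    testGroupId = createTestGroup();
    testUserId = createTestUser();

    Credentials creds = new UsernamePasswordCredentials(testUserId2, "testPwd");
    // state is read as admin so a read denial is not mistaken for the update denial under test
    Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");

    // verify that the members array exists, but is empty
    assertEquals(0, getTestGroupMembers(adminCreds).size());
    assertEquals(0, getTestUserMemberships(adminCreds).size());

    String postUrl = HTTP_BASE_URL + "/system/userManager/group/" + testGroupId + ".update.html";

    // attempt to add a group member without user management rights
    List<NameValuePair> postParams = new ArrayList<NameValuePair>();
    postParams.add(new NameValuePair(":member", testUserId));
    assertAuthenticatedPostStatus(creds, postUrl, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);

    // membership must be unchanged
    assertEquals(0, getTestGroupMembers(adminCreds).size());
    assertEquals(0, getTestUserMemberships(adminCreds).size());
}
```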
diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateUserTest.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateUserTest.java
index 1dc50cd..7e1d630 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateUserTest.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UpdateUserTest.java
@@ -45,6 +45,7 @@ import org.junit.Test;
 public class UpdateUserTest {
 
        String testUserId = null;
+       String testUserId2 = null;
        private final UserManagerTestUtil H = new UserManagerTestUtil();
        
     @Before
@@ -60,6 +61,12 @@ public class UpdateUserTest {
                        List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
                        H.assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
                }
+               if (testUserId2 != null) {
+                       //remove the test user if it exists.
+                       String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId2 + ".delete.html";
+                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+                       H.assertAuthenticatedAdminPostStatus(postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               }
 
                H.tearDown();
        }
@@ -97,6 +104,65 @@ public class UpdateUserTest {
         assertEquals("value", jsonObj.getString("param"));
        }
 
+       @Test 
+       public void testNotAuthorizedUpdateUser() throws IOException, 
JsonException {
+               //a user who is not authorized to do the action
+               testUserId2 = H.createTestUser();
+
+               testUserId = H.createTestUser();
+               
+        String postUrl = HttpTest.HTTP_BASE_URL + "/system/userManager/user/" 
+ testUserId + ".update.html";
+
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair("displayName", "My Updated 
Test User"));
+               postParams.add(new NameValuePair("url", 
"http://www.apache.org/updated";));
+               // add nested param (SLING-6747)
+               postParams.add(new NameValuePair("nested/param", "value"));
+               Credentials creds = new 
UsernamePasswordCredentials(testUserId2, "testPwd");
+               H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, postParams, null);
+               
+               //fetch the user profile json to verify the settings
+               String getUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId + ".json";
+               H.assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_NOT_FOUND, null); //make sure the profile request is not 
there
+       }
+
+       @Test 
+       public void testAuthorizedUpdateUser() throws IOException, 
JsonException {
+               //a user who is authorized to do the action
+               testUserId2 = H.createTestUser();
+               H.grantUserManagementRights(testUserId2);
+
+               testUserId = H.createTestUser();
+               
+        String postUrl = HttpTest.HTTP_BASE_URL + "/system/userManager/user/" 
+ testUserId + ".update.html";
+
+               List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair("displayName", "My Updated 
Test User"));
+               postParams.add(new NameValuePair("url", 
"http://www.apache.org/updated";));
+               // add nested param (SLING-6747)
+               postParams.add(new NameValuePair("nested/param", "value"));
+               Credentials creds = new 
UsernamePasswordCredentials(testUserId2, "testPwd");
+               H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               
+               //fetch the user profile json to verify the settings
+               String getUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId + ".json";
+               H.assertAuthenticatedHttpStatus(creds, getUrl, 
HttpServletResponse.SC_OK, null); //make sure the profile request returns some 
data
+               String json = H.getAuthenticatedContent(creds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               JsonObject jsonObj = JsonUtil.parseObject(json);
+               assertEquals("My Updated Test User", 
jsonObj.getString("displayName"));
+               assertEquals("http://www.apache.org/updated";, 
jsonObj.getString("url"));
+               // get path (SLING-6753)
+               String path = jsonObj.getString("path");
+               assertNotNull(path);
+               // retrieve nested property via regular GET servlet
+               getUrl = HttpTest.HTTP_BASE_URL + path + "/nested.json";
+               json = H.getAuthenticatedContent(creds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+        assertNotNull(json);
+        jsonObj = JsonUtil.parseObject(json);
+        assertEquals("value", jsonObj.getString("param"));
+       }
+       
        /**
         * Test for SLING-7831
         */
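Review bot: The closing assertion of testNotAuthorizedUpdateUser (SC_NOT_FOUND on the profile fetched as testUserId2) checks that the unprivileged user cannot read testUserId's profile, not that the rejected update left it unchanged — the account was created a few lines earlier and does exist, so the comment `//make sure the profile request is not there` is misleading. Fetch the profile as admin instead and assert the update was not applied, e.g. `String json = H.getAuthenticatedContent(new UsernamePasswordCredentials("admin", "admin"), getUrl, HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);` followed by `assertFalse("My Updated Test User".equals(JsonUtil.parseObject(json).getString("displayName", null)));` (the two-argument getString assumes the javax.json JsonObject that the containsKey calls elsewhere on this page suggest). If the 404 check is kept as well, reword its comment to `//an unprivileged user cannot read another user's profile` so the two checks are not confused.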
diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserManagerTestUtil.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserManagerTestUtil.java
index d6d9110..796f423 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserManagerTestUtil.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserManagerTestUtil.java
@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.httpclient.Credentials;
 import org.apache.commons.httpclient.NameValuePair;
 import org.apache.commons.httpclient.UsernamePasswordCredentials;
+import org.apache.sling.commons.testing.integration.HttpTest;
 import org.apache.sling.launchpad.webapp.integrationtest.AuthenticatedTestUtil;
 
 /**
@@ -82,4 +83,25 @@ public class UserManagerTestUtil extends 
AuthenticatedTestUtil {
                addUserToGroup(testUserId, "GroupAdmin");
        }
        
+       /**
+        * Grant the minimum privilges neede for oak User Management
+        * 
+        * @param principalId the principal
+        */
+       public void grantUserManagementRights(String principalId) throws 
IOException {
+        String postUrl = HttpTest.HTTP_BASE_URL + "/home.modifyAce.html";
+
+        List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair("principalId", principalId));
+               postParams.add(new NameValuePair("privilege@jcr:read", 
"granted"));
+               postParams.add(new NameValuePair("privilege@rep:write", 
"granted"));
+               postParams.add(new 
NameValuePair("privilege@jcr:readAccessControl", "granted"));
+               postParams.add(new 
NameValuePair("privilege@jcr:modifyAccessControl", "granted"));
+               postParams.add(new 
NameValuePair("privilege@rep:userManagement", "granted"));
+               
+               Credentials creds = new UsernamePasswordCredentials("admin", 
"admin");
+        final String info = "Granting principal " + principalId + " user 
management rights via " + postUrl;
+               assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, info);
+       }
+       
 }
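Review bot: The Javadoc on grantUserManagementRights has two typos and omits the thrown exception; suggest `Grant the minimum privileges needed for Oak user management to the given principal, as admin, via an ACE on /home.` with `@param principalId the principal to grant to` and `@throws IOException if the POST fails`. The helper has no counterpart that revokes the ACE, and the teardown code in this commit only deletes the test user, so whether an entry for the removed principal remains on /home depends on how the repository handles ACEs of deleted authorizables. Granting rep:write and jcr:modifyAccessControl on /home is a broad fixture grant; the "minimum" wording should be checked against what the servlets under test actually require.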
diff --git 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserPrivilegesInfoTest.java
 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserPrivilegesInfoTest.java
index 35b8976..05e7589 100644
--- 
a/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserPrivilegesInfoTest.java
+++ 
b/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/userManager/UserPrivilegesInfoTest.java
@@ -18,6 +18,7 @@ package 
org.apache.sling.launchpad.webapp.integrationtest.userManager;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -41,8 +42,8 @@ public class UserPrivilegesInfoTest {
        
        String testUserId = null;
        String testUserId2 = null;
+       String testUserId3 = null;
        String testGroupId = null;
-       String testFolderUrl = null;
     Set<String> toDelete = new HashSet<String>();
        
     private final UserManagerTestUtil H = new UserManagerTestUtil();
@@ -65,13 +66,6 @@ public class UserPrivilegesInfoTest {
 
                Credentials creds = new UsernamePasswordCredentials("admin", 
"admin");
 
-               if (testFolderUrl != null) {
-                       //remove the test user if it exists.
-                       String postUrl = testFolderUrl;
-                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
-                       postParams.add(new NameValuePair(":operation", 
"delete"));
-                       H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
-               }
                if (testGroupId != null) {
                        //remove the test user if it exists.
                        String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/group/" + testGroupId + ".delete.html";
@@ -90,12 +84,32 @@ public class UserPrivilegesInfoTest {
                        List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
                        H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
                }
+               if (testUserId3 != null) {
+                       //remove the test user if it exists.
+                       String postUrl = HttpTest.HTTP_BASE_URL + 
"/system/userManager/user/" + testUserId3 + ".delete.html";
+                       List<NameValuePair> postParams = new 
ArrayList<NameValuePair>();
+                       H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+               }
                
         for(String script : toDelete) {
             H.getTestClient().delete(script);
         }
        }
        
+       private void grantUserManagerRights(String principalId) throws 
IOException {
+        String postUrl = HttpTest.HTTP_BASE_URL + "/home.modifyAce.html";
+
+        List<NameValuePair> postParams = new ArrayList<NameValuePair>();
+               postParams.add(new NameValuePair("principalId", principalId));
+               postParams.add(new NameValuePair("privilege@jcr:read", 
"granted"));
+               postParams.add(new NameValuePair("privilege@rep:write", 
"granted"));
+               postParams.add(new 
NameValuePair("privilege@jcr:readAccessControl", "granted"));
+               postParams.add(new 
NameValuePair("privilege@jcr:modifyAccessControl", "granted"));
+               postParams.add(new 
NameValuePair("privilege@rep:userManagement", "granted"));
+               
+               Credentials creds = new UsernamePasswordCredentials("admin", 
"admin");
+               H.assertAuthenticatedPostStatus(creds, postUrl, 
HttpServletResponse.SC_OK, postParams, null);
+       }
        
        /**
         * Checks whether the current user has been granted privileges
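Review bot: The private grantUserManagerRights added at the end of this hunk is a verbatim copy of UserManagerTestUtil.grantUserManagementRights introduced by the same commit, differing only in passing `null` instead of a descriptive assertion message; reduce it to a delegation, `H.grantUserManagementRights(principalId);`, or remove it and call the helper at each call site so the message is kept. The testUserId3 cleanup block earlier in the hunk deletes the user but does not revoke the ACE on /home that the helper created, so an aborted run may leave that entry behind unless the repository drops ACEs together with the authorizable.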
@@ -115,6 +129,27 @@ public class UserPrivilegesInfoTest {
                JsonObject jsonObj = JsonUtil.parseObject(json);
                
                assertEquals(false, jsonObj.getBoolean("canAddUser"));
+               
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canAddUser"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canAddUser"));
        }
 
        /**
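Review bot: The admin-then-granted-user block appended here is repeated verbatim in the six following hunks (canAddGroup, both canUpdateProperties tests, both canRemove tests, canUpdateGroupMembers), differing only in the JSON key, so the checks should be extracted into one helper that takes the URL and the key. Only the fully-granted principal is exercised on the non-admin path; a case with a partial grant (for example jcr:read alone) asserting `false` would show that the servlet does not report the capability for any non-default ACE, if that distinction is intended. `assertEquals(true, …)` reads more clearly as `assertTrue(…)`, which would need a static import alongside the existing ones. The enclosing test method starts outside the hunk.
```java
// … unchanged: assertions for the unprivileged test user …
assertPrivilegeForAdminAndGrantedUser(getUrl, "canAddUser");
}

/** Asserts {@code key} is reported true for admin and for a fresh user granted user-management rights. */
private void assertPrivilegeForAdminAndGrantedUser(String getUrl, String key) throws IOException {
    Credentials adminCreds = new UsernamePasswordCredentials("admin", "admin");
    String json = H.getAuthenticatedContent(adminCreds, getUrl, HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
    assertNotNull(json);
    assertEquals(true, JsonUtil.parseObject(json).getBoolean(key));

    testUserId3 = H.createTestUser();
    grantUserManagerRights(testUserId3);
    Credentials grantedCreds = new UsernamePasswordCredentials(testUserId3, "testPwd");
    json = H.getAuthenticatedContent(grantedCreds, getUrl, HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
    assertNotNull(json);
    assertEquals(true, JsonUtil.parseObject(json).getBoolean(key));
}
```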
@@ -135,6 +170,27 @@ public class UserPrivilegesInfoTest {
                JsonObject jsonObj = JsonUtil.parseObject(json);
                
                assertEquals(false, jsonObj.getBoolean("canAddGroup"));
+               
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canAddGroup"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canAddGroup"));
        }
        
        /**
@@ -171,6 +227,28 @@ public class UserPrivilegesInfoTest {
                
                //user can not update other users properties
                assertEquals(false, jsonObj2.getBoolean("canUpdateProperties"));
+
+               
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canUpdateProperties"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canUpdateProperties"));
        }
 
        /**
@@ -194,6 +272,28 @@ public class UserPrivilegesInfoTest {
                
                //normal user can not update group properties
                assertEquals(false, jsonObj.getBoolean("canUpdateProperties"));
+               
+               
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canUpdateProperties"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canUpdateProperties"));
        }
        
        /**
@@ -230,6 +330,28 @@ public class UserPrivilegesInfoTest {
                
                //user can not delete other users
                assertEquals(false, jsonObj2.getBoolean("canRemove"));
+
+               
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canRemove"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canRemove"));
        }
 
        /**
@@ -253,6 +375,27 @@ public class UserPrivilegesInfoTest {
                
                //normal user can not remove group
                assertEquals(false, jsonObj.getBoolean("canRemove"));
+
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canRemove"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canRemove"));
        }
        
        /**
@@ -276,5 +419,26 @@ public class UserPrivilegesInfoTest {
                
                //normal user can not remove group
                assertEquals(false, 
jsonObj.getBoolean("canUpdateGroupMembers"));
+
+               //try admin user
+               testUserCreds = new UsernamePasswordCredentials("admin", 
"admin");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canUpdateGroupMembers"));
+               
+               //try non-admin with sufficient privileges
+               testUserId3 = H.createTestUser();
+               grantUserManagerRights(testUserId3);
+               
+               testUserCreds = new UsernamePasswordCredentials(testUserId3, 
"testPwd");
+
+               json = H.getAuthenticatedContent(testUserCreds, getUrl, 
HttpTest.CONTENT_TYPE_JSON, null, HttpServletResponse.SC_OK);
+               assertNotNull(json);
+               jsonObj = JsonUtil.parseObject(json);
+               
+               assertEquals(true, jsonObj.getBoolean("canUpdateGroupMembers"));
        }
 }
