9.5/_unit_2_authentication_2_backend_user_authentication_test_8php_source.html

<?php

declare(strict_types = 1);

namespace ‪TYPO3\CMS\Core\Tests\Unit\Authentication;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use PHPUnit\Framework\MockObject\MockObject;

use Prophecy\Argument;

use Prophecy\Prophecy\ObjectProphecy;

use Psr\Log\NullLogger;

use ‪TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

use ‪TYPO3\CMS\Core\Database\Connection;

use ‪TYPO3\CMS\Core\Database\ConnectionPool;

use ‪TYPO3\CMS\Core\Database\Query\Expression\ExpressionBuilder;

use ‪TYPO3\CMS\Core\Database\Query\QueryBuilder;

use ‪TYPO3\CMS\Core\FormProtection\BackendFormProtection;

use ‪TYPO3\CMS\Core\FormProtection\FormProtectionFactory;

use ‪TYPO3\CMS\Core\Resource\ResourceStorage;

use ‪TYPO3\CMS\Core\Tests\Unit\Database\Mocks\MockPlatform;

use ‪TYPO3\CMS\Core\Type\Bitmask\JsConfirmation;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;

use TYPO3\TestingFramework\Core\Unit\UnitTestCase;


class ‪BackendUserAuthenticationTest extends UnitTestCase

{

    protected ‪$defaultFilePermissions = [

        // File permissions

        'addFile' => false,

        'readFile' => false,

        'writeFile' => false,

        'copyFile' => false,

        'moveFile' => false,

        'renameFile' => false,

        'deleteFile' => false,

        // Folder permissions

        'addFolder' => false,

        'readFolder' => false,

        'writeFolder' => false,

        'copyFolder' => false,

        'moveFolder' => false,

        'renameFolder' => false,

        'deleteFolder' => false,

        'recursivedeleteFolder' => false

    ];


    protected function ‪tearDown(): void

    {

        ‪FormProtectionFactory::purgeInstances();

        parent::tearDown();

    }


    // Tests concerning the form protection


    public function ‪logoffCleansFormProtectionIfBackendUserIsLoggedIn(): void

    {

        $connection = $this->prophesize(Connection::class);

        $connection->delete('sys_lockedrecords', Argument::cetera())->willReturn(1);


        $connectionPool = $this->prophesize(ConnectionPool::class);

        $connectionPool->getConnectionForTable(Argument::cetera())->willReturn($connection->reveal());


        GeneralUtility::addInstance(ConnectionPool::class, $connectionPool->reveal());


        $formProtection = $this->prophesize(BackendFormProtection::class);

        $formProtection->clean()->shouldBeCalled();


        ‪FormProtectionFactory::set(

            'default',

            $formProtection->reveal()

        );


        ‪$GLOBALS['BE_USER'] = $this->getMockBuilder(BackendUserAuthentication::class)->getMock();

        ‪$GLOBALS['BE_USER']->user = [

            'uid' => 4711,

            'ses_backuserid' => 0,

        ];

        ‪$GLOBALS['BE_USER']->setLogger(new NullLogger());


        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['dummy'])

            ->disableOriginalConstructor()

            ->getMock();


        $subject->setLogger(new NullLogger());

        $subject->logoff();

    }


    public function ‪getFilePermissionsTakesUserDefaultAndStoragePermissionsIntoAccountIfUserIsNotAdminDataProvider(): array

    {

        return [

            'Only read permissions' => [

                [

                    'addFile' => 0,

                    'readFile' => 1,

                    'writeFile' => 0,

                    'copyFile' => 0,

                    'moveFile' => 0,

                    'renameFile' => 0,

                    'deleteFile' => 0,

                    'addFolder' => 0,

                    'readFolder' => 1,

                    'copyFolder' => 0,

                    'moveFolder' => 0,

                    'renameFolder' => 0,

                    'writeFolder' => 0,

                    'deleteFolder' => 0,

                    'recursivedeleteFolder' => 0,

                ]

            ],

            'Uploading allowed' => [

                [

                    'addFile' => 1,

                    'readFile' => 1,

                    'writeFile' => 1,

                    'copyFile' => 1,

                    'moveFile' => 1,

                    'renameFile' => 1,

                    'deleteFile' => 1,

                    'addFolder' => 0,

                    'readFolder' => 1,

                    'copyFolder' => 0,

                    'moveFolder' => 0,

                    'renameFolder' => 0,

                    'writeFolder' => 0,

                    'deleteFolder' => 0,

                    'recursivedeleteFolder' => 0

                ]

            ],

            'One value is enough' => [

                [

                    'addFile' => 1,

                ]

            ],

        ];

    }


    public function ‪getFilePermissionsTakesUserDefaultPermissionsFromTsConfigIntoAccountIfUserIsNotAdmin(array $userTsConfiguration): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['isAdmin', 'getTSConfig'])

            ->getMock();


        $subject

            ->expects($this->any())

            ->method('isAdmin')

            ->will($this->returnValue(false));


        $subject->setLogger(new NullLogger());

        $subject

            ->expects($this->any())

            ->method('getTSConfig')

            ->will($this->returnValue([

                'permissions.' => [

                    'file.' => [

                        'default.' => $userTsConfiguration

                    ],

                ]

            ]));


        $expectedPermissions = array_merge($this->defaultFilePermissions, $userTsConfiguration);

        array_walk(

            $expectedPermissions,

            function (&$value) {

                $value = (bool)$value;

            }

        );


        $this->assertEquals($expectedPermissions, $subject->getFilePermissions());

    }


    public function ‪getFilePermissionsFromStorageDataProvider(): array

    {

        $defaultPermissions = [

            'addFile' => true,

            'readFile' => true,

            'writeFile' => true,

            'copyFile' => true,

            'moveFile' => true,

            'renameFile' => true,

            'deleteFile' => true,

            'addFolder' => true,

            'readFolder' => true,

            'copyFolder' => true,

            'moveFolder' => true,

            'renameFolder' => true,

            'writeFolder' => true,

            'deleteFolder' => true,

            'recursivedeleteFolder' => true

        ];


        return [

            'Overwrites given storage permissions with default permissions' => [

                $defaultPermissions,

                1,

                [

                    'addFile' => 0,

                    'recursivedeleteFolder' =>0

                ],

                [

                    'addFile' => 0,

                    'readFile' => 1,

                    'writeFile' => 1,

                    'copyFile' => 1,

                    'moveFile' => 1,

                    'renameFile' => 1,

                    'deleteFile' => 1,

                    'addFolder' => 1,

                    'readFolder' => 1,

                    'copyFolder' => 1,

                    'moveFolder' => 1,

                    'renameFolder' => 1,

                    'writeFolder' => 1,

                    'deleteFolder' => 1,

                    'recursivedeleteFolder' => 0

                ]

            ],

            'Overwrites given storage 0 permissions with default permissions' => [

                $defaultPermissions,

                0,

                [

                    'addFile' => 0,

                    'recursivedeleteFolder' =>0

                ],

                [

                    'addFile' => false,

                    'readFile' => true,

                    'writeFile' => true,

                    'copyFile' => true,

                    'moveFile' => true,

                    'renameFile' => true,

                    'deleteFile' => true,

                    'addFolder' => true,

                    'readFolder' => true,

                    'copyFolder' => true,

                    'moveFolder' => true,

                    'renameFolder' => true,

                    'writeFolder' => true,

                    'deleteFolder' => true,

                    'recursivedeleteFolder' => false

                ]

            ],

            'Returns default permissions if no storage permissions are found' => [

                $defaultPermissions,

                1,

                [],

                [

                    'addFile' => true,

                    'readFile' => true,

                    'writeFile' => true,

                    'copyFile' => true,

                    'moveFile' => true,

                    'renameFile' => true,

                    'deleteFile' => true,

                    'addFolder' => true,

                    'readFolder' => true,

                    'copyFolder' => true,

                    'moveFolder' => true,

                    'renameFolder' => true,

                    'writeFolder' => true,

                    'deleteFolder' => true,

                    'recursivedeleteFolder' => true

                ]

            ],

        ];

    }


    public function ‪getFilePermissionsFromStorageOverwritesDefaultPermissions(array $defaultPermissions, $storageUid, array $storagePermissions, array $expectedPermissions): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['isAdmin', 'getFilePermissions', 'getTSConfig'])

            ->getMock();

        $storageMock = $this->createMock(ResourceStorage::class);

        $storageMock->expects($this->any())->method('getUid')->will($this->returnValue($storageUid));


        $subject

            ->expects($this->any())

            ->method('isAdmin')

            ->will($this->returnValue(false));


        $subject

            ->expects($this->any())

            ->method('getFilePermissions')

            ->will($this->returnValue($defaultPermissions));


        $subject

            ->expects($this->any())

            ->method('getTSConfig')

            ->will($this->returnValue([

                'permissions.' => [

                    'file.' => [

                        'storage.' => [

                            $storageUid . '.' => $storagePermissions

                        ],

                    ],

                ]

            ]));


        $this->assertEquals($expectedPermissions, $subject->getFilePermissionsForStorage($storageMock));

    }


    public function ‪getFilePermissionsFromStorageAlwaysReturnsDefaultPermissionsForAdmins(array $defaultPermissions, $storageUid, array $storagePermissions): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['isAdmin', 'getFilePermissions', 'getTSConfig'])

            ->getMock();

        $storageMock = $this->createMock(ResourceStorage::class);

        $storageMock->expects($this->any())->method('getUid')->will($this->returnValue($storageUid));


        $subject

            ->expects($this->any())

            ->method('isAdmin')

            ->will($this->returnValue(true));


        $subject

            ->expects($this->any())

            ->method('getFilePermissions')

            ->will($this->returnValue($defaultPermissions));


        $subject

            ->expects($this->any())

            ->method('getTSConfig')

            ->will($this->returnValue([

                'permissions.' => [

                    'file.' => [

                        'storage.' => [

                            $storageUid . '.' => $storagePermissions

                        ],

                    ],

                ]

            ]));


        $this->assertEquals($defaultPermissions, $subject->getFilePermissionsForStorage($storageMock));

    }


    public function ‪getFilePermissionsTakesUserDefaultPermissionsFromRecordIntoAccountIfUserIsNotAdminDataProvider(): array

    {

        return [

            'No permission' => [

                '',

                [

                    'addFile' => false,

                    'readFile' => false,

                    'writeFile' => false,

                    'copyFile' => false,

                    'moveFile' => false,

                    'renameFile' => false,

                    'deleteFile' => false,

                    'addFolder' => false,

                    'readFolder' => false,

                    'copyFolder' => false,

                    'moveFolder' => false,

                    'renameFolder' => false,

                    'writeFolder' => false,

                    'deleteFolder' => false,

                    'recursivedeleteFolder' => false

                ]

            ],

            'Standard file permissions' => [

                'addFile,readFile,writeFile,copyFile,moveFile,renameFile,deleteFile',

                [

                    'addFile' => true,

                    'readFile' => true,

                    'writeFile' => true,

                    'copyFile' => true,

                    'moveFile' => true,

                    'renameFile' => true,

                    'deleteFile' => true,

                    'addFolder' => false,

                    'readFolder' => false,

                    'copyFolder' => false,

                    'moveFolder' => false,

                    'renameFolder' => false,

                    'writeFolder' => false,

                    'deleteFolder' => false,

                    'recursivedeleteFolder' => false

                ]

            ],

            'Standard folder permissions' => [

                'addFolder,readFolder,moveFolder,renameFolder,writeFolder,deleteFolder',

                [

                    'addFile' => false,

                    'readFile' => false,

                    'writeFile' => false,

                    'copyFile' => false,

                    'moveFile' => false,

                    'renameFile' => false,

                    'deleteFile' => false,

                    'addFolder' => true,

                    'readFolder' => true,

                    'writeFolder' => true,

                    'copyFolder' => false,

                    'moveFolder' => true,

                    'renameFolder' => true,

                    'deleteFolder' => true,

                    'recursivedeleteFolder' => false

                ]

            ],

            'Copy folder allowed' => [

                'readFolder,copyFolder',

                [

                    'addFile' => false,

                    'readFile' => false,

                    'writeFile' => false,

                    'copyFile' => false,

                    'moveFile' => false,

                    'renameFile' => false,

                    'deleteFile' => false,

                    'addFolder' => false,

                    'readFolder' => true,

                    'writeFolder' => false,

                    'copyFolder' => true,

                    'moveFolder' => false,

                    'renameFolder' => false,

                    'deleteFolder' => false,

                    'recursivedeleteFolder' => false

                ]

            ],

            'Copy folder and remove subfolders allowed' => [

                'readFolder,copyFolder,recursivedeleteFolder',

                [

                    'addFile' => false,

                    'readFile' => false,

                    'writeFile' => false,

                    'copyFile' => false,

                    'moveFile' => false,

                    'renameFile' => false,

                    'deleteFile' => false,

                    'addFolder' => false,

                    'readFolder' => true,

                    'writeFolder' => false,

                    'copyFolder' => true,

                    'moveFolder' => false,

                    'renameFolder' => false,

                    'deleteFolder' => false,

                    'recursivedeleteFolder' => true

                ]

            ],

        ];

    }


    public function ‪getFilePermissionsTakesUserDefaultPermissionsFromRecordIntoAccountIfUserIsNotAdmin(string $permissionValue, array $expectedPermissions): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['isAdmin', 'getTSConfig'])

            ->getMock();


        $subject

            ->expects($this->any())

            ->method('isAdmin')

            ->will($this->returnValue(false));


        $subject

            ->expects($this->any())

            ->method('getTSConfig')

            ->will($this->returnValue([]));

        $subject->groupData['file_permissions'] = $permissionValue;

        $this->assertEquals($expectedPermissions, $subject->getFilePermissions());

    }


    public function ‪getFilePermissionsGrantsAllPermissionsToAdminUsers(): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['isAdmin'])

            ->getMock();


        $subject

            ->expects($this->any())

            ->method('isAdmin')

            ->will($this->returnValue(true));


        $expectedPermissions = [

            'addFile' => true,

            'readFile' => true,

            'writeFile' => true,

            'copyFile' => true,

            'moveFile' => true,

            'renameFile' => true,

            'deleteFile' => true,

            'addFolder' => true,

            'readFolder' => true,

            'writeFolder' => true,

            'copyFolder' => true,

            'moveFolder' => true,

            'renameFolder' => true,

            'deleteFolder' => true,

            'recursivedeleteFolder' => true

        ];


        $this->assertEquals($expectedPermissions, $subject->getFilePermissions());

    }


    public function ‪jsConfirmationReturnsTrueIfPassedValueEqualsConfiguration(): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['getTSConfig'])

            ->getMock();

        $subject->method('getTSConfig')->with()->willReturn([

            'options.' => [

                'alertPopups' => 1

            ],

        ]);

        $this->assertTrue($subject->jsConfirmation(‪JsConfirmation::TYPE_CHANGE));

        $this->assertFalse($subject->jsConfirmation(‪JsConfirmation::COPY_MOVE_PASTE));

    }


    public function ‪jsConfirmationAllowsSettingMultipleBitsInValue(): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['getTSConfig'])

            ->getMock();

        $subject->method('getTSConfig')->with()->willReturn([

            'options.' => [

                'alertPopups' => 3

            ],

        ]);

        $this->assertTrue($subject->jsConfirmation(‪JsConfirmation::TYPE_CHANGE));

        $this->assertTrue($subject->jsConfirmation(‪JsConfirmation::COPY_MOVE_PASTE));

    }


    public function ‪jsConfirmationAllowsUnsettingBitsInValue($jsConfirmation, $typeChangeAllowed, $copyMovePasteAllowed, $deleteAllowed, $feEditAllowed, $otherAllowed): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['getTSConfig'])

            ->getMock();

        $subject->method('getTSConfig')->with()->willReturn([

            'options.' => [

                'alertPopups' => $jsConfirmation

            ],

        ]);

        $this->assertEquals($typeChangeAllowed, $subject->jsConfirmation(‪JsConfirmation::TYPE_CHANGE));

        $this->assertEquals($copyMovePasteAllowed, $subject->jsConfirmation(‪JsConfirmation::COPY_MOVE_PASTE));

        $this->assertEquals($deleteAllowed, $subject->jsConfirmation(‪JsConfirmation::DELETE));

        $this->assertEquals($feEditAllowed, $subject->jsConfirmation(‪JsConfirmation::FE_EDIT));

        $this->assertEquals($otherAllowed, $subject->jsConfirmation(‪JsConfirmation::OTHER));

    }


    public function ‪jsConfirmationsWithUnsetBits(): array

    {

        return [

            'All except "type change" and "copy/move/paste"' => [

                252,

                false,

                false,

                true,

                true,

                true,

            ],

            'All except "other"' => [

                127,

                true,

                true,

                true,

                true,

                false,

            ],

        ];

    }


    public function ‪jsConfirmationAlwaysReturnsFalseIfNoConfirmationIsSet(): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['getTSConfig'])

            ->getMock();

        $subject->method('getTSConfig')->with()->willReturn([

            'options.' => [

                'alertPopups' => 0

            ],

        ]);

        $this->assertFalse($subject->jsConfirmation(‪JsConfirmation::TYPE_CHANGE));

        $this->assertFalse($subject->jsConfirmation(‪JsConfirmation::COPY_MOVE_PASTE));

    }


    public function ‪jsConfirmationReturnsTrueIfConfigurationIsMissing(): void

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['getTSConfig'])

            ->getMock();


        $this->assertTrue($subject->jsConfirmation(‪JsConfirmation::TYPE_CHANGE));

    }


    public function ‪getPagePermissionsClauseWithValidUserDataProvider(): array

    {

        return [

            'for admin' => [

                1,

                true,

                '',

                ' 1=1'

            ],

            'for admin with groups' => [

                11,

                true,

                '1,2',

                ' 1=1'

            ],

            'for user' => [

                2,

                false,

                '',

                ' ((`pages`.`perms_everybody` & 2 = 2) OR' .

                ' ((`pages`.`perms_userid` = 123) AND (`pages`.`perms_user` & 2 = 2)))'

            ],

            'for user with groups' => [

                8,

                false,

                '1,2',

                ' ((`pages`.`perms_everybody` & 8 = 8) OR' .

                ' ((`pages`.`perms_userid` = 123) AND (`pages`.`perms_user` & 8 = 8))' .

                ' OR ((`pages`.`perms_groupid` IN (1, 2)) AND (`pages`.`perms_group` & 8 = 8)))'

            ],

        ];

    }


    public function ‪getPagePermissionsClauseWithValidUser(int $perms, bool $admin, string $groups, string $expected): void

    {

        // We only need to setup the mocking for the non-admin cases

        // If this setup is done for admin cases the FIFO behavior

        // of GeneralUtility::addInstance will influence other tests

        // as the ConnectionPool is never used!

        if (!$admin) {

            $connectionProphecy = $this->prophesize(Connection::class);

            $connectionProphecy->getDatabasePlatform()->willReturn(new ‪MockPlatform());

            $connectionProphecy->quoteIdentifier(Argument::cetera())->will(function (‪$args) {

                return '`' . str_replace('.', '`.`', ‪$args[0]) . '`';

            });


            $queryBuilderProphecy = $this->prophesize(QueryBuilder::class);

            $queryBuilderProphecy->expr()->willReturn(

                new ‪ExpressionBuilder($connectionProphecy->reveal())

            );


            $databaseProphecy = $this->prophesize(ConnectionPool::class);

            $databaseProphecy->getQueryBuilderForTable('pages')->willReturn($queryBuilderProphecy->reveal());

            // Shift previously added instance

            GeneralUtility::makeInstance(ConnectionPool::class);

            GeneralUtility::addInstance(ConnectionPool::class, $databaseProphecy->reveal());

        }


        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->setMethods(['isAdmin'])

            ->getMock();

        $subject->setLogger(new NullLogger());

        $subject->expects($this->any())

            ->method('isAdmin')

            ->will($this->returnValue($admin));


        $subject->user = ['uid' => 123];

        $subject->groupList = $groups;


        $this->assertEquals($expected, $subject->getPagePermsClause($perms));

    }


    public function ‪checkAuthModeReturnsExpectedValue(string $theValue, string $authMode, bool $expectedResult)

    {

        $subject = $this->getMockBuilder(BackendUserAuthentication::class)

            ->disableOriginalConstructor()

            ->setMethods(['isAdmin'])

            ->getMock();


        $subject

            ->expects(self::any())

            ->method('isAdmin')

            ->willReturn(false);


        $subject->groupData['explicit_allowdeny'] =

            'dummytable:dummyfield:explicitly_allowed_value:ALLOW,'

            . 'dummytable:dummyfield:explicitly_denied_value:DENY';


        $result = $subject->checkAuthMode('dummytable', 'dummyfield', $theValue, $authMode);

        self::assertEquals($expectedResult, $result);

    }


    public function ‪checkAuthModeReturnsExpectedValueDataProvider(): array

    {

        return [

            'explicit allow, not allowed value' => [

                'non_allowed_field',

                'explicitAllow',

                false,

            ],

            'explicit allow, allowed value' => [

                'explicitly_allowed_value',

                'explicitAllow',

                true,

            ],

            'explicit deny, not denied value' => [

                'non_denied_field',

                'explicitDeny',

                true,

            ],

            'explicit deny, denied value' => [

                'explicitly_denied_value',

                'explicitDeny',

                false,

            ],

            'invalid value colon' => [

                'containing:invalid:chars',

                'does not matter',

                false,

            ],

            'invalid value comma' => [

                'containing,invalid,chars',

                'does not matter',

                false,

            ],

            'blank value' => [

                '',

                'does not matter',

                true,

            ],

            'divider' => [

                '--div--',

                'explicitAllow',

                true,

            ],

        ];

    }

}