From f47ba4fb2351ee9268d9adb94daa6be035a0396f Mon Sep 17 00:00:00 2001 From: Shaun McDonald Date: Mon, 27 Apr 2009 11:57:58 +0000 Subject: [PATCH] Fix the node and relation tests from when the users with data public=false were disallowed from editing. Needed extra fixtures. --- test/fixtures/current_node_tags.yml | 6 + test/fixtures/current_nodes.yml | 4 +- test/fixtures/node_tags.yml | 7 ++ test/fixtures/nodes.yml | 4 +- test/functional/node_controller_test.rb | 130 +++++++++++++++++--- test/functional/relation_controller_test.rb | 10 +- test/unit/node_tag_test.rb | 2 +- test/unit/old_node_tag_test.rb | 2 +- 8 files changed, 137 insertions(+), 28 deletions(-) diff --git a/test/fixtures/current_node_tags.yml b/test/fixtures/current_node_tags.yml index 1494daf54..8d5202e90 100644 --- a/test/fixtures/current_node_tags.yml +++ b/test/fixtures/current_node_tags.yml @@ -27,3 +27,9 @@ nv_t2: id: 15 k: 'testing two' v: 'modified in node version 4' + +public_v_t1: + id: 16 + k: 'testvisible' + v: 'yes' + diff --git a/test/fixtures/current_nodes.yml b/test/fixtures/current_nodes.yml index 10c48196d..b0761a264 100644 --- a/test/fixtures/current_nodes.yml +++ b/test/fixtures/current_nodes.yml @@ -25,7 +25,7 @@ used_node_1: id: 3 latitude: <%= 3*SCALE %> longitude: <%= 3*SCALE %> - changeset_id: 1 + changeset_id: 2 visible: true version: 1 tile: <%= QuadTile.tile_for_point(3,3) %> @@ -45,7 +45,7 @@ node_used_by_relationship: id: 5 latitude: <%= 5*SCALE %> longitude: <%= 5*SCALE %> - changeset_id: 1 + changeset_id: 2 visible: true version: 1 tile: <%= QuadTile.tile_for_point(5,5) %> diff --git a/test/fixtures/node_tags.yml b/test/fixtures/node_tags.yml index 722bc5367..b02291300 100644 --- a/test/fixtures/node_tags.yml +++ b/test/fixtures/node_tags.yml @@ -45,3 +45,10 @@ nv4_t2: k: 'testing two' v: 'modified in node version 4' version: 4 + +public_v_t1: + id: 16 + k: 'testvisible' + v: 'yes' + version: 1 + diff --git a/test/fixtures/nodes.yml b/test/fixtures/nodes.yml index fb02fa7ee..d23a7c014 100644 --- a/test/fixtures/nodes.yml +++ b/test/fixtures/nodes.yml @@ -25,7 +25,7 @@ used_node_1: id: 3 latitude: <%= 3*SCALE %> longitude: <%= 3*SCALE %> - changeset_id: 1 + changeset_id: 2 visible: true version: 1 tile: <%= QuadTile.tile_for_point(3,3) %> @@ -45,7 +45,7 @@ node_used_by_relationship: id: 5 latitude: <%= 5*SCALE %> longitude: <%= 5*SCALE %> - changeset_id: 1 + changeset_id: 2 visible: true version: 1 tile: <%= QuadTile.tile_for_point(5,5) %> diff --git a/test/functional/node_controller_test.rb b/test/functional/node_controller_test.rb index f7b96e291..6877fc967 100644 --- a/test/functional/node_controller_test.rb +++ b/test/functional/node_controller_test.rb @@ -5,6 +5,24 @@ class NodeControllerTest < ActionController::TestCase def test_create # cannot read password from fixture as it is stored as MD5 digest + ## First try with no auth + + # create a node with random lat/lon + lat = rand(100)-50 + rand + lon = rand(100)-50 + rand + # normal user has a changeset open, so we'll use that. + changeset = changesets(:normal_user_first_change) + # create a minimal xml file + content("") + assert_difference('OldNode.count', 0) do + put :create + end + # hope for unauthorized + assert_response :unauthorized, "node upload did not return unauthorized status" + + + + ## Now try with the user which doesn't have their data public basic_authorization(users(:normal_user).email, "test") # create a node with random lat/lon @@ -14,6 +32,24 @@ class NodeControllerTest < ActionController::TestCase changeset = changesets(:normal_user_first_change) # create a minimal xml file content("") + assert_difference('Node.count', 0) do + put :create + end + # hope for success + assert_require_public_data "node create did not return forbidden status" + + + + ## Now try with the user that has the public data + basic_authorization(users(:public_user).email, "test") + + # create a node with random lat/lon + lat = rand(100)-50 + rand + lon = rand(100)-50 + rand + # normal user has a changeset open, so we'll use that. + changeset = changesets(:public_user_first_change) + # create a minimal xml file + content("") put :create # hope for success assert_response :success, "node upload did not return success status" @@ -25,15 +61,17 @@ class NodeControllerTest < ActionController::TestCase # compare values assert_in_delta lat * 10000000, checknode.latitude, 1, "saved node does not match requested latitude" assert_in_delta lon * 10000000, checknode.longitude, 1, "saved node does not match requested longitude" - assert_equal changesets(:normal_user_first_change).id, checknode.changeset_id, "saved node does not belong to changeset that it was created in" + assert_equal changesets(:public_user_first_change).id, checknode.changeset_id, "saved node does not belong to changeset that it was created in" assert_equal true, checknode.visible, "saved node is not visible" end def test_create_invalid_xml + ## Only test public user here, as test_create should cover what's the forbiddens + ## that would occur here # Initial setup - basic_authorization(users(:normal_user).email, "test") + basic_authorization(users(:public_user).email, "test") # normal user has a changeset open, so we'll use that. - changeset = changesets(:normal_user_first_change) + changeset = changesets(:public_user_first_change) lat = 3.434 lon = 3.23 @@ -43,7 +81,7 @@ class NodeControllerTest < ActionController::TestCase put :create # hope for success assert_response :bad_request, "node upload did not return bad_request status" - assert_equal 'Cannot parse valid node from xml string . lat missing', @response.body + assert_equal "Cannot parse valid node from xml string . lat missing", @response.body # test that the upload is rejected when no lon is supplied # create a minimal xml file @@ -51,7 +89,7 @@ class NodeControllerTest < ActionController::TestCase put :create # hope for success assert_response :bad_request, "node upload did not return bad_request status" - assert_equal 'Cannot parse valid node from xml string . lon missing', @response.body + assert_equal "Cannot parse valid node from xml string . lon missing", @response.body end @@ -72,32 +110,76 @@ class NodeControllerTest < ActionController::TestCase # this tests deletion restrictions - basic deletion is tested in the unit # tests for node! def test_delete - # first try to delete node without auth + ## first try to delete node without auth delete :delete, :id => current_nodes(:visible_node).id assert_response :unauthorized - - # now set auth + + + ## now set auth for the non-data public user basic_authorization(users(:normal_user).email, "test"); # try to delete with an invalid (closed) changeset content update_changeset(current_nodes(:visible_node).to_xml, changesets(:normal_user_closed_change).id) delete :delete, :id => current_nodes(:visible_node).id - assert_response :conflict + assert_require_public_data("non-public user shouldn't be able to delete node") # try to delete with an invalid (non-existent) changeset content update_changeset(current_nodes(:visible_node).to_xml,0) delete :delete, :id => current_nodes(:visible_node).id - assert_response :conflict + assert_require_public_data("shouldn't be able to delete node, when user's data is private") # valid delete now takes a payload content(nodes(:visible_node).to_xml) delete :delete, :id => current_nodes(:visible_node).id + assert_require_public_data("shouldn't be able to delete node when user's data isn't public'") + + # this won't work since the node is already deleted + content(nodes(:invisible_node).to_xml) + delete :delete, :id => current_nodes(:invisible_node).id + assert_require_public_data + + # this won't work since the node never existed + delete :delete, :id => 0 + assert_require_public_data + + ## these test whether nodes which are in-use can be deleted: + # in a way... + content(nodes(:used_node_1).to_xml) + delete :delete, :id => current_nodes(:used_node_1).id + assert_require_public_data + "shouldn't be able to delete a node used in a way (#{@response.body})" + + # in a relation... + content(nodes(:node_used_by_relationship).to_xml) + delete :delete, :id => current_nodes(:node_used_by_relationship).id + assert_require_public_data + "shouldn't be able to delete a node used in a relation (#{@response.body})" + + + + ## now set auth for the public data user + basic_authorization(users(:public_user).email, "test"); + + # try to delete with an invalid (closed) changeset + content update_changeset(current_nodes(:visible_node).to_xml, + changesets(:normal_user_closed_change).id) + delete :delete, :id => current_nodes(:visible_node).id + assert_response :conflict + + # try to delete with an invalid (non-existent) changeset + content update_changeset(current_nodes(:visible_node).to_xml,0) + delete :delete, :id => current_nodes(:visible_node).id + assert_response :conflict + + # valid delete now takes a payload + content(nodes(:public_visible_node).to_xml) + delete :delete, :id => current_nodes(:public_visible_node).id assert_response :success # valid delete should return the new version number, which should # be greater than the old version number - assert @response.body.to_i > current_nodes(:visible_node).version, + assert @response.body.to_i > current_nodes(:public_visible_node).version, "delete request should return a new version number for node" # this won't work since the node is already deleted @@ -264,30 +346,44 @@ class NodeControllerTest < ActionController::TestCase # test adding tags to a node def test_duplicate_tags # setup auth - basic_authorization(users(:normal_user).email, "test") + basic_authorization(users(:public_user).email, "test") # add an identical tag to the node tag_xml = XML::Node.new("tag") - tag_xml['k'] = current_node_tags(:t1).k - tag_xml['v'] = current_node_tags(:t1).v + tag_xml['k'] = current_node_tags(:public_v_t1).k + tag_xml['v'] = current_node_tags(:public_v_t1).v # add the tag into the existing xml - node_xml = current_nodes(:visible_node).to_xml + node_xml = current_nodes(:public_visible_node).to_xml node_xml.find("//osm/node").first << tag_xml # try and upload it content node_xml - put :update, :id => current_nodes(:visible_node).id + put :update, :id => current_nodes(:public_visible_node).id assert_response :bad_request, "adding duplicate tags to a node should fail with 'bad request'" - assert_equal "Element node/#{current_nodes(:visible_node).id} has duplicate tags with key #{current_node_tags(:t1).k}.", @response.body + assert_equal "Element node/#{current_nodes(:public_visible_node).id} has duplicate tags with key #{current_node_tags(:t1).k}.", @response.body end # test whether string injection is possible def test_string_injection + ## First try with the non-data public user basic_authorization(users(:normal_user).email, "test") changeset_id = changesets(:normal_user_first_change).id + # try and put something into a string that the API might + # use unquoted and therefore allow code injection... + content "" + + '' + + '' + put :create + assert_require_public_data "Shouldn't be able to create with non-public user" + + + ## Then try with the public data user + basic_authorization(users(:public_user).email, "test") + changeset_id = changesets(:public_user_first_change).id + # try and put something into a string that the API might # use unquoted and therefore allow code injection... content "" + diff --git a/test/functional/relation_controller_test.rb b/test/functional/relation_controller_test.rb index c7e9ca6be..fa49bd98b 100644 --- a/test/functional/relation_controller_test.rb +++ b/test/functional/relation_controller_test.rb @@ -300,7 +300,7 @@ class RelationControllerTest < ActionController::TestCase # and the API gives sensible results. this is to test a case that # gregory marler noticed and posted to josm-dev. def test_update_relation_tags_via_upload - basic_authorization "test@example.com", "test" + basic_authorization users(:public_user).email, "test" rel_id = current_relations(:multi_tag_relation).id cs_id = changesets(:public_user_first_change).id @@ -328,10 +328,10 @@ class RelationControllerTest < ActionController::TestCase # ------------------------------------- def test_create_invalid - basic_authorization "test@openstreetmap.org", "test" + basic_authorization users(:public_user).email, "test" # put the relation in a dummy fixture changset - changeset_id = changesets(:normal_user_first_change).id + changeset_id = changesets(:public_user_first_change).id # create a relation with non-existing node as member content "" + @@ -347,10 +347,10 @@ class RelationControllerTest < ActionController::TestCase # Test creating a relation, with some invalid XML # ------------------------------------- def test_create_invalid_xml - basic_authorization "test@openstreetmap.org", "test" + basic_authorization users(:public_user).email, "test" # put the relation in a dummy fixture changeset that works - changeset_id = changesets(:normal_user_first_change).id + changeset_id = changesets(:public_user_first_change).id # create some xml that should return an error content "" + diff --git a/test/unit/node_tag_test.rb b/test/unit/node_tag_test.rb index bd7d9f6e3..fe0f112bf 100644 --- a/test/unit/node_tag_test.rb +++ b/test/unit/node_tag_test.rb @@ -4,7 +4,7 @@ class NodeTagTest < Test::Unit::TestCase api_fixtures def test_tag_count - assert_equal 6, NodeTag.count + assert_equal 7, NodeTag.count node_tag_count(:visible_node, 1) node_tag_count(:invisible_node, 1) node_tag_count(:used_node_1, 1) diff --git a/test/unit/old_node_tag_test.rb b/test/unit/old_node_tag_test.rb index 969677653..f2203005c 100644 --- a/test/unit/old_node_tag_test.rb +++ b/test/unit/old_node_tag_test.rb @@ -4,7 +4,7 @@ class OldNodeTest < Test::Unit::TestCase api_fixtures def test_old_node_tag_count - assert_equal 8, OldNodeTag.count, "Unexpected number of fixtures loaded." + assert_equal 9, OldNodeTag.count, "Unexpected number of fixtures loaded." end def test_length_key_valid -- 2.43.2