1
|
|
|
<?php |
2
|
|
|
/** |
3
|
|
|
* |
4
|
|
|
* @todo Test Relation getters |
5
|
|
|
* @todo Test filter and limit through GET params |
6
|
|
|
* @todo Test DELETE verb |
7
|
|
|
* |
8
|
|
|
*/ |
9
|
|
|
class RestfulServerTest extends SapphireTest |
|
|
|
|
10
|
|
|
{ |
11
|
|
|
public static $fixture_file = 'RestfulServerTest.yml'; |
12
|
|
|
|
13
|
|
|
protected $extraDataObjects = array( |
14
|
|
|
'RestfulServerTest_Comment', |
15
|
|
|
'RestfulServerTest_SecretThing', |
16
|
|
|
'RestfulServerTest_Page', |
17
|
|
|
'RestfulServerTest_Author', |
18
|
|
|
'RestfulServerTest_AuthorRating', |
19
|
|
|
); |
20
|
|
|
|
21
|
|
View Code Duplication |
public function testApiAccess() |
|
|
|
|
22
|
|
|
{ |
23
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
24
|
|
|
$page1 = $this->objFromFixture('RestfulServerTest_Page', 'page1'); |
25
|
|
|
|
26
|
|
|
// normal GET should succeed with $api_access enabled |
27
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
28
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
29
|
|
|
$this->assertEquals($response->getStatusCode(), 200); |
|
|
|
|
30
|
|
|
|
31
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
32
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'user'; |
33
|
|
|
|
34
|
|
|
// even with logged in user a GET with $api_access disabled should fail |
35
|
|
|
$url = "/api/v1/RestfulServerTest_Page/" . $page1->ID; |
36
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
37
|
|
|
$this->assertEquals($response->getStatusCode(), 401); |
|
|
|
|
38
|
|
|
|
39
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
40
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
41
|
|
|
} |
42
|
|
|
|
43
|
|
|
public function testApiAccessBoolean() |
44
|
|
|
{ |
45
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
46
|
|
|
|
47
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
48
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
49
|
|
|
$this->assertContains('<ID>', $response->getBody()); |
50
|
|
|
$this->assertContains('<Name>', $response->getBody()); |
51
|
|
|
$this->assertContains('<Comment>', $response->getBody()); |
52
|
|
|
$this->assertContains('<Page', $response->getBody()); |
53
|
|
|
$this->assertContains('<Author', $response->getBody()); |
54
|
|
|
} |
55
|
|
|
|
56
|
|
View Code Duplication |
public function testAuthenticatedGET() |
|
|
|
|
57
|
|
|
{ |
58
|
|
|
$thing1 = $this->objFromFixture('RestfulServerTest_SecretThing', 'thing1'); |
59
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
60
|
|
|
|
61
|
|
|
// @todo create additional mock object with authenticated VIEW permissions |
62
|
|
|
$url = "/api/v1/RestfulServerTest_SecretThing/" . $thing1->ID; |
63
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
64
|
|
|
$this->assertEquals($response->getStatusCode(), 401); |
|
|
|
|
65
|
|
|
|
66
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
67
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'user'; |
68
|
|
|
|
69
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
70
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
71
|
|
|
$this->assertEquals($response->getStatusCode(), 200); |
|
|
|
|
72
|
|
|
|
73
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
74
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
75
|
|
|
} |
76
|
|
|
|
77
|
|
|
public function testAuthenticatedPUT() |
|
|
|
|
78
|
|
|
{ |
79
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
80
|
|
|
|
81
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
82
|
|
|
$data = array('Comment' => 'created'); |
83
|
|
|
|
84
|
|
|
$response = Director::test($url, $data, null, 'PUT'); |
|
|
|
|
85
|
|
|
$this->assertEquals($response->getStatusCode(), 401); // Permission failure |
|
|
|
|
86
|
|
|
|
87
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
88
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
89
|
|
|
$response = Director::test($url, $data, null, 'PUT'); |
|
|
|
|
90
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Success |
|
|
|
|
91
|
|
|
|
92
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
93
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
94
|
|
|
} |
95
|
|
|
|
96
|
|
|
public function testGETRelationshipsXML() |
97
|
|
|
{ |
98
|
|
|
$author1 = $this->objFromFixture('RestfulServerTest_Author', 'author1'); |
99
|
|
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating', 'rating1'); |
100
|
|
|
$rating2 = $this->objFromFixture('RestfulServerTest_AuthorRating', 'rating2'); |
101
|
|
|
|
102
|
|
|
// @todo should be set up by fixtures, doesn't work for some reason... |
103
|
|
|
$author1->Ratings()->add($rating1); |
104
|
|
|
$author1->Ratings()->add($rating2); |
105
|
|
|
|
106
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID; |
107
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
108
|
|
|
$this->assertEquals($response->getStatusCode(), 200); |
|
|
|
|
109
|
|
|
|
110
|
|
|
$responseArr = Convert::xml2array($response->getBody()); |
111
|
|
|
$ratingsArr = $responseArr['Ratings']['RestfulServerTest_AuthorRating']; |
112
|
|
|
$this->assertEquals(count($ratingsArr), 2); |
|
|
|
|
113
|
|
|
$ratingIDs = array( |
114
|
|
|
(int)$ratingsArr[0]['@attributes']['id'], |
115
|
|
|
(int)$ratingsArr[1]['@attributes']['id'] |
116
|
|
|
); |
117
|
|
|
$this->assertContains($rating1->ID, $ratingIDs); |
118
|
|
|
$this->assertContains($rating2->ID, $ratingIDs); |
119
|
|
|
} |
120
|
|
|
|
121
|
|
|
public function testGETManyManyRelationshipsXML() |
122
|
|
|
{ |
123
|
|
|
// author4 has related authors author2 and author3 |
124
|
|
|
$author2 = $this->objFromFixture('RestfulServerTest_Author', 'author2'); |
125
|
|
|
$author3 = $this->objFromFixture('RestfulServerTest_Author', 'author3'); |
126
|
|
|
$author4 = $this->objFromFixture('RestfulServerTest_Author', 'author4'); |
127
|
|
|
|
128
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author4->ID . '/RelatedAuthors'; |
129
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
130
|
|
|
$this->assertEquals(200, $response->getStatusCode()); |
|
|
|
|
131
|
|
|
$arr = Convert::xml2array($response->getBody()); |
132
|
|
|
$authorsArr = $arr['RestfulServerTest_Author']; |
133
|
|
|
|
134
|
|
|
$this->assertEquals(count($authorsArr), 2); |
|
|
|
|
135
|
|
|
$ratingIDs = array( |
136
|
|
|
(int)$authorsArr[0]['ID'], |
137
|
|
|
(int)$authorsArr[1]['ID'] |
138
|
|
|
); |
139
|
|
|
$this->assertContains($author2->ID, $ratingIDs); |
140
|
|
|
$this->assertContains($author3->ID, $ratingIDs); |
141
|
|
|
} |
142
|
|
|
|
143
|
|
|
public function testPUTWithFormEncoded() |
|
|
|
|
144
|
|
|
{ |
145
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
146
|
|
|
|
147
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
148
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
149
|
|
|
|
150
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
151
|
|
|
$body = 'Name=Updated Comment&Comment=updated'; |
152
|
|
|
$headers = array( |
153
|
|
|
'Content-Type' => 'application/x-www-form-urlencoded' |
154
|
|
|
); |
155
|
|
|
$response = Director::test($url, null, null, 'PUT', $body, $headers); |
|
|
|
|
156
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Success |
|
|
|
|
157
|
|
|
// Assumption: XML is default output |
158
|
|
|
$responseArr = Convert::xml2array($response->getBody()); |
159
|
|
|
$this->assertEquals($responseArr['ID'], $comment1->ID); |
|
|
|
|
160
|
|
|
$this->assertEquals($responseArr['Comment'], 'updated'); |
|
|
|
|
161
|
|
|
$this->assertEquals($responseArr['Name'], 'Updated Comment'); |
|
|
|
|
162
|
|
|
|
163
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
164
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
165
|
|
|
} |
166
|
|
|
|
167
|
|
|
public function testPOSTWithFormEncoded() |
|
|
|
|
168
|
|
|
{ |
169
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
170
|
|
|
|
171
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
172
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
173
|
|
|
|
174
|
|
|
$url = "/api/v1/RestfulServerTest_Comment"; |
175
|
|
|
$body = 'Name=New Comment&Comment=created'; |
176
|
|
|
$headers = array( |
177
|
|
|
'Content-Type' => 'application/x-www-form-urlencoded' |
178
|
|
|
); |
179
|
|
|
$response = Director::test($url, null, null, 'POST', $body, $headers); |
|
|
|
|
180
|
|
|
$this->assertEquals($response->getStatusCode(), 201); // Created |
|
|
|
|
181
|
|
|
// Assumption: XML is default output |
182
|
|
|
$responseArr = Convert::xml2array($response->getBody()); |
183
|
|
|
$this->assertTrue($responseArr['ID'] > 0); |
|
|
|
|
184
|
|
|
$this->assertNotEquals($responseArr['ID'], $comment1->ID); |
|
|
|
|
185
|
|
|
$this->assertEquals($responseArr['Comment'], 'created'); |
|
|
|
|
186
|
|
|
$this->assertEquals($responseArr['Name'], 'New Comment'); |
|
|
|
|
187
|
|
|
$this->assertEquals( |
|
|
|
|
188
|
|
|
$response->getHeader('Location'), |
189
|
|
|
Controller::join_links(Director::absoluteBaseURL(), $url, $responseArr['ID']) |
190
|
|
|
); |
191
|
|
|
|
192
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
193
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
194
|
|
|
} |
195
|
|
|
|
196
|
|
View Code Duplication |
public function testPostWithoutBodyReturnsNoContent() |
|
|
|
|
197
|
|
|
{ |
198
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
199
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
200
|
|
|
|
201
|
|
|
$url = '/api/v1/RestfulServerTest_Comment'; |
202
|
|
|
$response = Director::test($url, null, null, 'POST'); |
|
|
|
|
203
|
|
|
|
204
|
|
|
$this->assertEquals('No Content', $response->getBody()); |
|
|
|
|
205
|
|
|
|
206
|
|
|
unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']); |
207
|
|
|
} |
208
|
|
|
|
209
|
|
|
public function testPUTwithJSON() |
|
|
|
|
210
|
|
|
{ |
211
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
212
|
|
|
|
213
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
214
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
215
|
|
|
|
216
|
|
|
// by mimetype |
217
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
218
|
|
|
$body = '{"Comment":"updated"}'; |
219
|
|
|
$response = Director::test($url, null, null, 'PUT', $body, array('Content-Type'=>'application/json')); |
|
|
|
|
220
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Updated |
|
|
|
|
221
|
|
|
$obj = Convert::json2obj($response->getBody()); |
222
|
|
|
$this->assertEquals($obj->ID, $comment1->ID); |
|
|
|
|
223
|
|
|
$this->assertEquals($obj->Comment, 'updated'); |
|
|
|
|
224
|
|
|
|
225
|
|
|
// by extension |
226
|
|
|
$url = sprintf("/api/v1/RestfulServerTest_Comment/%d.json", $comment1->ID); |
227
|
|
|
$body = '{"Comment":"updated"}'; |
228
|
|
|
$response = Director::test($url, null, null, 'PUT', $body); |
|
|
|
|
229
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Updated |
|
|
|
|
230
|
|
|
$this->assertEquals( |
|
|
|
|
231
|
|
|
$response->getHeader('Location'), |
232
|
|
|
Controller::join_links(Director::absoluteBaseURL(), $url) |
233
|
|
|
); |
234
|
|
|
$obj = Convert::json2obj($response->getBody()); |
235
|
|
|
$this->assertEquals($obj->ID, $comment1->ID); |
|
|
|
|
236
|
|
|
$this->assertEquals($obj->Comment, 'updated'); |
|
|
|
|
237
|
|
|
|
238
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
239
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
240
|
|
|
} |
241
|
|
|
|
242
|
|
|
public function testPUTwithXML() |
|
|
|
|
243
|
|
|
{ |
244
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
245
|
|
|
|
246
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
247
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
248
|
|
|
|
249
|
|
|
// by mimetype |
250
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
251
|
|
|
$body = '<RestfulServerTest_Comment><Comment>updated</Comment></RestfulServerTest_Comment>'; |
252
|
|
|
$response = Director::test($url, null, null, 'PUT', $body, array('Content-Type'=>'text/xml')); |
|
|
|
|
253
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Updated |
|
|
|
|
254
|
|
|
$obj = Convert::xml2array($response->getBody()); |
255
|
|
|
$this->assertEquals($obj['ID'], $comment1->ID); |
|
|
|
|
256
|
|
|
$this->assertEquals($obj['Comment'], 'updated'); |
|
|
|
|
257
|
|
|
|
258
|
|
|
// by extension |
259
|
|
|
$url = sprintf("/api/v1/RestfulServerTest_Comment/%d.xml", $comment1->ID); |
260
|
|
|
$body = '<RestfulServerTest_Comment><Comment>updated</Comment></RestfulServerTest_Comment>'; |
261
|
|
|
$response = Director::test($url, null, null, 'PUT', $body); |
|
|
|
|
262
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Updated |
|
|
|
|
263
|
|
|
$this->assertEquals( |
|
|
|
|
264
|
|
|
$response->getHeader('Location'), |
265
|
|
|
Controller::join_links(Director::absoluteBaseURL(), $url) |
266
|
|
|
); |
267
|
|
|
$obj = Convert::xml2array($response->getBody()); |
268
|
|
|
$this->assertEquals($obj['ID'], $comment1->ID); |
|
|
|
|
269
|
|
|
$this->assertEquals($obj['Comment'], 'updated'); |
|
|
|
|
270
|
|
|
|
271
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
272
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
273
|
|
|
} |
274
|
|
|
|
275
|
|
|
public function testHTTPAcceptAndContentType() |
276
|
|
|
{ |
277
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
278
|
|
|
|
279
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
280
|
|
|
|
281
|
|
|
$headers = array('Accept' => 'application/json'); |
282
|
|
|
$response = Director::test($url, null, null, 'GET', null, $headers); |
|
|
|
|
283
|
|
|
$this->assertEquals($response->getStatusCode(), 200); // Success |
|
|
|
|
284
|
|
|
$obj = Convert::json2obj($response->getBody()); |
285
|
|
|
$this->assertEquals($obj->ID, $comment1->ID); |
|
|
|
|
286
|
|
|
$this->assertEquals($response->getHeader('Content-Type'), 'application/json'); |
|
|
|
|
287
|
|
|
} |
288
|
|
|
|
289
|
|
View Code Duplication |
public function testNotFound() |
|
|
|
|
290
|
|
|
{ |
291
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
292
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'user'; |
293
|
|
|
|
294
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/99"; |
295
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
296
|
|
|
$this->assertEquals($response->getStatusCode(), 404); |
|
|
|
|
297
|
|
|
|
298
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
299
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
300
|
|
|
} |
301
|
|
|
|
302
|
|
View Code Duplication |
public function testMethodNotAllowed() |
|
|
|
|
303
|
|
|
{ |
304
|
|
|
$comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1'); |
305
|
|
|
|
306
|
|
|
$url = "/api/v1/RestfulServerTest_Comment/" . $comment1->ID; |
307
|
|
|
$response = Director::test($url, null, null, 'UNKNOWNHTTPMETHOD'); |
|
|
|
|
308
|
|
|
$this->assertEquals($response->getStatusCode(), 405); |
|
|
|
|
309
|
|
|
} |
310
|
|
|
|
311
|
|
View Code Duplication |
public function testConflictOnExistingResourceWhenUsingPost() |
|
|
|
|
312
|
|
|
{ |
313
|
|
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating', 'rating1'); |
314
|
|
|
|
315
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID; |
316
|
|
|
$response = Director::test($url, null, null, 'POST'); |
|
|
|
|
317
|
|
|
$this->assertEquals($response->getStatusCode(), 409); |
|
|
|
|
318
|
|
|
} |
319
|
|
|
|
320
|
|
|
public function testUnsupportedMediaType() |
|
|
|
|
321
|
|
|
{ |
322
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
323
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'user'; |
324
|
|
|
|
325
|
|
|
$url = "/api/v1/RestfulServerTest_Comment"; |
326
|
|
|
$data = "Comment||\/||updated"; // weird format |
327
|
|
|
$headers = array('Content-Type' => 'text/weirdformat'); |
328
|
|
|
$response = Director::test($url, null, null, 'POST', $data, $headers); |
|
|
|
|
329
|
|
|
$this->assertEquals($response->getStatusCode(), 415); |
|
|
|
|
330
|
|
|
|
331
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
332
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
333
|
|
|
} |
334
|
|
|
|
335
|
|
|
public function testXMLValueFormatting() |
336
|
|
|
{ |
337
|
|
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating', 'rating1'); |
338
|
|
|
|
339
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID; |
340
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
341
|
|
|
$this->assertContains('<ID>' . $rating1->ID . '</ID>', $response->getBody()); |
342
|
|
|
$this->assertContains('<Rating>' . $rating1->Rating . '</Rating>', $response->getBody()); |
343
|
|
|
} |
344
|
|
|
|
345
|
|
|
public function testApiAccessFieldRestrictions() |
346
|
|
|
{ |
347
|
|
|
$author1 = $this->objFromFixture('RestfulServerTest_Author', 'author1'); |
348
|
|
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating', 'rating1'); |
349
|
|
|
|
350
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID; |
351
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
352
|
|
|
$this->assertContains('<ID>', $response->getBody()); |
353
|
|
|
$this->assertContains('<Rating>', $response->getBody()); |
354
|
|
|
$this->assertContains('<Author', $response->getBody()); |
355
|
|
|
$this->assertNotContains('<SecretField>', $response->getBody()); |
356
|
|
|
$this->assertNotContains('<SecretRelation>', $response->getBody()); |
357
|
|
|
|
358
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID . '?add_fields=SecretField,SecretRelation'; |
359
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
360
|
|
|
$this->assertNotContains('<SecretField>', $response->getBody(), |
361
|
|
|
'"add_fields" URL parameter filters out disallowed fields from $api_access' |
362
|
|
|
); |
363
|
|
|
$this->assertNotContains('<SecretRelation>', $response->getBody(), |
364
|
|
|
'"add_fields" URL parameter filters out disallowed relations from $api_access' |
365
|
|
|
); |
366
|
|
|
|
367
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID . '?fields=SecretField,SecretRelation'; |
368
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
369
|
|
|
$this->assertNotContains('<SecretField>', $response->getBody(), |
370
|
|
|
'"fields" URL parameter filters out disallowed fields from $api_access' |
371
|
|
|
); |
372
|
|
|
$this->assertNotContains('<SecretRelation>', $response->getBody(), |
373
|
|
|
'"fields" URL parameter filters out disallowed relations from $api_access' |
374
|
|
|
); |
375
|
|
|
|
376
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID . '/Ratings'; |
377
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
378
|
|
|
$this->assertContains('<Rating>', $response->getBody(), |
379
|
|
|
'Relation viewer shows fields allowed through $api_access' |
380
|
|
|
); |
381
|
|
|
$this->assertNotContains('<SecretField>', $response->getBody(), |
382
|
|
|
'Relation viewer on has-many filters out disallowed fields from $api_access' |
383
|
|
|
); |
384
|
|
|
} |
385
|
|
|
|
386
|
|
|
public function testApiAccessRelationRestrictionsInline() |
387
|
|
|
{ |
388
|
|
|
$author1 = $this->objFromFixture('RestfulServerTest_Author', 'author1'); |
389
|
|
|
|
390
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID; |
391
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
392
|
|
|
$this->assertNotContains('<RelatedPages', $response->getBody(), 'Restricts many-many with api_access=false'); |
393
|
|
|
$this->assertNotContains('<PublishedPages', $response->getBody(), 'Restricts has-many with api_access=false'); |
394
|
|
|
} |
395
|
|
|
|
396
|
|
|
public function testApiAccessRelationRestrictionsOnEndpoint() |
397
|
|
|
{ |
398
|
|
|
$author1 = $this->objFromFixture('RestfulServerTest_Author', 'author1'); |
399
|
|
|
|
400
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID . "/ProfilePage"; |
401
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
402
|
|
|
$this->assertEquals(404, $response->getStatusCode(), 'Restricts has-one with api_access=false'); |
|
|
|
|
403
|
|
|
|
404
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID . "/RelatedPages"; |
405
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
406
|
|
|
$this->assertEquals(404, $response->getStatusCode(), 'Restricts many-many with api_access=false'); |
|
|
|
|
407
|
|
|
|
408
|
|
|
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID . "/PublishedPages"; |
409
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
410
|
|
|
$this->assertEquals(404, $response->getStatusCode(), 'Restricts has-many with api_access=false'); |
|
|
|
|
411
|
|
|
} |
412
|
|
|
|
413
|
|
|
public function testApiAccessWithPUT() |
414
|
|
|
{ |
415
|
|
|
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating', 'rating1'); |
416
|
|
|
|
417
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating/" . $rating1->ID; |
418
|
|
|
$data = array( |
419
|
|
|
'Rating' => '42', |
420
|
|
|
'WriteProtectedField' => 'haxx0red' |
421
|
|
|
); |
422
|
|
|
$response = Director::test($url, $data, null, 'PUT'); |
|
|
|
|
423
|
|
|
// Assumption: XML is default output |
424
|
|
|
$responseArr = Convert::xml2array($response->getBody()); |
425
|
|
|
$this->assertEquals($responseArr['Rating'], 42); |
|
|
|
|
426
|
|
|
$this->assertNotEquals($responseArr['WriteProtectedField'], 'haxx0red'); |
|
|
|
|
427
|
|
|
} |
428
|
|
|
|
429
|
|
|
public function testJSONDataFormatter() |
430
|
|
|
{ |
431
|
|
|
$formatter = new JSONDataFormatter(); |
432
|
|
|
$editor = $this->objFromFixture('Member', 'editor'); |
433
|
|
|
$user = $this->objFromFixture('Member', 'user'); |
434
|
|
|
|
435
|
|
|
$this->assertEquals( |
|
|
|
|
436
|
|
|
$formatter->convertDataObject($editor, array("FirstName", "Email")), |
|
|
|
|
437
|
|
|
'{"FirstName":"Editor","Email":"[email protected]"}', |
438
|
|
|
"Correct JSON formatting with field subset"); |
439
|
|
|
|
440
|
|
|
$set = DataObject::get( |
441
|
|
|
"Member", |
442
|
|
|
sprintf('"Member"."ID" IN (%s)', implode(',', array($editor->ID, $user->ID))), |
443
|
|
|
'"Email" ASC' // for sorting for postgres |
444
|
|
|
); |
445
|
|
|
$this->assertEquals( |
|
|
|
|
446
|
|
|
$formatter->convertDataObjectSet($set, array("FirstName", "Email")), |
447
|
|
|
'{"totalSize":null,"items":[{"FirstName":"Editor","Email":"[email protected]"},' . |
448
|
|
|
'{"FirstName":"User","Email":"[email protected]"}]}', |
449
|
|
|
"Correct JSON formatting on a dataobjectset with field filter"); |
450
|
|
|
} |
451
|
|
|
|
452
|
|
|
public function testApiAccessWithPOST() |
453
|
|
|
{ |
454
|
|
|
$url = "/api/v1/RestfulServerTest_AuthorRating"; |
455
|
|
|
$data = array( |
456
|
|
|
'Rating' => '42', |
457
|
|
|
'WriteProtectedField' => 'haxx0red' |
458
|
|
|
); |
459
|
|
|
$response = Director::test($url, $data, null, 'POST'); |
|
|
|
|
460
|
|
|
// Assumption: XML is default output |
461
|
|
|
$responseArr = Convert::xml2array($response->getBody()); |
462
|
|
|
$this->assertEquals($responseArr['Rating'], 42); |
|
|
|
|
463
|
|
|
$this->assertNotEquals($responseArr['WriteProtectedField'], 'haxx0red'); |
|
|
|
|
464
|
|
|
} |
465
|
|
|
|
466
|
|
|
public function testCanViewRespectedInList() |
|
|
|
|
467
|
|
|
{ |
468
|
|
|
// Default content type |
469
|
|
|
$url = "/api/v1/RestfulServerTest_SecretThing/"; |
470
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
471
|
|
|
$this->assertEquals($response->getStatusCode(), 200); |
|
|
|
|
472
|
|
|
$this->assertNotContains('Unspeakable', $response->getBody()); |
473
|
|
|
|
474
|
|
|
// JSON content type |
475
|
|
|
$url = "/api/v1/RestfulServerTest_SecretThing.json"; |
476
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
477
|
|
|
$this->assertEquals($response->getStatusCode(), 200); |
|
|
|
|
478
|
|
|
$this->assertNotContains('Unspeakable', $response->getBody()); |
479
|
|
|
$responseArray = Convert::json2array($response->getBody()); |
480
|
|
|
$this->assertSame(0, $responseArray['totalSize']); |
|
|
|
|
481
|
|
|
|
482
|
|
|
// With authentication |
483
|
|
|
$_SERVER['PHP_AUTH_USER'] = '[email protected]'; |
484
|
|
|
$_SERVER['PHP_AUTH_PW'] = 'editor'; |
485
|
|
|
$url = "/api/v1/RestfulServerTest_SecretThing/"; |
486
|
|
|
$response = Director::test($url, null, null, 'GET'); |
|
|
|
|
487
|
|
|
$this->assertEquals($response->getStatusCode(), 200); |
|
|
|
|
488
|
|
|
$this->assertContains('Unspeakable', $response->getBody()); |
489
|
|
|
// Assumption: default formatter is XML |
490
|
|
|
$responseArray = Convert::xml2array($response->getBody()); |
491
|
|
|
$this->assertEquals(1, $responseArray['@attributes']['totalSize']); |
|
|
|
|
492
|
|
|
unset($_SERVER['PHP_AUTH_USER']); |
493
|
|
|
unset($_SERVER['PHP_AUTH_PW']); |
494
|
|
|
} |
495
|
|
|
} |
496
|
|
|
|
497
|
|
|
/** |
498
|
|
|
* Everybody can view comments, logged in members in the "users" group can create comments, |
499
|
|
|
* but only "editors" can edit or delete them. |
500
|
|
|
* |
501
|
|
|
*/ |
502
|
|
|
class RestfulServerTest_Comment extends DataObject implements PermissionProvider,TestOnly |
|
|
|
|
503
|
|
|
{ |
504
|
|
|
public static $api_access = true; |
505
|
|
|
|
506
|
|
|
public static $db = array( |
507
|
|
|
"Name" => "Varchar(255)", |
508
|
|
|
"Comment" => "Text" |
509
|
|
|
); |
510
|
|
|
|
511
|
|
|
public static $has_one = array( |
512
|
|
|
'Page' => 'RestfulServerTest_Page', |
513
|
|
|
'Author' => 'RestfulServerTest_Author', |
514
|
|
|
); |
515
|
|
|
|
516
|
|
|
public function providePermissions() |
517
|
|
|
{ |
518
|
|
|
return array( |
519
|
|
|
'EDIT_Comment' => 'Edit Comment Objects', |
520
|
|
|
'CREATE_Comment' => 'Create Comment Objects', |
521
|
|
|
'DELETE_Comment' => 'Delete Comment Objects', |
522
|
|
|
); |
523
|
|
|
} |
524
|
|
|
|
525
|
|
|
public function canView($member = null) |
526
|
|
|
{ |
527
|
|
|
return true; |
528
|
|
|
} |
529
|
|
|
|
530
|
|
|
public function canEdit($member = null) |
531
|
|
|
{ |
532
|
|
|
return Permission::checkMember($member, 'EDIT_Comment'); |
533
|
|
|
} |
534
|
|
|
|
535
|
|
|
public function canDelete($member = null) |
536
|
|
|
{ |
537
|
|
|
return Permission::checkMember($member, 'DELETE_Comment'); |
538
|
|
|
} |
539
|
|
|
|
540
|
|
|
public function canCreate($member = null) |
541
|
|
|
{ |
542
|
|
|
return Permission::checkMember($member, 'CREATE_Comment'); |
543
|
|
|
} |
544
|
|
|
} |
545
|
|
|
|
546
|
|
|
class RestfulServerTest_SecretThing extends DataObject implements TestOnly,PermissionProvider |
|
|
|
|
547
|
|
|
{ |
548
|
|
|
public static $api_access = true; |
549
|
|
|
|
550
|
|
|
public static $db = array( |
551
|
|
|
"Name" => "Varchar(255)", |
552
|
|
|
); |
553
|
|
|
|
554
|
|
|
public function canView($member = null) |
555
|
|
|
{ |
556
|
|
|
return Permission::checkMember($member, 'VIEW_SecretThing'); |
557
|
|
|
} |
558
|
|
|
|
559
|
|
|
public function providePermissions() |
560
|
|
|
{ |
561
|
|
|
return array( |
562
|
|
|
'VIEW_SecretThing' => 'View Secret Things', |
563
|
|
|
); |
564
|
|
|
} |
565
|
|
|
} |
566
|
|
|
|
567
|
|
|
class RestfulServerTest_Page extends DataObject implements TestOnly |
|
|
|
|
568
|
|
|
{ |
569
|
|
|
public static $api_access = false; |
570
|
|
|
|
571
|
|
|
public static $db = array( |
572
|
|
|
'Title' => 'Text', |
573
|
|
|
'Content' => 'HTMLText', |
574
|
|
|
); |
575
|
|
|
|
576
|
|
|
public static $has_one = array( |
577
|
|
|
'Author' => 'RestfulServerTest_Author', |
578
|
|
|
); |
579
|
|
|
|
580
|
|
|
public static $has_many = array( |
581
|
|
|
'TestComments' => 'RestfulServerTest_Comment' |
582
|
|
|
); |
583
|
|
|
|
584
|
|
|
public static $belongs_many_many = array( |
585
|
|
|
'RelatedAuthors' => 'RestfulServerTest_Author', |
586
|
|
|
); |
587
|
|
|
} |
588
|
|
|
|
589
|
|
|
class RestfulServerTest_Author extends DataObject implements TestOnly |
|
|
|
|
590
|
|
|
{ |
591
|
|
|
public static $api_access = true; |
592
|
|
|
|
593
|
|
|
public static $db = array( |
594
|
|
|
'Name' => 'Text', |
595
|
|
|
); |
596
|
|
|
|
597
|
|
|
public static $many_many = array( |
598
|
|
|
'RelatedPages' => 'RestfulServerTest_Page', |
599
|
|
|
'RelatedAuthors' => 'RestfulServerTest_Author', |
600
|
|
|
); |
601
|
|
|
|
602
|
|
|
public static $has_many = array( |
603
|
|
|
'PublishedPages' => 'RestfulServerTest_Page', |
604
|
|
|
'Ratings' => 'RestfulServerTest_AuthorRating', |
605
|
|
|
); |
606
|
|
|
|
607
|
|
|
public function canView($member = null) |
608
|
|
|
{ |
609
|
|
|
return true; |
610
|
|
|
} |
611
|
|
|
} |
612
|
|
|
|
613
|
|
|
class RestfulServerTest_AuthorRating extends DataObject implements TestOnly |
|
|
|
|
614
|
|
|
{ |
615
|
|
|
public static $api_access = array( |
616
|
|
|
'view' => array( |
617
|
|
|
'Rating', |
618
|
|
|
'WriteProtectedField', |
619
|
|
|
'Author' |
620
|
|
|
), |
621
|
|
|
'edit' => array( |
622
|
|
|
'Rating' |
623
|
|
|
) |
624
|
|
|
); |
625
|
|
|
|
626
|
|
|
public static $db = array( |
627
|
|
|
'Rating' => 'Int', |
628
|
|
|
'SecretField' => 'Text', |
629
|
|
|
'WriteProtectedField' => 'Text', |
630
|
|
|
); |
631
|
|
|
|
632
|
|
|
public static $has_one = array( |
633
|
|
|
'Author' => 'RestfulServerTest_Author', |
634
|
|
|
'SecretRelation' => 'RestfulServerTest_Author', |
635
|
|
|
); |
636
|
|
|
|
637
|
|
|
public function canView($member = null) |
638
|
|
|
{ |
639
|
|
|
return true; |
640
|
|
|
} |
641
|
|
|
|
642
|
|
|
public function canEdit($member = null) |
643
|
|
|
{ |
644
|
|
|
return true; |
645
|
|
|
} |
646
|
|
|
|
647
|
|
|
public function canCreate($member = null) |
648
|
|
|
{ |
649
|
|
|
return true; |
650
|
|
|
} |
651
|
|
|
} |
652
|
|
|
|
You can fix this by adding a namespace to your class:
When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.