public async Task Should_return_forbidden_when_user_has_no_permission()
        {
            var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_return_forbidden_when_route_data_has_no_value()
        {
            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));

            var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_call_next_when_user_has_correct_permission()
        {
            actionExecutingContext.RouteData.Values["app"] = "my-app";

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app"));

            var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Null(actionExecutingContext.Result);
            Assert.True(isNextCalled);
        }
        public async Task Should_return_forbidden_when_user_has_wrong_permission()
        {
            actionExecutingContext.RouteData.Values["app"] = "my-app";

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));

            var sut = new ApiPermissionAttribute(Permissions.AppSchemasRead);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_return_forbidden_when_user_has_wrong_permission()
        {
            actionExecutingContext.HttpContext.Features.Set <IAppFeature>(new AppFeature(NamedId.Of(DomainId.NewGuid(), "my-app")));

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));

            SetContext();

            var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_make_permission_check_with_app_feature()
        {
            actionExecutingContext.HttpContext.Features.Set <IAppFeature>(new AppFeature(NamedId.Of(DomainId.NewGuid(), "my-app")));

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app"));

            SetContext();

            var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Null(actionExecutingContext.Result);
            Assert.True(isNextCalled);
        }
Beispiel #7
0
        public async Task Should_make_permission_check_with_schema_feature()
        {
            actionExecutingContext.HttpContext.Features.Set <IAppFeature>(new AppFeature(Mocks.App(appId)));
            actionExecutingContext.HttpContext.Features.Set <ISchemaFeature>(new SchemaFeature(Mocks.Schema(appId, schemaId)));

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app.schemas.my-schema"));

            SetContext();

            var sut = new ApiPermissionAttribute(Permissions.AppSchemasUpdate);

            await sut.OnActionExecutionAsync(actionExecutingContext, next);

            Assert.Null(actionExecutingContext.Result);
            Assert.True(isNextCalled);
        }
        public void Should_use_bearer_schemes()
        {
            var sut = new ApiPermissionAttribute();

            Assert.Equal("Bearer", sut.AuthenticationSchemes);
        }
        public void Should_use_custom_authorization_scheme()
        {
            var sut = new ApiPermissionAttribute();

            Assert.Equal(Constants.ApiSecurityScheme, sut.AuthenticationSchemes);
        }