public async Task Should_return_forbidden_when_user_has_no_permission()
        {
            // No permission claim is attached to the user at all, so the attribute
            // must fail closed: deny the request and stop the pipeline.
            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Denied: a 403 result is set and `next` was never invoked.
            var statusCode = (actionExecutingContext.Result as StatusCodeResult)?.StatusCode;

            Assert.Equal(403, statusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_return_forbidden_when_route_data_has_no_value()
        {
            // The user does carry a permission claim, but the request has no "app"
            // route value to match it against. Expected: still denied (fail closed).
            var claim = new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app");

            user.AddClaim(claim);

            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Denied: 403 result set, pipeline short-circuited.
            var statusCode = (actionExecutingContext.Result as StatusCodeResult)?.StatusCode;

            Assert.Equal(403, statusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_call_next_when_user_has_correct_permission()
        {
            // Happy path: the permission claim names the same app ("my-app") that the
            // route data carries, and the required permission is AppSchemasCreate.
            var claim = new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app");

            user.AddClaim(claim);

            actionExecutingContext.RouteData.Values["app"] = "my-app";

            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Allowed: no result was written and the pipeline continued into `next`.
            Assert.Null(actionExecutingContext.Result);
            Assert.True(isNextCalled);
        }
        public async Task Should_return_forbidden_when_user_has_wrong_permission()
        {
            // The claim grants access to "other-app" while the route targets "my-app":
            // a permission for a different app must not be accepted (tenant isolation).
            var claim = new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app");

            user.AddClaim(claim);

            actionExecutingContext.RouteData.Values["app"] = "my-app";

            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasRead);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Denied: 403 result set, pipeline short-circuited.
            var statusCode = (actionExecutingContext.Result as StatusCodeResult)?.StatusCode;

            Assert.Equal(403, statusCode);
            Assert.False(isNextCalled);
        }
        // NOTE(review): this method name duplicates the route-data variant directly above;
        // two members with the same signature cannot coexist in one class, so this listing
        // probably merges two versions of the file. A distinct name such as
        // "..._with_app_feature" would describe this case better.
        public async Task Should_return_forbidden_when_user_has_wrong_permission()
        {
            // The app is resolved from an IAppFeature ("my-app") rather than route data,
            // while the claim only grants "other-app". Expected: denied.
            var appFeature = new AppFeature(NamedId.Of(DomainId.NewGuid(), "my-app"));

            actionExecutingContext.HttpContext.Features.Set<IAppFeature>(appFeature);

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));

            // SetContext() is a fixture helper defined outside this view; presumably it
            // rebuilds the executing context from the features set above — confirm.
            SetContext();

            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Denied: 403 result set, pipeline short-circuited.
            var statusCode = (actionExecutingContext.Result as StatusCodeResult)?.StatusCode;

            Assert.Equal(403, statusCode);
            Assert.False(isNextCalled);
        }
        public async Task Should_make_permission_check_with_app_feature()
        {
            // The app is resolved from an IAppFeature ("my-app") and the claim grants
            // exactly that app. Expected: allowed.
            var appFeature = new AppFeature(NamedId.Of(DomainId.NewGuid(), "my-app"));

            actionExecutingContext.HttpContext.Features.Set<IAppFeature>(appFeature);

            user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app"));

            // SetContext() is a fixture helper defined outside this view; presumably it
            // rebuilds the executing context from the features set above — confirm.
            SetContext();

            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasCreate);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Allowed: no result written, `next` invoked.
            Assert.Null(actionExecutingContext.Result);
            Assert.True(isNextCalled);
        }
        public async Task Should_make_permission_check_with_schema_feature()
        {
            // Both an app and a schema feature are present; the claim is scoped down to
            // the single schema "my-schema" of "my-app" and the required permission is
            // AppSchemasUpdate. Expected: allowed.
            var features = actionExecutingContext.HttpContext.Features;

            features.Set<IAppFeature>(new AppFeature(Mocks.App(appId)));
            features.Set<ISchemaFeature>(new SchemaFeature(Mocks.Schema(appId, schemaId)));

            var claim = new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app.schemas.my-schema");

            user.AddClaim(claim);

            // SetContext() is a fixture helper defined outside this view; presumably it
            // rebuilds the executing context from the features set above — confirm.
            SetContext();

            var attribute = new ApiPermissionAttribute(Permissions.AppSchemasUpdate);

            await attribute.OnActionExecutionAsync(actionExecutingContext, next);

            // Allowed: no result written, `next` invoked.
            Assert.Null(actionExecutingContext.Result);
            Assert.True(isNextCalled);
        }
        public void Should_use_bearer_schemes()
        {
            // With no arguments the attribute must restrict authentication to the
            // literal "Bearer" scheme, so cookie or other ambient authentication is
            // not accepted for API calls.
            var schemes = new ApiPermissionAttribute().AuthenticationSchemes;

            Assert.Equal("Bearer", schemes);
        }
        public void Should_use_custom_authorization_scheme()
        {
            // Same contract as the "Bearer" test above, but expressed through the
            // Constants.ApiSecurityScheme symbol; this listing appears to hold both
            // an older and a newer version of the same test.
            var schemes = new ApiPermissionAttribute().AuthenticationSchemes;

            Assert.Equal(Constants.ApiSecurityScheme, schemes);
        }