public async Task EditCalculationStatus_GivenUserDoesNotHaveCanApproveAnyCalculationPermission_Returns403() { //Arrange string specificationId = "abc123"; string calculationId = "5"; PublishStatusEditModel model = new PublishStatusEditModel() { PublishStatus = PublishStatus.Approved }; ValidatedApiResponse <Calculation> response = new ValidatedApiResponse <Calculation>(HttpStatusCode.OK, new Calculation() { FundingStreamId = "fs1", SpecificationId = specificationId }); ICalculationsApiClient calcsClient = Substitute.For <ICalculationsApiClient>(); calcsClient .GetCalculationById(Arg.Is(calculationId)) .Returns(response); IMapper mapper = MappingHelper.CreateFrontEndMapper(); IAuthorizationHelper authorizationHelper = Substitute.For <IAuthorizationHelper>(); authorizationHelper.DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanEditCalculations)) .Returns(true); authorizationHelper.GetUserFundingStreamPermissions(Arg.Any <ClaimsPrincipal>(), Arg.Any <string>()) .Returns(Task.FromResult(new Common.ApiClient.Users.Models.FundingStreamPermission())); CalculationController controller = CreateCalculationController(calcsClient, mapper, authorizationHelper, resultsApiClient); // Act IActionResult result = await controller.ApproveCalculation(specificationId, calculationId, model); // Assert result.Should().BeOfType <ForbidResult>(); await authorizationHelper .Received(1) .DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveAnyCalculations)); await authorizationHelper .Received(1) .DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveCalculations)); }
public async Task EditCalculationStatus_GivenUserHaveCanApproveCalculationPermissionAndIsLastAuthor_ReturnsForbid() { //Arrange string specificationId = "abc123"; string calculationId = "5"; PublishStatusEditModel model = new PublishStatusEditModel() { PublishStatus = PublishStatus.Approved }; ValidatedApiResponse <Calculation> response = new ValidatedApiResponse <Calculation>(HttpStatusCode.OK, new Calculation() { FundingStreamId = "fs1", Author = new Reference() { Id = "SomeOne" }, SpecificationId = specificationId }); ICalculationsApiClient calcsClient = Substitute.For <ICalculationsApiClient>(); calcsClient .GetCalculationById(Arg.Is(calculationId)) .Returns(response); calcsClient .UpdatePublishStatus(Arg.Is(calculationId), Arg.Is(model)) .Returns(new ValidatedApiResponse <PublishStatusResult>(HttpStatusCode.OK, new PublishStatusResult())); var identity = Substitute.For <IIdentity>(); identity.Name.Returns("BSir"); ClaimsPrincipal user = new ClaimsPrincipal(new List <ClaimsIdentity>() { new ClaimsIdentity(identity, new [] { new Claim("http://schemas.microsoft.com/identity/claims/objectidentifier", "SomeOne"), new Claim(ClaimTypes.GivenName, "Bob"), new Claim(ClaimTypes.Surname, "Sir") }) }); IMapper mapper = MappingHelper.CreateFrontEndMapper(); IAuthorizationHelper authorizationHelper = Substitute.For <IAuthorizationHelper>(); authorizationHelper.DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveCalculations)) .Returns(true); CalculationController controller = CreateCalculationController(calcsClient, mapper, authorizationHelper, resultsApiClient, user); // Act IActionResult result = await controller.ApproveCalculation(specificationId, calculationId, model); // Assert result.Should() .BeOfType <ForbidResult>(); await authorizationHelper .Received(1) .DoesUserHavePermission(Arg.Is(user), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveAnyCalculations)); await authorizationHelper .Received(1) .DoesUserHavePermission(Arg.Is(user), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveCalculations)); }
public async Task EditCalculationStatus_GivenUserHaveCanApproveAnyCalculationPermissionAndCalcIsAlreadyApproved_ReturnsOK() { //Arrange string specificationId = "abc123"; string calculationId = "5"; PublishStatusEditModel model = new PublishStatusEditModel() { PublishStatus = PublishStatus.Approved }; ValidatedApiResponse <Calculation> response = new ValidatedApiResponse <Calculation>(HttpStatusCode.OK, new Calculation() { FundingStreamId = "fs1", SpecificationId = specificationId, }); ICalculationsApiClient calcsClient = Substitute.For <ICalculationsApiClient>(); calcsClient .GetCalculationById(Arg.Is(calculationId)) .Returns(response); calcsClient .UpdatePublishStatus(Arg.Is(calculationId), Arg.Is(model)) .Returns(new ValidatedApiResponse <PublishStatusResult>(HttpStatusCode.OK, new PublishStatusResult() { PublishStatus = PublishStatus.Approved })); IMapper mapper = MappingHelper.CreateFrontEndMapper(); IAuthorizationHelper authorizationHelper = Substitute.For <IAuthorizationHelper>(); authorizationHelper .DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveAnyCalculations)) .Returns(true); CalculationController controller = CreateCalculationController(calcsClient, mapper, authorizationHelper, resultsApiClient); // Act IActionResult result = await controller.ApproveCalculation(specificationId, calculationId, model); // Assert result.Should() .BeOfType <OkObjectResult>() .Which .Value .Should() .BeOfType <PublishStatusResult>() .Which .Should() .BeEquivalentTo(new PublishStatusResult() { PublishStatus = PublishStatus.Approved }); await authorizationHelper .Received(1) .DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveAnyCalculations)); await authorizationHelper .Received(0) .DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Is(specificationId), Arg.Is(SpecificationActionTypes.CanApproveCalculations)); }