Exemple #1
0
        //[Fact]
        public async System.Threading.Tasks.Task UserCantAccessAnotherUsersAccount()
        {
            // verify (before we log in) that we are not logged in
            await GetCurrentUserIsUnauthorized();

            // register as a new user (creates an account and contact)
            var loginUser1    = randomNewUserName("NewSecUser1", 6);
            var businessName1 = randomNewUserName(loginUser1, 6);
            var strId1        = await LoginAndRegisterAsNewUser(loginUser1, businessName1);

            // verify the current user represents our new user
            ViewModels.User user1 = await GetCurrentUser();

            Assert.Equal(user1.name, loginUser1 + " TestUser");
            Assert.Equal(user1.businessname, businessName1 + " TestBusiness");

            // fetch our current account
            ViewModels.Account account1 = await GetAccountForCurrentUser();

            ViewModels.AdoxioLegalEntity legalEntity1 = await SecurityHelper.GetLegalEntityRecordForCurrent(_client);

            Assert.Equal(user1.accountid, account1.id);

            // logout and verify we are logged out
            await Logout();
            await GetCurrentUserIsUnauthorized();

            // register and login as a second user
            var loginUser2    = randomNewUserName("NewSecUser2", 6);
            var businessName2 = randomNewUserName(loginUser2, 6);
            var strId2        = await LoginAndRegisterAsNewUser(loginUser2, businessName2);

            ViewModels.User user2 = await GetCurrentUser();

            Assert.Equal(user2.name, loginUser2 + " TestUser");
            Assert.Equal(user2.businessname, businessName2 + " TestBusiness");
            ViewModels.Account account2 = await GetAccountForCurrentUser();

            Assert.NotEqual(account1.id, account2.id);
            Assert.Equal(user2.accountid, account2.id);

            // *** as user 2, try to access account and legal entity of account 1
            var secAccount = await SecurityHelper.GetAccountRecord(_client, account1.id, false);

            Assert.Null(secAccount);
            var secLegalEntity = await SecurityHelper.GetLegalEntityRecord(_client, legalEntity1.id, false);

            Assert.Null(secLegalEntity);

            secAccount = await SecurityHelper.UpdateAccountRecord(_client, account1.id, account1, false);

            Assert.Null(secAccount);
            // ***

            // logout and cleanup second test user
            await LogoutAndCleanupTestUser(strId2);
            await GetCurrentUserIsUnauthorized();

            // login again as the same user as above ^^^
            await Login(loginUser1, businessName1);

            user1 = await GetCurrentUser();

            Assert.Equal(user1.name, loginUser1 + " TestUser");
            Assert.Equal(user1.businessname, businessName1 + " TestBusiness");
            account1 = await GetAccountForCurrentUser();

            // logout and cleanup (deletes the account and contact created above ^^^)
            await LogoutAndCleanupTestUser(strId1);
            await GetCurrentUserIsUnauthorized();
        }