/// <summary>
/// Account-scoped reads (TSV export, expense listing) are only served to the logged-in owner
/// and for the shared account; a foreign account and a presumably non-existent one ("Unknown")
/// both answer Unauthorized, so the status code does not tell the caller whether an account exists.
/// After logout every request is rejected.
/// </summary>
public async Task GetExpensesAccessTest()
{
    using (var fixture = new GeldAppFixture())
    {
        // Runs the four probes in the same order for each session state; only the
        // status expected for the caller's own and the shared account differs.
        async Task ExpectAccountAccessAsync(HttpStatusCode ownAndShared)
        {
            await fixture.ExpectGetAsync("/api/account/Hans/export/tsv", ownAndShared);
            await fixture.ExpectGetAsync("/api/account/Shared/export/tsv", ownAndShared);
            await fixture.ExpectGetAsync("/api/account/Petra/expenses", HttpStatusCode.Unauthorized);
            await fixture.ExpectGetAsync("/api/account/Unknown/expenses", HttpStatusCode.Unauthorized);
        }

        // Authenticated as the account owner.
        await fixture.Login("Hans");
        await ExpectAccountAccessAsync(HttpStatusCode.OK);

        // No session at all.
        fixture.Logout();
        await ExpectAccountAccessAsync(HttpStatusCode.Unauthorized);
    }
}
/// <summary>
/// The unhandled-imports listing of an account is visible to its owner only: anonymous
/// callers and another authenticated user (Petra) get Unauthorized. The method name mirrors
/// the sibling expenses test; the endpoint exercised here is the imports listing.
/// </summary>
public async Task GetExpensesAccessTest()
{
    const string unhandledImports = "/api/account/Hans/imports/unhandled";

    using (var fixture = new GeldAppFixture())
    {
        // Owner.
        await fixture.Login("Hans");
        await fixture.ExpectGetAsync(unhandledImports, HttpStatusCode.OK);

        // Anonymous.
        fixture.Logout();
        await fixture.ExpectGetAsync(unhandledImports, HttpStatusCode.Unauthorized);

        // Different authenticated user.
        await fixture.Login("Petra");
        await fixture.ExpectGetAsync(unhandledImports, HttpStatusCode.Unauthorized);
    }
}
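/// <summary>
/// Every category endpoint (list, predict, create, rename, delete) must reject a request that
/// is not made by the account owner — first from another authenticated user (Petra acting on
/// Hans' account), then without any session. Account names that do not occur elsewhere in the
/// fixture (Teal'C, SamCarter, JackONeil) are expected to answer Unauthorized as well, which
/// keeps the status code from revealing whether an account exists.
/// Owner (Hans) access is not asserted here; presumably covered by another test.
/// </summary>
public async Task EnsureAccessIsVerifiedTest()
{
    using (var fixture = new GeldAppFixture())
    {
        var testCmd = new CreateCategoryCommand("Hans", "Einnahmen");

        // The identical request set is replayed for both callers; every request must be rejected.
        // testCmd.AsContent() is called per request, as in the original inline version.
        async Task ExpectAllRejectedAsync()
        {
            await fixture.ExpectGetAsync("/api/account/Hans/categories", HttpStatusCode.Unauthorized);
            await fixture.ExpectGetAsync("/api/account/Hans/categories/predict", HttpStatusCode.Unauthorized);
            (await fixture.Client.PostAsync("/api/account/Hans/categories", testCmd.AsContent())).IsUnauthorized();
            (await fixture.Client.PostAsync("/api/account/Teal'C/categories", testCmd.AsContent())).IsUnauthorized();
            (await fixture.Client.PutAsync("/api/account/Hans/category/Einnahmen/Aktien", null)).IsUnauthorized();
            (await fixture.Client.PutAsync("/api/account/SamCarter/category/Einnahmen/Aktien", null)).IsUnauthorized();
            (await fixture.Client.DeleteAsync("/api/account/Hans/category/Einnahmen/Aktien")).IsUnauthorized();
            (await fixture.Client.DeleteAsync("/api/account/Hans/category/Einnahmen")).IsUnauthorized();
            (await fixture.Client.DeleteAsync("/api/account/Hans/category/Schwarzgeld")).IsUnauthorized();
            (await fixture.Client.DeleteAsync("/api/account/JackONeil/category/Schwarzgeld")).IsUnauthorized();
        }

        // Test authenticated (as a user other than the account owner).
        await fixture.Login("Petra");
        await ExpectAllRejectedAsync();

        // Test unauthenticated.
        fixture.Logout();
        await ExpectAllRejectedAsync();
    }
}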
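/// <summary>
/// Chart endpoints of an account are served to the owner only: anonymous callers and another
/// authenticated user (Petra) get Unauthorized for all four charts. A request for a chart of an
/// account name not used elsewhere in the fixture (ColonelHogan) is expected to be Unauthorized
/// too, rather than NotFound.
/// </summary>
public async Task EnsureAccessIsVerifiedTest()
{
    using (var fixture = new GeldAppFixture())
    {
        // Issues the four chart requests against Hans' account and expects each to answer with `expected`.
        // A fresh query body is built for every POST, as in the original inline version.
        async Task ExpectChartsAsync(HttpStatusCode expected)
        {
            await fixture.ExpectGetAsync("/api/account/Hans/charts/month-by-category", expected);
            await fixture.ExpectGetAsync("/api/account/Hans/charts/expense-history", expected);
            await fixture.ExpectGetAsync("/api/account/Hans/charts/revenue-history", expected);
            await fixture.ExpectPostAsync("/api/account/Hans/charts/compare-category", new GetCompareCategoryChartQuery().AsContent(), expected);
        }

        // Unauthenticated.
        await ExpectChartsAsync(HttpStatusCode.Unauthorized);

        // Owner.
        await fixture.Login("Hans");
        await ExpectChartsAsync(HttpStatusCode.OK);
        fixture.Logout();

        // Another authenticated user.
        await fixture.Login("Petra");
        await ExpectChartsAsync(HttpStatusCode.Unauthorized);
        await fixture.ExpectGetAsync("/api/account/ColonelHogan/charts/revenue-history", HttpStatusCode.Unauthorized);
    }
}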
/// <summary>
/// Cross-account isolation for imported expenses. Data belonging to Hans must not be reachable
/// by Petra — not by a direct read, not through the "related expenses" lookup, not by linking
/// his ids through her own account, and not by creating an expense that claims to handle his
/// imported expense. Requests on Hans' account are Unauthorized; Hans' ids used via Petra's
/// account resolve to NotFound.
/// </summary>
public async Task EnsureThatExpensesFromOtherAccountsDoNotLeak()
{
    string RelatedExpensesUrl(string account, object importedExpenseId)
        => $"/api/account/{account}/expenses?relatedToImportedExpense={importedExpenseId}";

    string LinkUrl(string account, object importedExpenseId, object relatedExpenseId)
        => $"/api/account/{account}/import/link?importedExpenseId={importedExpenseId}&relatedExpenseId={relatedExpenseId}";

    using (var fixture = new GeldAppFixture())
    {
        await fixture.Login("Hans");

        // Hans imports a bank statement; the fixture CSV is expected to produce exactly one unhandled import.
        var statementBytes = File.ReadAllBytes("Import/dkb-import-test.csv");
        await fixture.PostFileAsync("/api/account/Hans/import/csv", "csvFile", "file.csv", statementBytes);
        var importedByHans = (await fixture.GetAsync<ImportedExpense[]>("/api/account/Hans/imports/unhandled")).Single();

        // An expense dated two days before the booking day — presumably inside the window the
        // relation lookup uses, since it is expected to be the single related hit below.
        await fixture.AddExpenseAsync("Hans", -12.34M, "Correct", "Subcategory",
            ex => ex.Date = importedByHans.BookingDay.AddDays(-2).Date);

        var hansRelated = await fixture.GetAsync<ExpenseViewModel[]>(RelatedExpensesUrl("Hans", importedByHans.Id));
        hansRelated.Should().HaveCount(1);
        var hansExpense = hansRelated.Single();
        hansExpense.CategoryName.Should().Be("Correct");

        // Switch to a different user.
        fixture.Logout();
        await fixture.Login("Petra");

        // Direct read of Hans' related expenses.
        await fixture.ExpectGetAsync(RelatedExpensesUrl("Hans", importedByHans.Id), HttpStatusCode.Unauthorized);

        // The same statement imported into Petra's account: the relation lookup must only
        // consider her own expenses, so Hans' matching expense must not show up.
        await fixture.PostFileAsync("/api/account/Petra/import/csv", "csvFile", "file.csv", statementBytes);
        var importedByPetra = (await fixture.GetAsync<ImportedExpense[]>("/api/account/Petra/imports/unhandled")).Single();
        var petraRelated = await fixture.GetAsync<ExpenseViewModel[]>(RelatedExpensesUrl("Petra", importedByPetra.Id));
        petraRelated.Should().BeEmpty();

        // Linking Hans' ids: rejected on his account, and not resolvable through Petra's own account.
        await fixture.ExpectPostAsync(LinkUrl("Hans", importedByHans.Id, hansExpense.Id), HttpStatusCode.Unauthorized);
        await fixture.ExpectPostAsync(LinkUrl("Petra", importedByHans.Id, hansExpense.Id), HttpStatusCode.NotFound);

        // Creating an expense that claims to handle Hans' imported expense.
        await fixture.ExpectAddExpenseAsync("Hans", 10, "Cat", "Sub",
            modCmd: cmd => cmd.HandlesImportedExpenseId = importedByHans.Id,
            expectedStatus: HttpStatusCode.Unauthorized);
        await fixture.ExpectAddExpenseAsync("Petra", 10, "Cat", "Sub",
            modCmd: cmd => cmd.HandlesImportedExpenseId = importedByHans.Id,
            expectedStatus: HttpStatusCode.NotFound);
    }
}