/// <summary>
/// Creates a user account by handing the request straight to the JavaScript proxy.
/// This wrapper performs no validation or authorization of its own, so any
/// privilege check on user creation must happen inside <c>javascriptProxy.CreateUser</c>
/// (NOTE(review): not visible here — confirm).
/// </summary>
/// <param name="newUser">Details of the account to create.</param>
/// <returns>The user id returned by the proxy.</returns>
public int CreateUser(NewUser newUser)
{
    var createdUserId = javascriptProxy.CreateUser(newUser);
    return createdUserId;
}
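/// <summary>
/// Role-based access checks for the user-management web methods: Readers may not read
/// other users, Anonymous callers may create an account but only with the default group,
/// only Admins may delete users, choose a group id on creation, or batch-create users.
/// </summary>
/// <remarks>
/// Every denied call must surface as a <see cref="SecurityException"/>; a silent no-op
/// would not satisfy these assertions. Accounts created by the test are deleted again
/// under the Admin principal. The thread principal is left set to Admin when the method
/// returns — NOTE(review): confirm a fixture teardown resets it, otherwise later tests
/// in the same thread inherit admin rights.
/// </remarks>
public void RBAC_UserCreation()
{
    // Readers cannot get users
    AssertDeniedFor(UserGroup.Reader, () => tmWebServices.GetUser_byID(111111111), "Reader: GetUser_byID");

    // Anonymous can create users
    UserGroup.Anonymous.setThreadPrincipalWithRoles();
    var newUser = new NewUser();
    newUser.username = "******".add_RandomLetters(4);
    var userId = tmWebServices.CreateUser(newUser);
    Assert.That(userId > 0, "Anonymous: CreateUser");

    // confirm that new user role is 2 (Reader); AreEqual takes (expected, actual)
    UserGroup.Admin.setThreadPrincipalWithRoles();
    var user = tmWebServices.GetUser_byID(userId);
    Assert.AreEqual(2, user.GroupID, "Anonymous created user: group id");

    // only admins can delete user
    AssertDeniedFor(UserGroup.Anonymous, () => tmWebServices.DeleteUser(userId), "Anonymous: DeleteUser");
    AssertDeniedFor(UserGroup.Reader, () => tmWebServices.DeleteUser(userId), "Reader : DeleteUser");
    AssertDeniedFor(UserGroup.Editor, () => tmWebServices.DeleteUser(userId), "Editor : DeleteUser");
    UserGroup.Admin.setThreadPrincipalWithRoles();
    Assert.DoesNotThrow(() => tmWebServices.DeleteUser(userId), "Admin : DeleteUser");

    // check that only admins can create users with GroupId specified
    userId = 0;
    newUser = new NewUser();
    newUser.username = "******".add_RandomLetters(4);
    newUser.groupId = 10;
    AssertDeniedFor(UserGroup.Anonymous, () => tmWebServices.CreateUser(newUser), "Anonnymous: CreateUser with groupd ID");
    AssertDeniedFor(UserGroup.Reader, () => tmWebServices.CreateUser(newUser), "Reader : CreateUser with groupd ID");
    AssertDeniedFor(UserGroup.Editor, () => tmWebServices.CreateUser(newUser), "Editor : CreateUser with groupd ID");
    UserGroup.Admin.setThreadPrincipalWithRoles();
    Assert.DoesNotThrow(() => userId = tmWebServices.CreateUser(newUser), "Admin : CreateUser with groupd ID");
    Assert.That(userId > 0, "Admin: CreateUser with groupID");
    user = tmWebServices.GetUser_byID(userId);
    Assert.AreEqual(10, user.GroupID, "Admin created user: group id");
    tmWebServices.DeleteUser(userId);

    // check that only admins can call BatchUserCreation
    var batchUserCreation = "";
    AssertDeniedFor(UserGroup.Anonymous, () => tmWebServices.BatchUserCreation(batchUserCreation), "Anonymous: BatchUserCreation");
    AssertDeniedFor(UserGroup.Reader, () => tmWebServices.BatchUserCreation(batchUserCreation), "Reader : BatchUserCreation");
    AssertDeniedFor(UserGroup.Editor, () => tmWebServices.BatchUserCreation(batchUserCreation), "Editor : BatchUserCreation");
    UserGroup.Admin.setThreadPrincipalWithRoles();
    Assert.DoesNotThrow(() => tmWebServices.BatchUserCreation(batchUserCreation), "Admin : BatchUserCreation");
}

/// <summary>
/// Sets the thread principal to <paramref name="role"/> and asserts that
/// <paramref name="action"/> is rejected with a <see cref="SecurityException"/>.
/// </summary>
/// <param name="role">The principal to run the call under.</param>
/// <param name="action">The web-method call that must be denied.</param>
/// <param name="message">Assertion message identifying the role/call pair.</param>
private static void AssertDeniedFor(UserGroup role, Action action, string message)
{
    role.setThreadPrincipalWithRoles();
    Assert.Throws<SecurityException>(() => action(), message);
}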
//******** javascriptProxy User Management no admin privs needed

/// <summary>
/// Web-exposed user creation. The call is delegated unchanged to the JavaScript proxy;
/// no privilege check is made in this method. The RBAC test on this page expects an
/// anonymous caller to be able to create an account but not to choose its group id, so
/// that restriction presumably lives in <c>javascriptProxy.CreateUser</c> — confirm.
/// </summary>
/// <param name="newUser">Details of the account to create.</param>
/// <returns>The user id returned by the proxy.</returns>
[WebMethod(EnableSession = true)]
public int CreateUser(NewUser newUser)
{
    var createdUserId = javascriptProxy.CreateUser(newUser);
    return createdUserId;
}