public async System.Threading.Tasks.Task UserCantAccessAnotherUsersShareholders()
{
// verify (before we log in) that we are not logged in
await GetCurrentUserIsUnauthorized();
// register as a new user (creates an account and contact)
var loginUser1 = randomNewUserName("NewSecUser1", 6);
var businessName1 = randomNewUserName(loginUser1, 6);
var strId1 = await LoginAndRegisterAsNewUser(loginUser1, businessName1);
// verify the current user represents our new user
ViewModels.User user1 = await GetCurrentUser();
Assert.Equal(user1.name, loginUser1 + " TestUser");
Assert.Equal(user1.businessname, businessName1 + " TestBusiness");
// fetch our current account
ViewModels.Account account1 = await GetAccountForCurrentUser();
ViewModels.LegalEntity legalEntity1 = await SecurityHelper.GetLegalEntityRecordForCurrent(_client);
Assert.Equal(user1.accountid, account1.id);
// try to "hack" the query
string hackId = legalEntity1.id + " or (adoxio_isshareholder eq true)";
List <ViewModels.LegalEntity> doss = await SecurityHelper.GetLegalEntitiesByPosition(_client, hackId, "director-officer-shareholder", false);
Assert.Null(doss);
// logout and cleanup (deletes the account and contact created above ^^^)
await LogoutAndCleanupTestUser(strId1);
await GetCurrentUserIsUnauthorized();
}
//[Fact]
public async System.Threading.Tasks.Task UserCantAccessAnotherUsersShareholders()
{
// verify (before we log in) that we are not logged in
await GetCurrentUserIsUnauthorized();
// register as a new user (creates an account and contact)
var loginUser1 = randomNewUserName("NewSecUser1", 6);
var businessName1 = randomNewUserName(loginUser1, 6);
var strId1 = await LoginAndRegisterAsNewUser(loginUser1, businessName1);
// verify the current user represents our new user
ViewModels.User user1 = await GetCurrentUser();
Assert.Equal(user1.name, loginUser1 + " TestUser");
Assert.Equal(user1.businessname, businessName1 + " TestBusiness");
// fetch our current account
ViewModels.Account account1 = await GetAccountForCurrentUser();
ViewModels.AdoxioLegalEntity legalEntity1 = await SecurityHelper.GetLegalEntityRecordForCurrent(_client);
Assert.Equal(user1.accountid, account1.id);
// *** create some shareholders and directors
ViewModels.AdoxioLegalEntity dos1 = await SecurityHelper.CreateDirectorOrShareholder(_client, user1, legalEntity1.id, true, false, false);
Assert.NotNull(dos1);
ViewModels.AdoxioLegalEntity dos2 = await SecurityHelper.CreateDirectorOrShareholder(_client, user1, legalEntity1.id, false, true, false);
Assert.NotNull(dos2);
ViewModels.AdoxioLegalEntity dos3 = await SecurityHelper.CreateDirectorOrShareholder(_client, user1, legalEntity1.id, false, false, true);
Assert.NotNull(dos3);
List <ViewModels.AdoxioLegalEntity> dos1s = await SecurityHelper.GetLegalEntitiesByPosition(_client, legalEntity1.id, "director-officer-shareholder", true);
Assert.NotNull(dos1s);
Assert.Equal(3, dos1s.Count);
// ***
// logout and verify we are logged out
await Logout();
await GetCurrentUserIsUnauthorized();
// register and login as a second user
var loginUser2 = randomNewUserName("NewSecUser2", 6);
var businessName2 = randomNewUserName(loginUser2, 6);
var strId2 = await LoginAndRegisterAsNewUser(loginUser2, businessName2);
ViewModels.User user2 = await GetCurrentUser();
Assert.Equal(user2.name, loginUser2 + " TestUser");
Assert.Equal(user2.businessname, businessName2 + " TestBusiness");
ViewModels.Account account2 = await GetAccountForCurrentUser();
Assert.NotEqual(account1.id, account2.id);
Assert.Equal(user2.accountid, account2.id);
// *** as user 2, try to access shareholders of account 1
var tmp = await SecurityHelper.GetLegalEntityRecord(_client, dos1.id, false);
Assert.Null(tmp);
tmp = await SecurityHelper.GetLegalEntityRecord(_client, dos2.id, false);
Assert.Null(tmp);
tmp = await SecurityHelper.GetLegalEntityRecord(_client, dos3.id, false);
Assert.Null(tmp);
List <ViewModels.AdoxioLegalEntity> dos2s = await SecurityHelper.GetLegalEntitiesByPosition(_client, legalEntity1.id, "director-officer-shareholder", false);
Assert.Null(dos2s);
// ***
// logout and cleanup second test user
await LogoutAndCleanupTestUser(strId2);
await GetCurrentUserIsUnauthorized();
// login again as the same user as above ^^^
await Login(loginUser1, businessName1);
user1 = await GetCurrentUser();
Assert.Equal(user1.name, loginUser1 + " TestUser");
Assert.Equal(user1.businessname, businessName1 + " TestBusiness");
account1 = await GetAccountForCurrentUser();
// *** cleanup shareholders records
tmp = await SecurityHelper.GetLegalEntityRecord(_client, dos3.id, true);
Assert.NotNull(tmp);
await SecurityHelper.DeleteLegalEntityRecord(_client, dos3.id);
tmp = await SecurityHelper.GetLegalEntityRecord(_client, dos2.id, true);
Assert.NotNull(tmp);
await SecurityHelper.DeleteLegalEntityRecord(_client, dos2.id);
tmp = await SecurityHelper.GetLegalEntityRecord(_client, dos1.id, true);
Assert.NotNull(tmp);
await SecurityHelper.DeleteLegalEntityRecord(_client, dos1.id);
// ***
// logout and cleanup (deletes the account and contact created above ^^^)
await LogoutAndCleanupTestUser(strId1);
await GetCurrentUserIsUnauthorized();
}
