AuthRedirectTest.php
<?php
namespace Tests\CP;
use Illuminate\Support\Facades\Route;
use PHPUnit\Framework\Attributes\Test;
use Statamic\Exceptions\AuthorizationException;
use Statamic\Facades\User;
use Statamic\Statamic;
use Tests\Auth\Eloquent\User as EloquentUser;
use Tests\FakesRoles;
use Tests\PreventSavingStacheItemsToDisk;
use Tests\TestCase;
/**
 * Pins where the control panel (CP) sends a user after an authorization failure.
 *
 * The redirect target is derived partly from the request's referrer, which the
 * client controls. These tests fix the expected fallbacks so that a denied
 * request cannot be bounced to an arbitrary location.
 */
class AuthRedirectTest extends TestCase
{
    use FakesRoles;
    use PreventSavingStacheItemsToDisk;

    /**
     * Adds a CP route, requested below as /cp/hammertime, whose handler always
     * throws an AuthorizationException, so every test has a deterministic
     * "denied" endpoint to hit.
     */
    protected function resolveApplicationConfiguration($app)
    {
        parent::resolveApplicationConfiguration($app);

        Statamic::pushCpRoutes(function () {
            Route::get('hammertime', fn () => throw new AuthorizationException("Can't touch this."));
        });
    }

    /**
     * Registers the given fake roles, then creates and saves a user assigned
     * to $assignedRole.
     *
     * @param  array  $roles  Role handle => list of permissions, passed to setTestRoles().
     * @param  string  $assignedRole  Handle of the role given to the new user.
     */
    private function savedUserWithRole(array $roles, string $assignedRole)
    {
        $this->setTestRoles($roles);

        $account = User::make()->assignRole($assignedRole);
        $account->save();

        return $account;
    }

    #[Test]
    public function it_redirects_back_to_referrer()
    {
        $account = $this->savedUserWithRole(['test' => ['access cp']], 'test');

        // A same-site referrer is honoured: the user lands back where they came from.
        $response = $this->actingAs($account)->from('/original')->get('/cp/hammertime');

        $response->assertRedirect('/original');
        $response->assertSessionHas(['error' => "Can't touch this."]);
    }

    #[Test]
    public function it_redirects_to_cp_index_without_referrer()
    {
        $account = $this->savedUserWithRole(['test' => ['access cp']], 'test');

        // No referrer at all: the CP index is the fallback.
        $response = $this->actingAs($account)->get('/cp/hammertime');

        $response->assertRedirect(cp_route('index'));
        $response->assertSessionHas(['error' => "Can't touch this."]);
    }

    #[Test]
    public function it_redirects_somewhere_if_the_referrer_was_the_login_page()
    {
        $account = $this->savedUserWithRole(['test' => ['access cp']], 'test');

        // The login page is not accepted as a return target; the CP index is used.
        // Presumably this avoids sending an already-authenticated user back to login.
        $response = $this->actingAs($account)->from(cp_route('login'))->get('/cp/hammertime');

        $response->assertRedirect(cp_route('index'));
        $response->assertSessionHas(['error' => "Can't touch this."]);
    }

    #[Test]
    public function it_does_not_redirect_to_external_referrer()
    {
        $account = $this->savedUserWithRole(['test' => ['access cp']], 'test');

        // Open-redirect guard: the Referer header is supplied by the client, so an
        // off-site value must not become the redirect target. The CP index is
        // expected instead.
        // Coverage note: only an absolute https URL on another host is exercised
        // here; other off-site referrer shapes are not covered by this test.
        $response = $this
            ->actingAs($account)
            ->withHeaders(['referer' => 'https://external.com'])
            ->get('/cp/hammertime');

        $response->assertRedirect(cp_route('index'));
        $response->assertSessionHas(['error' => "Can't touch this."]);
    }

    #[Test]
    public function it_redirects_to_unauthorized_view_if_there_would_be_a_redirect_loop()
    {
        // NOTE(review): the role registered here is 'undashboardable' but the user is
        // assigned 'draft_viewer', which this test does not define. Presumably the
        // intent is a user without effective CP access; confirm the mismatch is
        // deliberate.
        $account = $this->savedUserWithRole(['undashboardable' => ['access cp']], 'draft_viewer');

        // The denied request is for /cp itself, so it is sent to the dedicated
        // unauthorized page instead.
        $response = $this->actingAs($account)->get('/cp');

        $response->assertRedirect(cp_route('unauthorized'));
        $response->assertSessionHas(['error' => 'Unauthorized.']);
    }

    #[Test]
    public function it_redirects_to_login_when_authenticated_user_is_not_a_statamic_user()
    {
        // An Eloquent user that is authenticated but is not a Statamic user is
        // sent to the CP login page.
        $outsider = EloquentUser::make();

        $response = $this->actingAs($outsider)->get('/cp');

        $response->assertRedirect(cp_route('login'));
    }
}