
Commit 1ac0bca

author
Teddy Roncin
committed
✅ (/users routes) Added tests for parameter name. Added tests for invalid parameter values
Added a test for the name parameter. Added some tests to verify the API responds correctly when an invalid value is passed to the parameters. Updated the testUEParameter test. Added parameter $flush to EtuUTTApiTestCase::createUser (defaults to false) to avoid the changes being sent to the database (the new entity is still persisted)
1 parent 8530e24 commit 1ac0bca

2 files changed

+186
-19
lines changed


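--- a/tests/EtuUTTApiTestCase.php
+++ b/tests/EtuUTTApiTestCase.php
@@ -114,15 +114,17 @@ protected function loadFixtures(Fixture ...$fixtures)
 }
 }
 
-protected function createUser(string $firstName, string $lastName, string $login, ?string $role = 'ROLE_USER'): User
+protected function createUser(string $firstName, string $lastName, string $login, ?string $role = 'ROLE_USER', bool $flush = true): User
 {
 $user = new User();
 $user->setFirstName($firstName);
 $user->setLastName($lastName);
 $user->setLogin($login);
 $user->addRole($role);
 $this->em->persist($user);
-$this->em->flush();
+if ($flush) {
+$this->em->flush();
+}
 
 return $user;
 }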
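Review bot: The new `$flush` parameter at line 117 defaults to `true`, but the commit description says it defaults to false; the signature is the safer one since every existing caller relies on the flush, so the description should be corrected rather than the code. The parameter's effect is not visible from the signature, so a docblock line would help callers, e.g. `@param bool $flush when false the user is only persisted and the caller is responsible for flushing`. Nothing in this hunk documents that an unflushed user has no database identity yet, which is what the commented-out flush in tests/Users/GetUsers.php runs into.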

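--- a/tests/Users/GetUsers.php
+++ b/tests/Users/GetUsers.php
@@ -8,6 +8,7 @@
 use App\DataFixtures\UserSeeder;
 use App\Entity\User;
 use App\Entity\UserBranche;
+use App\Entity\UserUESubscription;
 use App\Tests\EtuUTTApiTestCase;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -223,29 +224,56 @@ public function testSemesterParameter(): void
 static::assertSame('/users?branche.semesterNumber='.$semester, $response->{'hydra:view'}->{'@id'});
 }
 
-public function testUEArrayParameterOneValue(): void
+public function testUEParameter(): void
 {
 $this->loadFixtures(new UserSeeder(4), new UESeeder());
 $client = static::createClient();
 $client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
-$ue = $this->em->getRepository(User::class)->findBy([], limit: 1, offset: 3)[0]
-->getUEsSubscriptions()[0]
-->getUE()
-->getCode()
-;
+$ueSubscriptions = $this->em->getRepository(User::class)->findBy([], limit: 1, offset: 3)[0]->getUEsSubscriptions();
+$ues = [$ueSubscriptions[0]->getUE(), $ueSubscriptions[1]->getUE()];
+
+// Create two users : one with the first UE and one with the second UE
+$otherUserWithFirstUE = $this->createUser('first', 'ue', 'firstue', flush: false);
+$otherUserWithSecondUE = $this->createUser('second', 'ue', 'secondue', flush: false);
+
+// Create first user's UE subscription
+$firstUESubscription = new UserUESubscription();
+$firstUESubscription->setUE($ues[0]);
+
+// Create second user's UE subscription
+$secondUESubscription = new UserUESubscription();
+$secondUESubscription->setUE($ues[1]);
+
+// Bind the subscriptions to the users
+$otherUserWithFirstUE->addUEsSubscription($firstUESubscription);
+$otherUserWithSecondUE->addUEsSubscription($secondUESubscription);
+
+// Update the database
+$this->em->persist($firstUESubscription);
+$this->em->persist($secondUESubscription);
+// TODO : fix the error that occurs when uncommenting this line (Doctrine\ORM\EntityNotFoundException: Unable to find "Proxies\__CG__\App\Entity\UE" entity identifier associated with the UnitOfWork)
+// $this->em->flush();
+
+// Fetching all users with those two UEs (this should be of size 1 in most cases)
 $users = $this->em->createQueryBuilder()
 ->select('user')
 ->from(User::class, 'user')
-->innerJoin('user.UEsSubscriptions', 'subscription')
-->innerJoin('subscription.UE', 'ue')
-->where('ue.code = :ue')
-->setParameter('ue', $ue)
+->innerJoin('user.UEsSubscriptions', 'subscription1')
+->innerJoin('user.UEsSubscriptions', 'subscription2')
+->innerJoin('subscription1.UE', 'ue1')
+->innerJoin('subscription2.UE', 'ue2')
+->where('ue1.code = :ue1')
+->andWhere('ue2.code = :ue2')
+->setParameter('ue1', $ues[0]->getCode())
+->setParameter('ue2', $ues[1]->getCode())
 ->orderBy('user.lastName', 'ASC')
 ->addOrderBy('user.firstName', 'ASC')
 ->getQuery()
 ->getResult()
 ;
-$crawler = $client->request('GET', '/users?ue[]='.$ue);
+
+// Test route
+$crawler = $client->request('GET', '/users?ue[]='.$ues[0]->getCode().'&ue[]='.$ues[1]->getCode());
 $response = json_decode($crawler->getContent());
 $this->assertResponseStatusCodeSame(Response::HTTP_OK);
 static::assertIsArray($response->{'hydra:member'});
@@ -254,30 +282,167 @@ public function testUEArrayParameterOneValue(): void
 static::assertSameUserReadSome($user, $response->{'hydra:member'}[$i]);
 }
 static::assertSame(\count($users), $response->{'hydra:totalItems'});
-static::assertSame('/users?ue%5B%5D='.$ue, $response->{'hydra:view'}->{'@id'});
+static::assertSame('/users?ue%5B%5D='.$ues[0]->getCode().'&ue%5B%5D='.$ues[1]->getCode(), $response->{'hydra:view'}->{'@id'});
 }
 
-public function testOutOfRangeParameters(): void
+public function testNameParameter(): void
 {
+$this->loadFixtures(new UserSeeder(4), new UserInfoVisibilitySeeder());
 $client = static::createClient();
 $client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+$user = $this->em->getRepository(User::class)->findBy([], limit: 1, offset: 3)[0];
+$namesToCheck = [$user->getFirstName(), $user->getLastName(), $user->getInfos()->getNickname()];
+foreach ($namesToCheck as $name) {
+$expected = $this->em->createQueryBuilder()
+->select('user')
+->from(User::class, 'user')
+->join('user.infos', 'info')
+->where("user.lastName LIKE '%{$name}%'")
+->orWhere("user.firstName LIKE '%{$name}%'")
+->orWhere("info.nickname LIKE '%{$name}%'")
+->orderBy('user.lastName', 'ASC')
+->addOrderBy('user.firstName', 'ASC')
+->getQuery()
+->getResult()
+;
+$crawler = $client->request('GET', '/users?name='.$name);
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertIsArray($response->{'hydra:member'});
+static::assertSameSize($expected, $response->{'hydra:member'});
+foreach ($expected as $i => $user) {
+static::assertSameUserReadSome($user, $response->{'hydra:member'}[$i]);
+}
+static::assertSame(\count($expected), $response->{'hydra:totalItems'});
+static::assertSame('/users?name='.rawurlencode($name), $response->{'hydra:view'}->{'@id'});
+}
+}
+
+public function testWrongPageParameterValues(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// page is too small
 $client->request('GET', '/users?page=0');
 $this->assertResponseStatusCodeSame(Response::HTTP_BAD_REQUEST);
+// page is too big
 $crawler = $client->request('GET', '/users?page=2');
 $response = json_decode($crawler->getContent());
 $this->assertResponseStatusCodeSame(Response::HTTP_OK);
 static::assertEmpty($response->{'hydra:member'});
+// page is not an integer
+$crawler = $client->request('GET', '/users?page=2.5');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+// page is not a number
+$client->request('GET', '/users?page=abc');
+$this->assertResponseStatusCodeSame(Response::HTTP_BAD_REQUEST);
 }
 
-public function testWrongTypeParameter(): void
+public function testWrongStudentIdParameterValues(): void
 {
 $client = static::createClient();
 $client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
-$crawler = $client->request('GET', '/users?page=2.5');
+// studentId is too big : argument should be skipped and return everything
+$crawler = $client->request('GET', '/users?studentId=999999999999999999999999999999999999999');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertCount(1, $response->{'hydra:member'});
+// studentId is not an integer : argument should be skipped and return everything
+$crawler = $client->request('GET', '/users?studentId=2.5');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertCount(1, $response->{'hydra:member'});
+// studentId is not a number : argument should be skipped and return everything
+$client->request('GET', '/users?studentId=abc');
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertCount(1, $response->{'hydra:member'});
+}
+
+public function testWrongMailPersonalParameterValues(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// sql injection
+$crawler = $client->request('GET', '/users?mailsPhones.mailPersonal="');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+$crawler = $client->request('GET', "/users?mailsPhones.mailPersonal='");
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+}
+
+public function testWrongPhoneNumberParameterValues(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// sql injection
+$crawler = $client->request('GET', '/users?mailsPhones.phoneNumber="');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+$crawler = $client->request('GET', "/users?mailsPhones.phoneNumber='");
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+}
+
+public function testWrongBrancheParameterValues(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// sql injection
+$crawler = $client->request('GET', '/users?branche.branche.code="');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+$crawler = $client->request('GET', "/users?branche.branche.code='");
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+}
+
+public function testWrongFiliereParameterValues(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// sql injection
+$crawler = $client->request('GET', '/users?branche.filiere.code="');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+$crawler = $client->request('GET', "/users?branche.filiere.code='");
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+}
+
+public function testWrongUEParameterValues(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// sql injection
+$crawler = $client->request('GET', '/users?ue[]="&ue[]=\'');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+}
+
+public function testWrongNameParameterValue(): void
+{
+$client = static::createClient();
+$client->setDefaultOptions(['headers' => ['CAS-LOGIN' => 'test']]);
+// sql injection
+$crawler = $client->request('GET', '/users?name="');
+$response = json_decode($crawler->getContent());
+$this->assertResponseStatusCodeSame(Response::HTTP_OK);
+static::assertEmpty($response->{'hydra:member'});
+$crawler = $client->request('GET', "/users?name='");
 $response = json_decode($crawler->getContent());
 $this->assertResponseStatusCodeSame(Response::HTTP_OK);
 static::assertEmpty($response->{'hydra:member'});
-$client->request('GET', '/users?page=abc');
-$this->assertResponseStatusCodeSame(Response::HTTP_BAD_REQUEST);
 }
 }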
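Review bot: In the third hunk, testNameParameter builds its reference query by interpolating `$name` straight into the DQL string literal (`"user.lastName LIKE '%{$name}%'"` and the two `orWhere` lines that follow), so the "expected" side of the test is itself unparameterised and will throw a DQL syntax error or silently match the wrong rows as soon as a seeded first name, last name or nickname contains a quote or `%` — the very inputs the testWrong*ParameterValues tests further down send to the API. Bind one named parameter instead and reuse it in the three clauses, and send the request with `rawurlencode($name)` so the URL matches the `hydra:view` assertion that already expects the encoded form. Separately, the inner `foreach ($expected as $i => $user)` shadows the outer `$user` fetched from the repository; renaming it to `$expectedUser` avoids the confusion. In testUEParameter the flush stays commented out with a TODO, so the two users created with `flush: false` never reach the database and the two-UE filter is only exercised against seeded data; the comment "this should be of size 1 in most cases" should say that explicitly until the TODO is resolved.
```php
$expected = $this->em->createQueryBuilder()
    // … unchanged: select / from / join …
    ->where('user.lastName LIKE :pattern')
    ->orWhere('user.firstName LIKE :pattern')
    ->orWhere('info.nickname LIKE :pattern')
    ->setParameter('pattern', '%'.$name.'%')
    // … unchanged: orderBy / addOrderBy / getQuery / getResult …
;
$crawler = $client->request('GET', '/users?name='.rawurlencode($name));
```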
