From 8582844f27e0ff56a419c4f859f367eb6d38532c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomo=20=C5=A0ala?=
Date: Sun, 24 Dec 2017 18:13:26 +0100
Subject: [PATCH 1/3] Restrict access to registration page

Only administrators can register new users with the system. Minimal authorization level needed for accessing registration pages is ROLE_ADMIN.
---
 config/packages/security.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 3b64ebd..f776b3a 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -34,6 +34,6 @@ security:
     access_control:
         - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
-        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/register, role: ROLE_ADMIN }
         - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/admin/, role: ROLE_ADMIN }
\ No newline at end of file

From 267ca98ee0e0d5a0a525503c8edfc89012ad623b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomo=20=C5=A0ala?=
Date: Sun, 24 Dec 2017 18:30:08 +0100
Subject: [PATCH 2/3] Modify tests for accessing registration page

Considerig that since commit fa31cfe1ee9a only users with at least ROLE_ADMIN authorization level can access the registration page, tests needed to be changed in order to reflect this new state. This will modify the tests for accessing registration page, implementing new steps to handle different users trying to gain access to registration page.
---
 features/bootstrap/FOSWebContext.php     | 68 ++++++++++++++++++++++++
 features/fos_user/0-register-web.feature | 20 ++++---
 2 files changed, 77 insertions(+), 11 deletions(-)

diff --git a/features/bootstrap/FOSWebContext.php b/features/bootstrap/FOSWebContext.php
index bb92bf2..3bacae7 100644
--- a/features/bootstrap/FOSWebContext.php
+++ b/features/bootstrap/FOSWebContext.php
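Review bot: The new `^/register` rule is unanchored, so it also covers every URL underneath it, including the post-registration pages the removed scenario in 0-register-web.feature visited (`/register/confirmed`). That removed scenario shows the registrant being logged in automatically on the confirmed page, so if that behaviour is unchanged the admin who submits the form ends up in the new, non-admin user's session and is bounced from `/register/confirmed` to the login form. If admin-only access to the form itself is the intent, consider tightening the pattern to the form route (`- { path: ^/register/?$, role: ROLE_ADMIN }`) and deciding explicitly which confirmation routes stay reachable. A one-line comment above the rule stating the policy (`# registration is admin-only; self-service sign-up is disabled`) would also spare the next reader a trip to the commit log, and since access_control is first-match the rule must stay ahead of any broader anonymous rule.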
@@ -3,8 +3,13 @@
 declare(strict_types=1);
 use Behat\Behat\Context\Context;
+use Behat\Mink\Driver\BrowserKitDriver;
+use Behat\Mink\Exception\UnsupportedDriverActionException;
 use Behat\MinkExtension\Context\MinkContext;
+use Symfony\Component\BrowserKit\Cookie;
 use Symfony\Component\HttpKernel\KernelInterface;
+use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 class FOSWebContext extends MinkContext implements Context
 {
@@ -40,4 +45,67 @@ protected function getService(string $name)
     {
         return $this->kernel->getContainer()->get($name);
     }
+
+    /**
+     * @Given I am not logged in
+     */
+    public function iAmNotLoggedIn()
+    {
+        $driver = $this->getSession()->getDriver();
+        if (!$driver instanceof BrowserKitDriver) {
+            throw new UnsupportedDriverActionException('This step is only supported by the BrowserKitDriver', $driver);
+        }
+
+        /** @var \Symfony\Bundle\FrameworkBundle\Client $client */
+        $client = $driver->getClient();
+
+        $client->getCookieJar()->set(new Cookie(session_name(), 'anon_user_not_logged_in'));
+
+        /** @var Symfony\Component\HttpFoundation\Session\Session $session */
+        $session = $this->getService('session');
+
+        $providerKey = $this->kernel->getContainer()->getParameter('fos_user.firewall_name');
+
+        $token = new AnonymousToken('$3cr37', 'anon', []);
+        $session->set('_security_'.$providerKey, serialize($token));
+        $session->save();
+
+        $cookie = new Cookie($session->getName(), $session->getId());
+        $client->getCookieJar()->set($cookie);
+    }
+
+    /**
+     * @Given I am authorized with :accessRole
+     */
+    public function iAmAuthorizedWith($accessRole)
+    {
+        $driver = $this->getSession()->getDriver();
+        if (!$driver instanceof BrowserKitDriver) {
+            throw new UnsupportedDriverActionException('This step is only supported by the BrowserKitDriver', $driver);
+        }
+
+        /** @var \Symfony\Bundle\FrameworkBundle\Client $client */
+        $client = $driver->getClient();
+
+        /** @var Symfony\Component\HttpFoundation\Session\Session $session */
+        $session = $this->getService('session');
+
+// clear residual session data from any previous scenarios
+        $session->clear();
+
+        $providerKey = $this->kernel->getContainer()->getParameter('fos_user.firewall_name');
+
+        /** @var \FOS\UserBundle\Doctrine\UserManager $fosUserManager */
+        $fosUserManager = $this->getService('fos_user.user_manager');
+
+        $user = $fosUserManager->findUserByUsername('admin');
+
+        $token = new UsernamePasswordToken($user, $user->getPassword(), $providerKey, [$accessRole]);
+
+        $session->set('_security_'.$providerKey, serialize($token));
+        $session->save();
+
+        $cookie = new Cookie($session->getName(), $session->getId());
+        $client->getCookieJar()->set($cookie);
+    }
 }
diff --git a/features/fos_user/0-register-web.feature b/features/fos_user/0-register-web.feature
index 7cac774..95a67ea 100644
--- a/features/fos_user/0-register-web.feature
+++ b/features/fos_user/0-register-web.feature
@@ -4,14 +4,12 @@ Feature: Register new administrator
   As the system administrator
   I need to be able to register with the site
-  Scenario: As an ordinary visitor, I should be able to register with the site
-    Given there is no user with username "admin.primus"
-    And I am on "/register/"
-    When I fill in "fos_user_registration_form[email]" with "admin@prim.us"
-    And I fill in "fos_user_registration_form[username]" with "admin.primus"
-    And I fill in "fos_user_registration_form[plainPassword][first]" with "12345"
-    And I fill in "fos_user_registration_form[plainPassword][second]" with "12345"
-    And I press "Register"
-    Then I should be on "/register/confirmed"
-    And I should see text matching "Logged in as admin.primus"
-    And I should see text matching "Congrats admin.primus, your account is now activated."
\ No newline at end of file
+  Scenario: As an ordinary visitor, I should not be able to access the registration page
+    Given I am not logged in
+    And I visit "/register/"
+    Then I should be on "/login"
+
+  Scenario: As a system administrator, I should be able to access the registration page
+    Given I am authorized with ROLE_ADMIN
+    And I visit "/register/"
+    Then I should be on "/register/"
\ No newline at end of file

From d0ccf88511cdb7412638ce970321b1abf68fd75f Mon Sep 17 00:00:00 2001
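Review bot: `iAmAuthorizedWith()` dereferences the result of `findUserByUsername('admin')` without a null check, so a missing fixture user surfaces as a fatal on `$user->getPassword()` instead of a readable step failure; guard it before building the token. The token is also built with `[$accessRole]` rather than `$user->getRoles()`, which is fine for exercising the access_control rule but deserves a comment so nobody reads the step as "log in as this user". Both steps lack parameter and return types although the file declares `strict_types=1` (`public function iAmAuthorizedWith(string $accessRole): void`, `public function iAmNotLoggedIn(): void`), and the column-0 `// clear residual session data` comment should be indented with the statement it describes. The driver check, client/session lookup, `_security_` session write and cookie seeding are duplicated verbatim between the two steps; a private helper that accepts the token would remove most of it. In `iAmNotLoggedIn()` the first `$client->getCookieJar()->set(new Cookie(session_name(), 'anon_user_not_logged_in'))` is overwritten by the second `set()` a few lines later and can go, and the `'$3cr37'` passed to `AnonymousToken` presumably has to match the firewall's anonymous secret for the token to survive a request, so a comment saying where that value comes from would help.
```php
    public function iAmAuthorizedWith(string $accessRole): void
    {
        // … unchanged: driver check, client/session lookup, session clear, provider key, user manager …
        $user = $fosUserManager->findUserByUsername('admin');
        if (null === $user) {
            throw new \RuntimeException('Fixture user "admin" not found; load the user fixtures before this step');
        }

        // The token carries the role asserted by the step, not $user->getRoles(),
        // so the scenario exercises the access_control rule for $accessRole directly.
        $token = new UsernamePasswordToken($user, $user->getPassword(), $providerKey, [$accessRole]);
        // … unchanged: session set/save, cookie …
    }
```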
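Review bot: The replacement scenarios only assert the final URL, and nothing now exercises the registration form end-to-end: the deleted scenario was the only one that filled in `fos_user_registration_form[*]` and checked the confirmed page, so an admin who can reach `/register/` but cannot submit it would go unnoticed; consider re-adding that flow behind `Given I am authorized with ROLE_ADMIN`. The new `I am authorized with :accessRole` step takes a role precisely so authenticated non-admins can be tested, yet no scenario uses it with one, and the anonymous redirect case does not cover that path. A third scenario (`Given I am authorized with ROLE_USER` / `And I visit "/register/"` / `Then the response status code should be 403`) would pin the denial for logged-in non-admins. The exact status for an authenticated-but-unauthorized request depends on the firewall's access-denied handling, so confirm 403 against the app before wiring it in.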
From: =?UTF-8?q?Tomo=20=C5=A0ala?=
Date: Sun, 24 Dec 2017 20:43:17 +0100
Subject: [PATCH 3/3] Use new login credentials for admins

This commit will resolve two problems:
1. Use valid login credential for admin
2. Remove execution order dependency for fos:user tests

Because only administrators can have accounts on our application, we can use an admin account to test login and profile page accessibility. Since we've added an admin user to data fixtures, we can now use that data in fos:user tests for login/profile/logout, and remove the ordering dependency between features (up until now we had to run registration scenarios first, and only then could we run login/profile and logout scenarios).
---
 features/fos_user/1-login-web.feature  | 8 ++++----
 features/fos_user/2-logout-web.feature | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/features/fos_user/1-login-web.feature b/features/fos_user/1-login-web.feature
index ab0de55..5076964 100644
--- a/features/fos_user/1-login-web.feature
+++ b/features/fos_user/1-login-web.feature
@@ -6,10 +6,10 @@ Feature: Show registered user their profile page
   Scenario: As a registered user, I need to log in to see my profile page
     Given I am on "/login"
-    And I fill in "_username" with "admin.primus"
-    And I fill in "_password" with "12345"
+    And I fill in "_username" with "admin"
+    And I fill in "_password" with "admin"
     And I press "Log in"
     Then I should be on "/"
     And I visit "/profile"
-    And I should see text matching "Logged in as admin.primus"
-    And I should see text matching "Username: admin.primus"
\ No newline at end of file
+    And I should see text matching "Logged in as admin"
+    And I should see text matching "Username: admin"
\ No newline at end of file
diff --git a/features/fos_user/2-logout-web.feature b/features/fos_user/2-logout-web.feature
index 8378627..768f959 100644
--- a/features/fos_user/2-logout-web.feature
+++ b/features/fos_user/2-logout-web.feature
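Review bot: The login steps now authenticate with the literal `admin`/`admin` pair (the same substitution is made in 2-logout-web.feature), which hard-wires a well-known default credential into the suite and into whatever fixture provides it; make sure that fixture is only loaded in the test environment and never lands in a deployed database. Repeating the literal in two features also means a password change in the fixture breaks both silently, so a single shared step or parameter for the admin credentials would be more robust. A comment above `Given I am on "/login"` naming the fixture that supplies the account (`# credentials come from the admin user fixture`) would document the new dependency the commit message describes.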
@@ -7,14 +7,14 @@ Feature: Log out a logged in user
   Scenario: As a logged in user, I need to be able to log out
     # log in
     Given I am on "/login"
-    And I fill in "_username" with "admin.primus"
-    And I fill in "_password" with "12345"
+    And I fill in "_username" with "admin"
+    And I fill in "_password" with "admin"
     And I press "Log in"
     Then I should be on "/"
     # confirm login
     And I visit "/profile"
-    And I should see text matching "Logged in as admin.primus"
-    And I should see text matching "Username: admin.primus"
+    And I should see text matching "Logged in as admin"
+    And I should see text matching "Username: admin"
     # log out
     And I visit "/logout"
     Then I should be on "/"