From 2565e63a7d5a038ffb89e3cd8d2ad56afe97ec4a Mon Sep 17 00:00:00 2001
From: Jesse Brault
Date: Sat, 27 Jul 2024 15:23:52 -0500
Subject: [PATCH] Added security tests to ImageControllerTests.

---
 .../api/image/ImageControllerTests.java | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/src/integrationTest/java/app/mealsmadeeasy/api/image/ImageControllerTests.java b/src/integrationTest/java/app/mealsmadeeasy/api/image/ImageControllerTests.java
index cd13572..2b281d8 100644
--- a/src/integrationTest/java/app/mealsmadeeasy/api/image/ImageControllerTests.java
+++ b/src/integrationTest/java/app/mealsmadeeasy/api/image/ImageControllerTests.java
@@ -159,6 +159,56 @@ public class ImageControllerTests {
 this.doGetImageTestWithViewer(accessToken);
 }
 
+ @Test
+ @DirtiesContext
+ public void getNonPublicImageNoPrincipalForbidden() throws Exception {
+ final User owner = this.createTestUser("imageOwner");
+ this.createHal9000(owner);
+ this.mockMvc.perform(
+ get("/images/imageOwner/HAL9000.svg")
+ ).andExpect(status().isForbidden());
+ }
+
+ @Test
+ @DirtiesContext
+ public void getNonPublicImageWithPrincipalForbidden() throws Exception {
+ final User owner = this.createTestUser("imageOwner");
+ final User viewer = this.createTestUser("viewer");
+ this.createHal9000(owner);
+ final String accessToken = this.getAccessToken(viewer.getUsername());
+ this.mockMvc.perform(
+ get("/images/imageOwner/HAL9000.svg")
+ .header("Authorization", "Bearer " + accessToken)
+ ).andExpect(status().isForbidden());
+ }
+
+ @Test
+ @DirtiesContext
+ public void getImageWithViewersNoPrincipalForbidden() throws Exception {
+ final User owner = this.createTestUser("imageOwner");
+ final User viewer = this.createTestUser("viewer");
+ final Image image = this.createHal9000(owner);
+ this.addViewer(image, owner, viewer);
+ this.mockMvc.perform(
+ get("/images/imageOwner/HAL9000.svg")
+ ).andExpect(status().isForbidden());
+ }
+
+ @Test
+ @DirtiesContext
+ public void getImageWithViewersWrongViewerForbidden() throws Exception {
+ final User owner = this.createTestUser("imageOwner");
+ final User viewer = this.createTestUser("viewer");
+ final User wrongViewer = this.createTestUser("wrongViewer");
+ final Image image = this.createHal9000(owner);
+ this.addViewer(image, owner, viewer);
+ final String accessToken = this.getAccessToken(wrongViewer.getUsername());
+ this.mockMvc.perform(
+ get("/images/imageOwner/HAL9000.svg")
+ .header("Authorization", "Bearer " + accessToken)
+ ).andExpect(status().isForbidden());
+ }
+
 @Test
 @DirtiesContext
 public void putImage() throws Exception {
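Review bot: The four new tests repeat the same owner/HAL9000 setup and the same `get("/images/imageOwner/HAL9000.svg")` request, differing only in whose bearer token (if any) is sent, and the class already has a `doGetImageTestWithViewer(accessToken)` helper for the allowed path (visible in the context line above); a parallel helper that takes an optional token and asserts 403 would keep the URL and `Authorization` wiring in one place. Separately, the two anonymous cases (`getNonPublicImageNoPrincipalForbidden`, `getImageWithViewersNoPrincipalForbidden`) pin 403 rather than 401 for a request with no credentials at all; if that is deliberate, a one-line comment such as `// anonymous callers get 403, not a 401 challenge, by design` would stop a later change to 401 reading as a regression. What an anonymous request for an image name that does not exist returns is not covered here; if the API is meant not to reveal which image names exist, a sibling test asserting that case yields the same status as the non-public case would pin that property.

```java
/** Issues GET /images/imageOwner/HAL9000.svg, anonymously when accessToken is null, and expects 403. */
private void doGetHal9000ExpectForbidden(String accessToken) throws Exception {
    final var request = get("/images/imageOwner/HAL9000.svg");
    if (accessToken != null) {
        request.header("Authorization", "Bearer " + accessToken);
    }
    this.mockMvc.perform(request).andExpect(status().isForbidden());
}

@Test
@DirtiesContext
public void getNonPublicImageWithPrincipalForbidden() throws Exception {
    final User owner = this.createTestUser("imageOwner");
    final User viewer = this.createTestUser("viewer");
    this.createHal9000(owner);
    this.doGetHal9000ExpectForbidden(this.getAccessToken(viewer.getUsername()));
}
// … unchanged: the other three tests, each reduced to setup plus one doGetHal9000ExpectForbidden call …
```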