Added security tests to ImageControllerTests.

2024-07-27 15:23:52 -05:00 · 2024-07-27 15:23:52 -05:00 · 2565e63a7d
commit 2565e63a7d
parent eeb58aa5a1
1 changed files with 50 additions and 0 deletions
--- a/src/integrationTest/java/app/mealsmadeeasy/api/image/ImageControllerTests.java
+++ b/src/integrationTest/java/app/mealsmadeeasy/api/image/ImageControllerTests.java
@ -159,6 +159,56 @@ public class ImageControllerTests {
        this.doGetImageTestWithViewer(accessToken);
    }

+    @Test
+    @DirtiesContext
+    public void getNonPublicImageNoPrincipalForbidden() throws Exception {
+        final User owner = this.createTestUser("imageOwner");
+        this.createHal9000(owner);
+        this.mockMvc.perform(
+                get("/images/imageOwner/HAL9000.svg")
+        ).andExpect(status().isForbidden());
+    }
+
+    @Test
+    @DirtiesContext
+    public void getNonPublicImageWithPrincipalForbidden() throws Exception {
+        final User owner = this.createTestUser("imageOwner");
+        final User viewer = this.createTestUser("viewer");
+        this.createHal9000(owner);
+        final String accessToken = this.getAccessToken(viewer.getUsername());
+        this.mockMvc.perform(
+                get("/images/imageOwner/HAL9000.svg")
+                        .header("Authorization", "Bearer " + accessToken)
+        ).andExpect(status().isForbidden());
+    }
+
+    @Test
+    @DirtiesContext
+    public void getImageWithViewersNoPrincipalForbidden() throws Exception {
+        final User owner = this.createTestUser("imageOwner");
+        final User viewer = this.createTestUser("viewer");
+        final Image image = this.createHal9000(owner);
+        this.addViewer(image, owner, viewer);
+        this.mockMvc.perform(
+                get("/images/imageOwner/HAL9000.svg")
+        ).andExpect(status().isForbidden());
+    }
+
+    @Test
+    @DirtiesContext
+    public void getImageWithViewersWrongViewerForbidden() throws Exception {
+        final User owner = this.createTestUser("imageOwner");
+        final User viewer = this.createTestUser("viewer");
+        final User wrongViewer = this.createTestUser("wrongViewer");
+        final Image image = this.createHal9000(owner);
+        this.addViewer(image, owner, viewer);
+        final String accessToken = this.getAccessToken(wrongViewer.getUsername());
+        this.mockMvc.perform(
+                get("/images/imageOwner/HAL9000.svg")
+                        .header("Authorization", "Bearer " + accessToken)
+        ).andExpect(status().isForbidden());
+    }
+
    @Test
    @DirtiesContext
    public void putImage() throws Exception {