anonymous user should not have permission to change password or autocomplete

2025-11-14 17:26:22 +01:00 · 2019-10-17 11:08:55 +02:00
parent a33acf5326
commit 1fd6337f64
6 changed files with 48 additions and 6 deletions
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeDtoFactoryTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeDtoFactoryTest.java
@@ -12,14 +12,17 @@ import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.mockito.junit.jupiter.MockitoSettings;
 import org.mockito.quality.Strictness;
+import sonia.scm.SCMContext;
 import sonia.scm.group.GroupCollector;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
+import sonia.scm.user.UserPermissions;
 import sonia.scm.user.UserTestData;

 import java.net.URI;

 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;

@@ -159,6 +162,18 @@ class MeDtoFactoryTest {
    assertThat(dto.getLinks().getLinkBy("password")).isNotPresent();
  }

+  @Test
+  void shouldNotGetPasswordLinkForAnonymousUser() {
+    User user = SCMContext.ANONYMOUS;
+    prepareSubject(user);
+
+    when(userManager.isTypeDefault(any())).thenReturn(true);
+    when(UserPermissions.changePassword(user).isPermitted()).thenReturn(true);
+
+    MeDto dto = meDtoFactory.create();
+    assertThat(dto.getLinks().getLinkBy("password")).isNotPresent();
+  }
+
  @Test
  void shouldAppendLinks() {
    prepareSubject(UserTestData.createTrillian());
--- a/scm-webapp/src/test/java/sonia/scm/security/DefaultAuthorizationCollectorTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/DefaultAuthorizationCollectorTest.java
@@ -48,6 +48,7 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
+import sonia.scm.SCMContext;
 import sonia.scm.cache.Cache;
 import sonia.scm.cache.CacheManager;
 import sonia.scm.group.GroupCollector;
@@ -172,6 +173,23 @@ public class DefaultAuthorizationCollectorTest {
    assertThat(authInfo.getObjectPermissions(), nullValue());
  }

+  /**
+   * Tests {@link AuthorizationCollector#collect(PrincipalCollection)} ()} without permissions.
+   */
+  @Test
+  @SubjectAware(
+    configuration = "classpath:sonia/scm/shiro-001.ini"
+  )
+  public void testCollectWithoutPermissionsForAnonymousUser() {
+    User anonymous = SCMContext.ANONYMOUS;
+    authenticate(anonymous, "anon");
+
+    AuthorizationInfo authInfo = collector.collect();
+    assertThat(authInfo.getStringPermissions(), hasSize(1));
+    assertThat(authInfo.getStringPermissions(), containsInAnyOrder("user:read:_anonymous"));
+    assertThat(authInfo.getObjectPermissions(), nullValue());
+  }
+
  /**
   * Tests {@link AuthorizationCollector#collect(PrincipalCollection)} ()} with repository permissions.
   */