duanming7833 2019-02-21 12:01
59 views

Should I test authorization for every web application route?

I have a question about testing coverage. I'm developing a basic CRUD application that has certain access rules. Authenticated users can create/edit forms, and allow other users either edit or view access to a form. What I'm wondering is whether I should write a feature test for every possible authorisation scenario, i.e.:

  • A guest can't edit a form
  • A user can edit their own form
  • A user can't edit another user's form
  • A user can edit another user's form they have 'edit' access to
  • A user can't edit another user's form they have 'view' access to

These will then need to be written for every feature, such as deleting a form, viewing the form's responses etc.

Do these all need to be included to ensure that authorisation is applied at the right level for every feature? Or should just the basic functionality be feature tested (i.e. a user can edit their form), and then have a unit test to check the authorisation middleware and trust that's enough?

Edit: I know how to add the authorisation I need, I'm just asking whether or not to test it at every level.


1 answer

  • douhushen3241 2019-02-21 12:36

    MY ANSWER IS FOR

    I'm developing a basic CRUD application

    If you are doing a multiple-user-type application, implement roles and permissions.

    can be found here

    https://laravel-news.com/two-best-roles-permissions-packages

    Or Implement Your Own

    else

    Question 1:

    A guest can't edit a form

    // Only authenticated users reach the routes in this group; guests are
    // redirected to the login page by the 'auth' middleware.
    Route::middleware(['web', 'auth'])->group(function () {
        Route::get('testmiddleware', function () {
            return 'user is logged in';
        });
        Route::get('/posts/{post}/edit', 'PostController@edit')->name('posts.edit');
        Route::put('/posts/{post}', 'PostController@update')->name('posts.update');
    });

    Question 2 & 3:

    A user can edit their own form AND A user can't edit another users form

    For example, consider that I have a field user_id in the posts table.

    public function edit(Post $post)
    {
        // {post} in the route is resolved by route-model binding, so a separate
        // $id parameter and findOrFail() are not needed.
        if ($post->user_id != auth()->id()) {
            // Logged in but not the owner: 403 Forbidden
            // (401 would mean "not authenticated").
            abort(403);
        }

        return view('post.edit', compact('post'));
    }

    Question 4 & 5:

    A user can edit another users form they have 'edit' access to

    A user can't edit another users form they have 'view' access to

    I have no idea how to do it, but you can do it by role-based access control.

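The answer covers questions 1 to 3 with a route group and an ownership check; as an added example (not code from the answer's author), here is how all five scenarios from the question, including the 'edit' vs 'view' sharing of questions 4 and 5, can be covered by one Laravel feature test driven by a data provider. It assumes a Post model with user_id and a belongsToMany sharedUsers() relation over a pivot table with a 'permission' column, a PostPolicy whose update() allows the owner or a shared user with permission 'edit', and a PUT route named posts.update behind the 'auth' middleware whose controller calls $this->authorize('update', $post) before saving.

```php
<?php
// Added example, not code from the original answer. Post::sharedUsers(), the
// 'permission' pivot column, PostPolicy::update and route posts.update are assumed.
namespace Tests\Feature;
use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
class PostUpdateAuthorizationTest extends TestCase
{
    use RefreshDatabase;
    private array $users = [];
    private Post $post;
    protected function setUp(): void
    {
        parent::setUp();
        foreach (['owner', 'editor', 'viewer', 'stranger'] as $role) {
            $this->users[$role] = User::factory()->create();
        }
        $this->post = Post::factory()->for($this->users['owner'])->create(['title' => 'original']);
        $this->post->sharedUsers()->attach($this->users['editor'], ['permission' => 'edit']);
        $this->post->sharedUsers()->attach($this->users['viewer'], ['permission' => 'view']);
    }
    // [actor, may edit?] for the five cases listed in the question.
    public static function scenarios(): array
    {
        return [
            'guest'         => [null, false],
            'owner'         => ['owner', true],
            'other user'    => ['stranger', false],
            'shared editor' => ['editor', true],
            'shared viewer' => ['viewer', false],
        ];
    }
    /** @dataProvider scenarios */
    public function test_update_authorization(?string $who, bool $allowed): void
    {
        $client = $who ? $this->actingAs($this->users[$who]) : $this;
        $response = $client->put(route('posts.update', $this->post), ['title' => 'changed']);
        if ($who === null) {
            $response->assertRedirect(route('login'));   // 'auth' middleware bounces guests
        } elseif (!$allowed) {
            $response->assertForbidden();                // policy denial is a 403, not 401
        }
        // The stored row is the ground truth, whatever the response looked like.
        $this->assertDatabaseHas('posts',
            ['id' => $this->post->id, 'title' => $allowed ? 'changed' : 'original']);
    }
}
```

Adding a row to scenarios() is all it takes to cover a new access rule, and the same table can be reused for the delete and view-responses routes the question mentions.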
