#83: Access documents by a shared tag

docs-web/src/test/java/com/sismics/docs/rest/TestAclResource.java

@@ -249,4 +249,149 @@ public class TestAclResource extends BaseJerseyTest {
         groups = json.getJsonArray("groups");
         Assert.assertEquals(1, groups.size());
     }
+
+    @Test
+    public void testAclTags() {
+        // Login acltag1
+        clientUtil.createUser("acltag1");
+        String acltag1Token = clientUtil.login("acltag1");
+
+        // Login acltag2
+        clientUtil.createUser("acltag2");
+        String acltag2Token = clientUtil.login("acltag2");
+
+        // Create tag1 with acltag1
+        JsonObject json = target().path("/tag").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag1Token)
+                .put(Entity.form(new Form()
+                        .param("name", "AclTag1")
+                        .param("color", "#ff0000")), JsonObject.class);
+        String tag1Id = json.getString("id");
+        Assert.assertNotNull(tag1Id);
+
+        // Create document1 with acltag1 tagged with tag1
+        json = target().path("/document").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag1Token)
+                .put(Entity.form(new Form()
+                        .param("title", "My super document 1")
+                        .param("tags", tag1Id)
+                        .param("language", "eng")), JsonObject.class);
+        String document1Id = json.getString("id");
+
+        // acltag2 cannot see document1
+        Response response = target().path("/document/" + document1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .get();
+        Assert.assertEquals(Status.NOT_FOUND.getStatusCode(), response.getStatus());
+
+        // acltag2 cannot see any tag
+        json = target().path("/tag/list").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .get(JsonObject.class);
+        JsonArray tags = json.getJsonArray("tags");
+        Assert.assertEquals(0, tags.size());
+
+        // acltag2 cannot see any document
+        json = target().path("/document/list")
+                .queryParam("sort_column", 3)
+                .queryParam("asc", true)
+                .request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .get(JsonObject.class);
+        JsonArray documents = json.getJsonArray("documents");
+        Assert.assertEquals(0, documents.size());
+
+        // acltag2 cannot edit tag1
+        response = target().path("/tag/" + tag1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .post(Entity.form(new Form()
+                        .param("name", "AclTag1")
+                        .param("color", "#ff0000")));
+        Assert.assertEquals(Status.NOT_FOUND.getStatusCode(), response.getStatus());
+
+        // acltag2 cannot edit document1
+        response = target().path("/document/" + document1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .post(Entity.form(new Form()
+                        .param("title", "My super document 1")
+                        .param("tags", tag1Id)
+                        .param("language", "eng")));
+        Assert.assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
+
+        // Add an ACL READ for acltag2 with acltag1 on tag1
+        target().path("/acl").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag1Token)
+                .put(Entity.form(new Form()
+                        .param("source", tag1Id)
+                        .param("perm", "READ")
+                        .param("target", "acltag2")
+                        .param("type", "USER")), JsonObject.class);
+
+        // acltag2 still cannot edit tag1
+        response = target().path("/tag/" + tag1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .post(Entity.form(new Form()
+                        .param("name", "AclTag1")
+                        .param("color", "#ff0000")));
+        Assert.assertEquals(Status.NOT_FOUND.getStatusCode(), response.getStatus());
+
+        // acltag2 still cannot edit document1
+        response = target().path("/document/" + document1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .post(Entity.form(new Form()
+                        .param("title", "My super document 1")
+                        .param("tags", tag1Id)
+                        .param("language", "eng")));
+        Assert.assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
+
+        // acltag2 can see document1 with tag1
+        json = target().path("/document/" + document1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .get(JsonObject.class);
+        tags = json.getJsonArray("tags");
+        Assert.assertEquals(1, tags.size());
+        Assert.assertEquals(tag1Id, tags.getJsonObject(0).getString("id"));
+
+        // acltag2 can see tag1
+        json = target().path("/tag/list").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .get(JsonObject.class);
+        tags = json.getJsonArray("tags");
+        Assert.assertEquals(1, tags.size());
+        Assert.assertEquals(tag1Id, tags.getJsonObject(0).getString("id"));
+
+        // acltag2 can see exactly one document
+        json = target().path("/document/list")
+                .queryParam("sort_column", 3)
+                .queryParam("asc", true)
+                .request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .get(JsonObject.class);
+        documents = json.getJsonArray("documents");
+        Assert.assertEquals(1, documents.size());
+
+        // Add an ACL WRITE for acltag2 with acltag1 on tag1
+        target().path("/acl").request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag1Token)
+                .put(Entity.form(new Form()
+                        .param("source", tag1Id)
+                        .param("perm", "WRITE")
+                        .param("target", "acltag2")
+                        .param("type", "USER")), JsonObject.class);
+
+        // acltag2 can edit tag1
+        target().path("/tag/" + tag1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .post(Entity.form(new Form()
+                        .param("name", "AclTag1")
+                        .param("color", "#ff0000")), JsonObject.class);
+
+        // acltag2 can edit document1
+        target().path("/document/" + document1Id).request()
+                .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acltag2Token)
+                .post(Entity.form(new Form()
+                        .param("title", "My super document 1")
+                        .param("tags", tag1Id)
+                        .param("language", "eng")), JsonObject.class);
+    }
 }