mirror of
https://github.com/appwrite/appwrite.git
synced 2026-05-26 13:51:13 +00:00
Jake Barnby
5cb36a0a3a
- Add probe callback support to getLastEmail(), getLastEmailByAddress(), and getLastRequest() to filter results by content before accepting - Fix variable name typo in TeamsCustomClientTest ($email vs $lastEmail) - Add event probes to all 56 webhook test getLastRequest() calls to filter by specific event pattern (resource ID + action) - Add email probes to Account OTP/recovery/magic-url tests to wait for the correct email (security phrase, Password Reset subject, etc.) - Add email probes to Projects tests for recovery email URL matching - Increase FunctionsSchedule future time from 1min to 2min to avoid timing issues when seconds are zeroed Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
167 lines
6.6 KiB
PHP
167 lines
6.6 KiB
PHP
<?php
|
|
|
|
namespace Tests\E2E\Services\Teams;
|
|
|
|
use Tests\E2E\Client;
|
|
use Tests\E2E\Scopes\ProjectCustom;
|
|
use Tests\E2E\Scopes\Scope;
|
|
use Tests\E2E\Scopes\SideClient;
|
|
|
|
class TeamsCustomClientTest extends Scope
|
|
{
|
|
use TeamsBase;
|
|
use TeamsBaseClient;
|
|
use ProjectCustom;
|
|
use SideClient;
|
|
|
|
public function testGetMembershipPrivacy(): void
|
|
{
|
|
$teamData = $this->createTeamHelper();
|
|
$teamUid = $teamData['teamUid'];
|
|
|
|
$projectId = $this->getProject()['$id'];
|
|
|
|
$response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $projectId . '/auth/memberships-privacy', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => 'console',
|
|
'cookie' => 'a_session_console=' . $this->getRoot()['session'],
|
|
]), [
|
|
'userName' => false,
|
|
'userEmail' => false,
|
|
'mfa' => false,
|
|
]);
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
|
|
/**
|
|
* Test that sensitive fields are hidden
|
|
*/
|
|
$response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => $projectId,
|
|
], $this->getHeaders()));
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
$this->assertIsInt($response['body']['total']);
|
|
$this->assertNotEmpty($response['body']['memberships'][0]['$id']);
|
|
|
|
// Assert that sensitive fields are not present
|
|
$this->assertEmpty($response['body']['memberships'][0]['userName']);
|
|
$this->assertEmpty($response['body']['memberships'][0]['userEmail']);
|
|
$this->assertFalse($response['body']['memberships'][0]['mfa']);
|
|
|
|
/**
|
|
* Update project settings to show sensitive fields
|
|
*/
|
|
$response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $projectId . '/auth/memberships-privacy', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => 'console',
|
|
'cookie' => 'a_session_console=' . $this->getRoot()['session'],
|
|
]), [
|
|
'userName' => true,
|
|
'userEmail' => true,
|
|
'mfa' => true,
|
|
]);
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
|
|
/**
|
|
* Test that sensitive fields are shown
|
|
*/
|
|
$response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => $projectId,
|
|
], $this->getHeaders()));
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
$this->assertIsInt($response['body']['total']);
|
|
$this->assertNotEmpty($response['body']['memberships'][0]['$id']);
|
|
|
|
// Assert that sensitive fields are present
|
|
$this->assertNotEmpty($response['body']['memberships'][0]['userName']);
|
|
$this->assertNotEmpty($response['body']['memberships'][0]['userEmail']);
|
|
$this->assertArrayHasKey('mfa', $response['body']['memberships'][0]);
|
|
|
|
/**
|
|
* Update project settings to show only MFA
|
|
*/
|
|
$response = $this->client->call(Client::METHOD_PATCH, '/projects/' . $this->getProject()['$id'] . '/auth/memberships-privacy', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => 'console',
|
|
'cookie' => 'a_session_console=' . $this->getRoot()['session'],
|
|
]), [
|
|
'userName' => false,
|
|
'userEmail' => false,
|
|
'mfa' => true,
|
|
]);
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
|
|
/**
|
|
* Test that sensitive fields are not shown
|
|
*/
|
|
$response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => $projectId,
|
|
], $this->getHeaders()));
|
|
|
|
$this->assertEquals(200, $response['headers']['status-code']);
|
|
$this->assertIsInt($response['body']['total']);
|
|
$this->assertNotEmpty($response['body']['memberships'][0]['$id']);
|
|
|
|
// Assert that sensitive fields are present
|
|
$this->assertEmpty($response['body']['memberships'][0]['userName']);
|
|
$this->assertEmpty($response['body']['memberships'][0]['userEmail']);
|
|
$this->assertArrayHasKey('mfa', $response['body']['memberships'][0]);
|
|
}
|
|
|
|
public function testTeamsInviteHTMLInjection(): void
|
|
{
|
|
$teamData = $this->createTeamHelper();
|
|
$teamUid = $teamData['teamUid'];
|
|
$email = uniqid() . 'friend@localhost.test';
|
|
$name = 'Friend User';
|
|
$password = 'password';
|
|
|
|
// Create a user account before we create a invite so we can check if the user has permissions when it shouldn't
|
|
$user = $this->client->call(Client::METHOD_POST, '/account', [
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => 'console'], [
|
|
'userId' => 'unique()',
|
|
'email' => $email,
|
|
'password' => $password,
|
|
'name' => $name,
|
|
], false);
|
|
|
|
$this->assertEquals(201, $user['headers']['status-code']);
|
|
|
|
$response = $this->client->call(Client::METHOD_POST, '/teams/' . $teamUid . '/memberships', array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
], $this->getHeaders()), [
|
|
'email' => $email,
|
|
'name' => $name,
|
|
'roles' => ['admin', 'editor'],
|
|
'url' => 'http://localhost:5000/join-us\"></a><h1>INJECTED</h1>'
|
|
]);
|
|
|
|
$this->assertEquals(201, $response['headers']['status-code']);
|
|
|
|
$lastEmail = $this->getLastEmailByAddress($email);
|
|
$this->assertNotEmpty($lastEmail, 'Email not found for address: ' . $email);
|
|
|
|
|
|
// injection allowed, meant to be protected client-side
|
|
$encoded = 'http://localhost:5000/join-us\"></a><h1>INJECTED</h1>';
|
|
|
|
$this->assertStringContainsString('<h1>INJECTED</h1>', $lastEmail['html']);
|
|
$this->assertStringContainsString($encoded, $lastEmail['html']);
|
|
|
|
$response = $this->client->call(Client::METHOD_DELETE, '/teams/' . $teamUid . '/memberships/'.$response['body']['$id'], array_merge([
|
|
'content-type' => 'application/json',
|
|
'x-appwrite-project' => $this->getProject()['$id'],
|
|
], $this->getHeaders()));
|
|
$this->assertEquals(204, $response['headers']['status-code']);
|
|
}
|
|
}
|