Global users aren't able to cast the vote on subwiki's poll xwikisas#111

* Changed rights requirements for voting * Added unit tests for voting with different rights
KebabRonin · Feb 19, 2025 · b39cb9d · b39cb9d
1 parent bc470f7
commit b39cb9d
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 8 deletions.
diff --git a/application-xpoll-api/src/main/java/com/xwiki/xpoll/internal/rest/DefaultXPollResource.java b/application-xpoll-api/src/main/java/com/xwiki/xpoll/internal/rest/DefaultXPollResource.java
@@ -31,6 +31,7 @@
 import org.xwiki.security.authorization.ContextualAuthorizationManager;
 import org.xwiki.security.authorization.Right;
 
+import com.xpn.xwiki.user.api.XWikiRightService;
 import com.xpn.xwiki.XWikiContext;
 import com.xwiki.xpoll.XPollException;
 import com.xwiki.xpoll.XPollManager;
@@ -58,13 +59,14 @@ public class DefaultXPollResource extends ModifiablePageResource implements XPol
     public Response vote(String wikiName, String spaces, String pageName, Vote vote) throws XWikiRestException
     {
         DocumentReference documentReference = new DocumentReference(pageName, getSpaceReference(spaces, wikiName));
+        XWikiContext context = getXWikiContext();
+        DocumentReference userReference = context.getUserReference();
 
-        if (!contextualAuthorizationManager.hasAccess(Right.EDIT, documentReference)) {
+        if (!(contextualAuthorizationManager.hasAccess(Right.VIEW, documentReference)
+                && !XWikiRightService.isGuest(userReference))) {
             return Response.status(Response.Status.FORBIDDEN).build();
         }
-        XWikiContext context = getXWikiContext();
         try {
-            DocumentReference userReference = context.getUserReference();
             xPollManager.vote(documentReference, userReference, vote.getProposals());
             return Response.ok().build();
         } catch (XPollException e) {

diff --git a/...ation-xpoll-api/src/test/java/com/xwiki/xpoll/internal/rest/DefaultXPollResourceTest.java b/...ation-xpoll-api/src/test/java/com/xwiki/xpoll/internal/rest/DefaultXPollResourceTest.java
@@ -25,6 +25,7 @@
 import javax.ws.rs.core.Response;
 
 import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentMatcher;
 import org.mockito.Mock;
 import org.xwiki.component.manager.ComponentManager;
 import org.xwiki.context.Execution;
@@ -43,12 +44,15 @@
 import org.xwiki.test.mockito.MockitoComponentManager;
 
 import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.user.api.XWikiRightService;
 import com.xpn.xwiki.web.XWikiRequest;
 import com.xwiki.xpoll.XPollException;
 import com.xwiki.xpoll.XPollManager;
 import com.xwiki.xpoll.rest.model.jaxb.Vote;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -62,6 +66,8 @@
 @ComponentTest
 public class DefaultXPollResourceTest
 {
+    private static final DocumentReference userDocumentReference = new DocumentReference("xwiki", "XWiki", "User");
+
     @InjectMockComponents
     private DefaultXPollResource resource;
 
@@ -96,25 +102,59 @@ public void configure() throws Exception
         when(this.xcontextProvider.get()).thenReturn(this.xWikiContext);
     }
 
+    @Test
+    void saveXPollAnswersWithEditRightTest() throws XWikiRestException
+    {
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.VIEW), any(DocumentReference.class))).thenReturn(true);
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.EDIT), any(DocumentReference.class))).thenReturn(true);
+        when(this.xWikiContext.getUserReference()).thenReturn(userDocumentReference);
+        Response response = this.resource.vote("wiki", "space", "page", new Vote());
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+    }
+
     @Test
     void saveXPollAnswersWithoutEditRightTest() throws XWikiRestException
     {
-        when(this.contextualAuthorizationManager.hasAccess(Right.EDIT)).thenReturn(false);
-        Response response = this.resource.vote("wiki", "space", "page", null);
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.VIEW), any(DocumentReference.class))).thenReturn(true);
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.EDIT), any(DocumentReference.class))).thenReturn(false);
+        when(this.xWikiContext.getUserReference()).thenReturn(userDocumentReference);
+        Response response = this.resource.vote("wiki", "space", "page", new Vote());
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+    }
+
+    @Test
+    void saveXPollAnswersWithoutViewRightTest() throws XWikiRestException
+    {
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.VIEW), any(DocumentReference.class))).thenReturn(false);
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.EDIT), any(DocumentReference.class))).thenReturn(false);
+        when(this.xWikiContext.getUserReference()).thenReturn(userDocumentReference);
+        Response response = this.resource.vote("wiki", "space", "page", new Vote());
+        assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
+    }
+
+    @Test
+    void saveXPollAnswersLoggedOutTest() throws XWikiRestException
+    {
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.VIEW), any(DocumentReference.class))).thenReturn(true);
+        when(this.contextualAuthorizationManager.hasAccess(eq(Right.EDIT), any(DocumentReference.class))).thenReturn(false);
+        when(this.xWikiContext.getUserReference()).thenReturn(null);
+        Response response = this.resource.vote("wiki", "space", "page", new Vote());
         assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
     }
 
     @Test
     void saveXPollButManagerThrowsException() throws XPollException, XWikiRestException
     {
         DocumentReference docRef = new DocumentReference("xwiki", "Main", "WebHome");
-        when(this.contextualAuthorizationManager.hasAccess(Right.EDIT, docRef)).thenReturn(true);
+        when(this.xWikiContext.getUserReference()).thenReturn(userDocumentReference);
+        when(this.contextualAuthorizationManager.hasAccess(Right.VIEW, docRef)).thenReturn(true);
         when(this.serializer.serialize(null, new WikiReference("wiki"))).thenReturn("userIdentifier");
 
         Vote vote = new Vote();
 
-        doThrow(new XPollException("Message")).when(this.xPollManager).vote(docRef, null, Collections.emptyList());
+        doThrow(new XPollException("Message")).when(this.xPollManager)
+            .vote(docRef, userDocumentReference, Collections.emptyList());
         Response response = resource.vote("xwiki", "Main", "WebHome", vote);
         assertEquals(Response.Status.NOT_FOUND.getStatusCode(), response.getStatus());
     }
-}
+}