Check admin permission before able to manage config entries

2025-12-24 21:06:19 +00:00 · 2018-12-13 15:30:20 +01:00
parent 6766d25e62
commit 90df932fe1
4 changed files with 190 additions and 0 deletions
--- a/tests/components/config/test_config_entries.py
+++ b/tests/components/config/test_config_entries.py
@@ -84,6 +84,17 @@ def test_remove_entry(hass, client):
    assert len(hass.config_entries.async_entries()) == 0


+async def test_remove_entry_unauth(hass, client, hass_admin_user):
+    """Test removing an entry via the API."""
+    hass_admin_user.groups = []
+    entry = MockConfigEntry(domain='demo', state=core_ce.ENTRY_STATE_LOADED)
+    entry.add_to_hass(hass)
+    resp = await client.delete(
+        '/api/config/config_entries/entry/{}'.format(entry.entry_id))
+    assert resp.status == 401
+    assert len(hass.config_entries.async_entries()) == 1
+
+
@asyncio.coroutine
 def test_available_flows(hass, client):
    """Test querying the available flows."""
@@ -155,6 +166,35 @@ def test_initialize_flow(hass, client):
    }


+async def test_initialize_flow_unauth(hass, client, hass_admin_user):
+    """Test we can initialize a flow."""
+    hass_admin_user.groups = []
+
+    class TestFlow(core_ce.ConfigFlow):
+        @asyncio.coroutine
+        def async_step_user(self, user_input=None):
+            schema = OrderedDict()
+            schema[vol.Required('username')] = str
+            schema[vol.Required('password')] = str
+
+            return self.async_show_form(
+                step_id='user',
+                data_schema=schema,
+                description_placeholders={
+                    'url': 'https://example.com',
+                },
+                errors={
+                    'username': 'Should be unique.'
+                }
+            )
+
+    with patch.dict(HANDLERS, {'test': TestFlow}):
+        resp = await client.post('/api/config/config_entries/flow',
+                                      json={'handler': 'test'})
+
+    assert resp.status == 401
+
+
@asyncio.coroutine
 def test_abort(hass, client):
    """Test a flow that aborts."""
@@ -273,6 +313,58 @@ def test_two_step_flow(hass, client):
        }


+async def test_continue_flow_unauth(hass, client, hass_admin_user):
+    """Test we can't finish a two step flow."""
+    set_component(
+        hass, 'test',
+        MockModule('test', async_setup_entry=mock_coro_func(True)))
+
+    class TestFlow(core_ce.ConfigFlow):
+        VERSION = 1
+
+        @asyncio.coroutine
+        def async_step_user(self, user_input=None):
+            return self.async_show_form(
+                step_id='account',
+                data_schema=vol.Schema({
+                    'user_title': str
+                }))
+
+        @asyncio.coroutine
+        def async_step_account(self, user_input=None):
+            return self.async_create_entry(
+                title=user_input['user_title'],
+                data={'secret': 'account_token'},
+            )
+
+    with patch.dict(HANDLERS, {'test': TestFlow}):
+        resp = await client.post('/api/config/config_entries/flow',
+                                      json={'handler': 'test'})
+        assert resp.status == 200
+        data = await resp.json()
+        flow_id = data.pop('flow_id')
+        assert data == {
+            'type': 'form',
+            'handler': 'test',
+            'step_id': 'account',
+            'data_schema': [
+                {
+                    'name': 'user_title',
+                    'type': 'string'
+                }
+            ],
+            'description_placeholders': None,
+            'errors': None
+        }
+
+    hass_admin_user.groups = []
+
+    resp = await client.post(
+        '/api/config/config_entries/flow/{}'.format(flow_id),
+        json={'user_title': 'user-title'})
+    assert resp.status == 401
+
+
@asyncio.coroutine
 def test_get_progress_index(hass, client):
    """Test querying for the flows that are in progress."""
@@ -305,6 +397,29 @@ def test_get_progress_index(hass, client):
    ]


+async def test_get_progress_index_unauth(hass, client, hass_admin_user):
+    """Test we can't get flows that are in progress."""
+    hass_admin_user.groups = []
+
+    class TestFlow(core_ce.ConfigFlow):
+        VERSION = 5
+
+        async def async_step_hassio(self, info):
+            return (await self.async_step_account())
+
+        async def async_step_account(self, user_input=None):
+            return self.async_show_form(
+                step_id='account',
+            )
+
+    with patch.dict(HANDLERS, {'test': TestFlow}):
+        form = await hass.config_entries.flow.async_init(
+            'test', context={'source': 'hassio'})
+
+    resp = await client.get('/api/config/config_entries/flow')
+    assert resp.status == 401
+
+
@asyncio.coroutine
 def test_get_progress_flow(hass, client):
    """Test we can query the API for same result as we get from init a flow."""
@@ -337,3 +452,34 @@ def test_get_progress_flow(hass, client):
    data2 = yield from resp2.json()

    assert data == data2
+
+
+async def test_get_progress_flow(hass, client, hass_admin_user):
+    """Test we can query the API for same result as we get from init a flow."""
+    class TestFlow(core_ce.ConfigFlow):
+        async def async_step_user(self, user_input=None):
+            schema = OrderedDict()
+            schema[vol.Required('username')] = str
+            schema[vol.Required('password')] = str
+
+            return self.async_show_form(
+                step_id='user',
+                data_schema=schema,
+                errors={
+                    'username': 'Should be unique.'
+                }
+            )
+
+    with patch.dict(HANDLERS, {'test': TestFlow}):
+        resp = await client.post('/api/config/config_entries/flow',
+                                      json={'handler': 'test'})
+
+    assert resp.status == 200
+    data = await resp.json()
+
+    hass_admin_user.groups = []
+
+    resp2 = await client.get(
+        '/api/config/config_entries/flow/{}'.format(data['flow_id']))
+
+    assert resp2.status == 401