From b02c910b1e360b3287faad9c7b6ae7b4d34fa16b Mon Sep 17 00:00:00 2001
From: "J. King"
Date: Sun, 10 Mar 2019 15:54:43 -0400
Subject: [PATCH] Make token creation check that the user exists

---
 lib/Database.php | 2 ++
 tests/cases/Database/SeriesToken.php | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/lib/Database.php b/lib/Database.php
index 01cd91ad..df614b5a 100644
--- a/lib/Database.php
+++ b/lib/Database.php
@@ -392,6 +392,8 @@ class Database {
 // If the user isn't authorized to perform this action then throw an exception.
 if (!Arsse::$user->authorize($user, __FUNCTION__)) {
 throw new User\ExceptionAuthz("notAuthorized", ["action" => __FUNCTION__, "user" => $user]);
+ } elseif (!$this->userExists($user)) {
+ throw new User\Exception("doesNotExist", ["action" => __FUNCTION__, "user" => $user]);
 }
 // generate a token if it's not provided
 $id = $id ?? UUID::mint()->hex;
diff --git a/tests/cases/Database/SeriesToken.php b/tests/cases/Database/SeriesToken.php
index 738fc58b..ff85407b 100644
--- a/tests/cases/Database/SeriesToken.php
+++ b/tests/cases/Database/SeriesToken.php
@@ -96,6 +96,11 @@ trait SeriesToken {
 $this->compareExpectations($state);
 }
 
+ public function testCreateATokenForAMissingUser() {
+ $this->assertException("doesNotExist", "User");
+ Arsse::$db->tokenCreate("fever.login", "jane.doe@example.biz");
+ }
+
 public function testCreateATokenWithoutAuthority() {
 Phake::when(Arsse::$user)->authorize->thenReturn(false);
 $this->assertException("notAuthorized", "User", "ExceptionAuthz");
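Review bot: The new `elseif (!$this->userExists($user))` branch is placed after the `authorize()` check, and that ordering is the security-relevant part of this change: an unauthorized caller receives `notAuthorized` whether or not the name exists, so the existence check cannot be used to probe for valid user names — but nothing in the hunk says the order is deliberate, and a later refactor could swap the two conditions without any test failing. A one-line comment above the `elseif` would pin it: `// Existence is checked only after authorization so that unauthorized callers cannot distinguish real users from unknown ones.` The check is also a read separate from the token insert that presumably follows further down in the method; if the token table does not enforce a foreign key to the user, a user removed between this check and the insert would still receive a token, so it is worth confirming the schema or doing the check inside the same transaction as the insert. The enclosing method starts before this hunk and its body continues past `$id = $id ?? UUID::mint()->hex;`.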
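Review bot: `testCreateATokenForAMissingUser` covers the new exception but not the property the ordering in `Database.php` is meant to guarantee, that a caller without authority gets `notAuthorized` rather than `doesNotExist` for an unknown user; without such a test, reordering the two checks would silently turn the existence check into a user-name oracle. The trait already has the pieces needed (`Phake::when(Arsse::$user)->authorize->thenReturn(false)` and `assertException` with the `ExceptionAuthz` class, both visible in `testCreateATokenWithoutAuthority`), so a third case combining them with the missing-user address is small. The hunk's first context line belongs to a method whose start is outside the hunk.
```php
public function testCreateATokenForAMissingUserWithoutAuthority() {
    Phake::when(Arsse::$user)->authorize->thenReturn(false);
    $this->assertException("notAuthorized", "User", "ExceptionAuthz");
    Arsse::$db->tokenCreate("fever.login", "jane.doe@example.biz");
}
```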