From 34bb023b7d0dd5fadd066c07feba1e0c3dceb3a8 Mon Sep 17 00:00:00 2001
From: Alejandro Celaya <alejandro@alejandrocelaya.com>
Date: Sun, 10 Jan 2021 10:28:00 +0100
Subject: [PATCH] Created API tests to cover deletion and renaming of tags with
 non-admin API keys

---
 .../Rest/test-api/Action/DeleteTagsTest.php   | 35 +++++++++++++++++
 module/Rest/test-api/Action/RenameTagTest.php | 38 +++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 module/Rest/test-api/Action/DeleteTagsTest.php
 create mode 100644 module/Rest/test-api/Action/RenameTagTest.php

diff --git a/module/Rest/test-api/Action/DeleteTagsTest.php b/module/Rest/test-api/Action/DeleteTagsTest.php
new file mode 100644
index 00000000..ca175b69
--- /dev/null
+++ b/module/Rest/test-api/Action/DeleteTagsTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ShlinkioApiTest\Shlink\Rest\Action;
+
+use GuzzleHttp\RequestOptions;
+use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
+
+class DeleteTagsTest extends ApiTestCase
+{
+    /**
+     * @test
+     * @dataProvider provideNonAdminApiKeys
+     */
+    public function anErrorIsReturnedWithNonAdminApiKeys(string $apiKey): void
+    {
+        $resp = $this->callApiWithKey(self::METHOD_DELETE, '/tags', [
+            RequestOptions::QUERY => ['tags' => ['foo']],
+        ], $apiKey);
+        $payload = $this->getJsonResponsePayload($resp);
+
+        self::assertEquals(self::STATUS_FORBIDDEN, $resp->getStatusCode());
+        self::assertEquals(self::STATUS_FORBIDDEN, $payload['status']);
+        self::assertEquals('FORBIDDEN_OPERATION', $payload['type']);
+        self::assertEquals('You are not allowed to delete tags', $payload['detail']);
+        self::assertEquals('Forbidden tag operation', $payload['title']);
+    }
+
+    public function provideNonAdminApiKeys(): iterable
+    {
+        yield 'author' => ['author_api_key'];
+        yield 'domain' => ['domain_api_key'];
+    }
+}
diff --git a/module/Rest/test-api/Action/RenameTagTest.php b/module/Rest/test-api/Action/RenameTagTest.php
new file mode 100644
index 00000000..7ed4ff4f
--- /dev/null
+++ b/module/Rest/test-api/Action/RenameTagTest.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ShlinkioApiTest\Shlink\Rest\Action;
+
+use GuzzleHttp\RequestOptions;
+use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
+
+class RenameTagTest extends ApiTestCase
+{
+    /**
+     * @test
+     * @dataProvider provideNonAdminApiKeys
+     */
+    public function anErrorIsReturnedWithNonAdminApiKeys(string $apiKey): void
+    {
+        $resp = $this->callApiWithKey(self::METHOD_PUT, '/tags', [
+            RequestOptions::JSON => [
+                'oldName' => 'foo',
+                'newName' => 'foo_renamed',
+            ],
+        ], $apiKey);
+        $payload = $this->getJsonResponsePayload($resp);
+
+        self::assertEquals(self::STATUS_FORBIDDEN, $resp->getStatusCode());
+        self::assertEquals(self::STATUS_FORBIDDEN, $payload['status']);
+        self::assertEquals('FORBIDDEN_OPERATION', $payload['type']);
+        self::assertEquals('You are not allowed to rename tags', $payload['detail']);
+        self::assertEquals('Forbidden tag operation', $payload['title']);
+    }
+
+    public function provideNonAdminApiKeys(): iterable
+    {
+        yield 'author' => ['author_api_key'];
+        yield 'domain' => ['domain_api_key'];
+    }
+}