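#!/bin/bash
#
# 02_resource_perm.sh
#
# Purpose: cross-user resource access control test.
# Scenarios:
#   1. Admin edits another user's resource        (Allow)
#   2. A regular user edits their own resource    (Allow)
#   3. A regular user edits another user's resource (Deny)
#   4. A regular user edits the Admin's resource  (Deny)
#   5. The other regular user edits the first one (Deny, symmetric check)
#
# Requires lib.sh (same directory) to provide: test_start, test_end, step,
# info, error, check_service, check_http_code, check_success, login_user,
# get_token, get_user_id, api_patch and TEST_TIMESTAMP.
#
# pipefail is added so a failing stage inside any helper pipeline is not
# masked by a successful last stage.
set -eo pipefail

# Load the shared helper library.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=lib.sh
source "$SCRIPT_DIR/lib.sh"

#######################################
# Extract the application-level status code from a JSON response body.
# A body without a "code" field (a plain success payload) yields 200, as
# before. A body that jq cannot parse (empty, HTML error page, truncated
# proxy response) yields the literal string "unparseable" instead of
# letting jq's non-zero exit abort the whole script under `set -e` with no
# test diagnostic; the caller then reports it as a failed expectation.
# Arguments:
#   $1 - raw response body
# Outputs:
#   the code on stdout
#######################################
response_code() {
  local body=$1 code
  if ! code=$(jq -r '.code // 200' <<<"$body" 2>/dev/null); then
    code="unparseable"
  fi
  printf '%s\n' "$code"
}

#######################################
# Assert that a PATCH was applied: the returned nickname must equal the
# value we sent. Exits 1 otherwise.
# Arguments:
#   $1 - raw response body
#   $2 - expected nickname
#   $3 - success message for check_success
#   $4 - failure message prefix for error (", nickname=<value>" is appended)
#######################################
expect_nickname() {
  local res=$1 expected=$2 ok_msg=$3 fail_msg=$4 nick
  # Tolerate a non-JSON body so the failure is reported as a test error
  # rather than as a jq crash.
  if ! nick=$(jq -r '.nickname' <<<"$res" 2>/dev/null); then
    nick="unparseable"
  fi
  if [[ "$nick" == "$expected" ]]; then
    check_success "$ok_msg"
  else
    error "${fail_msg}, nickname=${nick}"
    exit 1
  fi
}

#######################################
# Assert that a cross-user PATCH was rejected.
# The service may answer 403 Forbidden or 404 NotFound (when resources are
# isolated per user); 401 is also accepted as a denial. Anything else —
# including a success payload (200), an empty body or an unparseable body —
# is treated as a broken access check and fails the test.
# NOTE(review): denial is judged from the JSON body's "code" field only,
# exactly as the original did; the HTTP status is not consulted here and
# the target resource is not re-read to confirm it is unchanged — TODO add
# that follow-up read once lib.sh exposes a GET helper.
# Arguments:
#   $1 - raw response body
#   $2 - acting user label (e.g. "User1")
#   $3 - target user label (e.g. "User2")
#######################################
expect_denied() {
  local res=$1 actor=$2 target=$3 code
  code=$(response_code "$res")
  case "$code" in
    401*|403*|404*)
      check_success "${actor} 修改 ${target} 被拒绝 (Code: $code)"
      ;;
    *)
      error "${actor} 竟然修改了 ${target} ! Code: $code"
      info "Response: $res"
      exit 1
      ;;
  esac
}

#######################################
# Log in one account and print "<token> <user id>" on stdout.
# Exits via check_http_code if the login does not return 200.
# Arguments:
#   $1 - username
#   $2 - password
#######################################
login_and_extract() {
  local user=$1 pass=$2 res
  res=$(login_user "$user" "$pass")
  check_http_code "$res" "200"
  printf '%s %s\n' "$(get_token "$res")" "$(get_user_id "$res")"
}

main() {
  test_start "资源权限交叉验证测试"

  # Make sure the service is reachable before spending any assertions.
  check_service

  # ==========================================
  # Environment setup (log in three accounts)
  # ==========================================
  local -r COMMON_PASS="password123"
  local -r ADMIN_USER="admin_${TEST_TIMESTAMP}"
  local -r USER1_NAME="user1_${TEST_TIMESTAMP}"
  local -r USER2_NAME="user2_${TEST_TIMESTAMP}"
  local ADMIN_TOKEN ADMIN_ID USER1_TOKEN USER1_ID USER2_TOKEN USER2_ID RES

  step "0. 登录测试账户"

  # Admin login
  read -r ADMIN_TOKEN ADMIN_ID < <(login_and_extract "$ADMIN_USER" "$COMMON_PASS")
  info "Admin ID: $ADMIN_ID"

  # User1 login
  read -r USER1_TOKEN USER1_ID < <(login_and_extract "$USER1_NAME" "$COMMON_PASS")
  info "User1 ID: $USER1_ID"

  # User2 login
  read -r USER2_TOKEN USER2_ID < <(login_and_extract "$USER2_NAME" "$COMMON_PASS")
  info "User2 ID: $USER2_ID"

  # ==========================================
  # Test cases
  # ==========================================

  # Case 1: Admin edits User1 (must succeed)
  step "1. Admin 修改 User1 信息 (预期: 成功)"
  RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Admin"}' "$ADMIN_TOKEN")
  check_http_code "$RES" "200"
  expect_nickname "$RES" "Edited By Admin" "Admin 修改 User1 成功" "Admin 修改失败"

  # Case 2: User1 edits User1 (must succeed)
  step "2. User1 修改自己信息 (预期: 成功)"
  RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Edited By Self"}' "$USER1_TOKEN")
  check_http_code "$RES" "200"
  expect_nickname "$RES" "Edited By Self" "User1 修改自己成功" "User1 修改自己失败"

  # Case 3: User1 edits User2 (must be denied)
  step "3. User1 修改 User2 信息 (预期: 失败 403/404)"
  RES=$(api_patch "/api/users/$USER2_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")
  expect_denied "$RES" "User1" "User2"

  # Case 4: User1 edits Admin (must be denied)
  step "4. User1 修改 Admin 信息 (预期: 失败 403/404)"
  RES=$(api_patch "/api/users/$ADMIN_ID" '{"nickname": "Hacked By User1"}' "$USER1_TOKEN")
  expect_denied "$RES" "User1" "Admin"

  # Case 5: User2 edits User1 (must be denied) — symmetric to case 3, so a
  # check that only protects the first-created user is caught too.
  step "5. User2 修改 User1 信息 (预期: 失败 403/404)"
  RES=$(api_patch "/api/users/$USER1_ID" '{"nickname": "Hacked By User2"}' "$USER2_TOKEN")
  expect_denied "$RES" "User2" "User1"

  test_end
}

main "$@"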