From f4838e123370076bbb699b1599453d9aee880e59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?=
Date: Fri, 1 May 2020 08:55:11 +0200
Subject: [PATCH] add int test for acl
---
 .../org/owasp/webgoat/AccessControlTest.java | 54 +++++++++++++++++++
 .../idor/src/main/resources/html/IDOR.html | 2 +-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
new file mode 100644
index 000000000..da39a8c5f
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
@@ -0,0 +1,54 @@
+package org.owasp.webgoat;
+
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import lombok.Data;
+
+public class AccessControlTest extends IntegrationTest {
+
+ @Test
+ public void testLesson() {
+ startLesson("MissingFunctionAC");
+
+ Map params = new HashMap<>();
+ params.clear();
+ params.put("hiddenMenu1", "Users");
+ params.put("hiddenMenu2", "Config");
+
+
+ checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
+ String userHash =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .contentType(ContentType.JSON)
+ .get(url("/WebGoat/users"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .jsonPath()
+ .get("find { it.username == \"" + getWebgoatUser() + "\" }.userHash");
+
+ params.clear();
+ params.put("userHash", userHash);
+ checkAssignment(url("/WebGoat/access-control/user-hash"), params, true);
+
+
+ checkResults("/access-control");
+ }
+
+ @Data
+ public class Item {
+ private String username;
+ private boolean admin;
+ private String userHash;
+ }
+
+}
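Review bot: `Map params = new HashMap<>();` in testLesson is a raw type, so the diamond infers `HashMap<Object,Object>` and the compiler no longer checks the key/value types handed to checkAssignment; declare it as `Map<String, Object> params = new HashMap<>();` (or `Map<String, String>`, whichever checkAssignment's parameter declares — its signature lives in IntegrationTest, outside this patch) and drop the `params.clear();` that immediately follows construction, since the map is already empty. The nested `Item` class is never referenced anywhere in the test and, as a non-static inner class, carries a hidden reference to the enclosing test instance; remove it together with the now-unused `lombok.Data` import, or make it `static` if it is being kept for a later assertion. The GPath query on the `.get(...)` line is built by concatenating getWebgoatUser() into a Groovy expression, which breaks if the username ever contains a double quote; the value is a test fixture, so this is a robustness nit rather than a defect, but a short comment such as `// username is a fixed test fixture; GPath has no parameter binding` would explain why the concatenation is acceptable here.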
diff --git a/webgoat-lessons/idor/src/main/resources/html/IDOR.html b/webgoat-lessons/idor/src/main/resources/html/IDOR.html index 28d286fee..77f58adbd 100644 --- a/webgoat-lessons/idor/src/main/resources/html/IDOR.html +++ b/webgoat-lessons/idor/src/main/resources/html/IDOR.html @@ -161,7 +161,7 @@ action="/WebGoat/IDOR/profile/{userId}">