Proyectos de Subversion Moodle

<?php

// This file is part of Moodle - http://moodle.org/

//

// Moodle is free software: you can redistribute it and/or modify

// it under the terms of the GNU General Public License as published by

// the Free Software Foundation, either version 3 of the License, or

// (at your option) any later version.

//

// Moodle is distributed in the hope that it will be useful,

// but WITHOUT ANY WARRANTY; without even the implied warranty of

// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

// GNU General Public License for more details.

//

// You should have received a copy of the GNU General Public License

// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

namespace tool_dataprivacy;

use core\invalid_persistent_exception;

use core\task\manager;

use testing_data_generator;

use tool_dataprivacy\local\helper;

use tool_dataprivacy\task\process_data_request_task;

use tool_dataprivacy\task\initiate_data_request_task;

/**

 * API tests.

 *

 * @package    tool_dataprivacy

 * @covers     \tool_dataprivacy\api

 * @copyright  2018 Jun Pataleta

 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later

 */

class api_test extends \advanced_testcase {

    /**

     * Ensure that the check_can_manage_data_registry function fails cap testing when a user without capabilities is

     * tested with the default context.

     */

    public function test_check_can_manage_data_registry_admin(): void {

        $this->resetAfterTest();

        $this->setAdminUser();

        // Technically this actually returns void, but assertNull will suffice to avoid a pointless test.

        $this->assertNull(api::check_can_manage_data_registry());

    }

    /**

     * Ensure that the check_can_manage_data_registry function fails cap testing when a user without capabilities is

     * tested with the default context.

     */

    public function test_check_can_manage_data_registry_without_cap_default(): void {

        $this->resetAfterTest();

        $user = $this->getDataGenerator()->create_user();

        $this->setUser($user);

        $this->expectException(\required_capability_exception::class);

        api::check_can_manage_data_registry();

    }

    /**

     * Ensure that the check_can_manage_data_registry function fails cap testing when a user without capabilities is

     * tested with the default context.

     */

    public function test_check_can_manage_data_registry_without_cap_system(): void {

        $this->resetAfterTest();

        $user = $this->getDataGenerator()->create_user();

        $this->setUser($user);

        $this->expectException(\required_capability_exception::class);

        api::check_can_manage_data_registry(\context_system::instance()->id);

    }

    /**

     * Ensure that the check_can_manage_data_registry function fails cap testing when a user without capabilities is

     * tested with the default context.

     */

    public function test_check_can_manage_data_registry_without_cap_own_user(): void {

        $this->resetAfterTest();

        $user = $this->getDataGenerator()->create_user();

        $this->setUser($user);

        $this->expectException(\required_capability_exception::class);

        api::check_can_manage_data_registry(\context_user::instance($user->id)->id);

    }

    /**

     * Test for api::update_request_status().

     */

    public function test_update_request_status(): void {

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $s1 = $generator->create_user();

        $this->setUser($s1);

        // Create the sample data request.

        $datarequest = api::create_data_request($s1->id, api::DATAREQUEST_TYPE_EXPORT);

        $requestid = $datarequest->get('id');

        // Update with a comment.

        $comment = 'This is an example of a comment';

        $result = api::update_request_status($requestid, api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, $comment);

        $this->assertTrue($result);

        $datarequest = new data_request($requestid);

        $this->assertStringEndsWith($comment, $datarequest->get('dpocomment'));

        // Update with a comment which will be trimmed.

        $result = api::update_request_status($requestid, api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, '  ');

        $this->assertTrue($result);

        $datarequest = new data_request($requestid);

        $this->assertStringEndsWith($comment, $datarequest->get('dpocomment'));

        // Update with a comment.

        $secondcomment = '  - More comments -  ';

        $result = api::update_request_status($requestid, api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, $secondcomment);

        $this->assertTrue($result);

        $datarequest = new data_request($requestid);

        $this->assertMatchesRegularExpression("/.*{$comment}.*{$secondcomment}/s", $datarequest->get('dpocomment'));

        // Update with a valid status.

        $result = api::update_request_status($requestid, api::DATAREQUEST_STATUS_DOWNLOAD_READY);

        $this->assertTrue($result);

        // Fetch the request record again.

        $datarequest = new data_request($requestid);

        $this->assertEquals(api::DATAREQUEST_STATUS_DOWNLOAD_READY, $datarequest->get('status'));

        // Update with an invalid status.

        $this->expectException(invalid_persistent_exception::class);

        api::update_request_status($requestid, -1);

    }

    /**

     * Test for api::get_site_dpos() when there are no users with the DPO role.

     */

    public function test_get_site_dpos_no_dpos(): void {

        $this->resetAfterTest();

        $admin = get_admin();

        $dpos = api::get_site_dpos();

        $this->assertCount(1, $dpos);

        $dpo = reset($dpos);

        $this->assertEquals($admin->id, $dpo->id);

    }

    /**

     * Test for api::get_site_dpos() when there are no users with the DPO role.

     */

    public function test_get_site_dpos(): void {

        global $DB;

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $u1 = $generator->create_user();

        $u2 = $generator->create_user();

        $context = \context_system::instance();

        // Give the manager role with the capability to manage data requests.

        $managerroleid = $DB->get_field('role', 'id', array('shortname' => 'manager'));

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $managerroleid, $context->id, true);

        // Assign u1 as a manager.

        role_assign($managerroleid, $u1->id, $context->id);

        // Give the editing teacher role with the capability to manage data requests.

        $editingteacherroleid = $DB->get_field('role', 'id', array('shortname' => 'editingteacher'));

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $editingteacherroleid, $context->id, true);

        // Assign u1 as an editing teacher as well.

        role_assign($editingteacherroleid, $u1->id, $context->id);

        // Assign u2 as an editing teacher.

        role_assign($editingteacherroleid, $u2->id, $context->id);

        // Only map the manager role to the DPO role.

        set_config('dporoles', $managerroleid, 'tool_dataprivacy');

        $dpos = api::get_site_dpos();

        $this->assertCount(1, $dpos);

        $dpo = reset($dpos);

        $this->assertEquals($u1->id, $dpo->id);

    }

    /**

     * Test for \tool_dataprivacy\api::get_assigned_privacy_officer_roles().

     */

    public function test_get_assigned_privacy_officer_roles(): void {

        global $DB;

        $this->resetAfterTest();

        // Erroneously set the manager roles as the PO, even if it doesn't have the managedatarequests capability yet.

        $managerroleid = $DB->get_field('role', 'id', array('shortname' => 'manager'));

        set_config('dporoles', $managerroleid, 'tool_dataprivacy');

        // Get the assigned PO roles when nothing has been set yet.

        $roleids = api::get_assigned_privacy_officer_roles();

        // Confirm that the returned list is empty.

        $this->assertEmpty($roleids);

        $context = \context_system::instance();

        // Give the manager role with the capability to manage data requests.

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $managerroleid, $context->id, true);

        // Give the editing teacher role with the capability to manage data requests.

        $editingteacherroleid = $DB->get_field('role', 'id', array('shortname' => 'editingteacher'));

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $editingteacherroleid, $context->id, true);

        // Get the non-editing teacher role ID.

        $teacherroleid = $DB->get_field('role', 'id', array('shortname' => 'teacher'));

        // Erroneously map the manager and the non-editing teacher roles to the PO role.

        $badconfig = $managerroleid . ',' . $teacherroleid;

        set_config('dporoles', $badconfig, 'tool_dataprivacy');

        // Get the assigned PO roles.

        $roleids = api::get_assigned_privacy_officer_roles();

        // There should only be one PO role.

        $this->assertCount(1, $roleids);

        // Confirm it contains the manager role.

        $this->assertContainsEquals($managerroleid, $roleids);

        // And it does not contain the editing teacher role.

        $this->assertNotContainsEquals($editingteacherroleid, $roleids);

    }

    /**

     * Test for api::approve_data_request().

     */

    public function test_approve_data_request(): void {

        global $DB;

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $s1 = $generator->create_user();

        $u1 = $generator->create_user();

        $context = \context_system::instance();

        // Manager role.

        $managerroleid = $DB->get_field('role', 'id', array('shortname' => 'manager'));

        // Give the manager role with the capability to manage data requests.

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $managerroleid, $context->id, true);

        // Assign u1 as a manager.

        role_assign($managerroleid, $u1->id, $context->id);

        // Map the manager role to the DPO role.

        set_config('dporoles', $managerroleid, 'tool_dataprivacy');

        // Create the sample data request.

        $this->setUser($s1);

        $datarequest = api::create_data_request($s1->id, api::DATAREQUEST_TYPE_EXPORT);

        $requestid = $datarequest->get('id');

        // Make this ready for approval.

        api::update_request_status($requestid, api::DATAREQUEST_STATUS_AWAITING_APPROVAL);

        $this->setUser($u1);

        $result = api::approve_data_request($requestid);

        $this->assertTrue($result);

        $datarequest = new data_request($requestid);

        $this->assertEquals($u1->id, $datarequest->get('dpo'));

        $this->assertEquals(api::DATAREQUEST_STATUS_APPROVED, $datarequest->get('status'));

        // Test adhoc task creation.

        $adhoctasks = manager::get_adhoc_tasks(process_data_request_task::class);

        $this->assertCount(1, $adhoctasks);

    }

    /**

     * Test for api::approve_data_request() when allow filtering of exports by course.

     */

    public function test_approve_data_request_with_allow_filtering(): void {

        global $DB;

        $this->resetAfterTest();

        set_config('allowfiltering', 1, 'tool_dataprivacy');

        $this->setAdminUser();

        $generator = new testing_data_generator();

        $s1 = $generator->create_user();

        $u1 = $generator->create_user();

        $context = \context_system::instance();

        // Manager role.

        $managerroleid = $DB->get_field('role', 'id', array('shortname' => 'manager'));

        // Give the manager role with the capability to manage data requests.

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $managerroleid, $context->id, true);

        // Assign u1 as a manager.

        role_assign($managerroleid, $u1->id, $context->id);

        // Map the manager role to the DPO role.

        set_config('dporoles', $managerroleid, 'tool_dataprivacy');

        $course = $this->getDataGenerator()->create_course([]);

        $coursecontext1 = \context_course::instance($course->id);

        $this->getDataGenerator()->enrol_user($s1->id, $course->id, 'student');

        $datarequest = api::create_data_request($s1->id, api::DATAREQUEST_TYPE_EXPORT);

        $requestid = $datarequest->get('id');

        ob_start();

        $this->runAdhocTasks('tool_dataprivacy\task\initiate_data_request_task');

        ob_end_clean();

        $this->setUser($u1);

        $result = api::approve_data_request($requestid, [$coursecontext1]);

        $this->assertTrue($result);

        $datarequest = new data_request($requestid);

        $this->assertEquals($u1->id, $datarequest->get('dpo'));

        $this->assertEquals(api::DATAREQUEST_STATUS_APPROVED, $datarequest->get('status'));

        // Test adhoc task creation.

        $adhoctasks = manager::get_adhoc_tasks(process_data_request_task::class);

        $this->assertCount(1, $adhoctasks);

    }

    /**

     * Test for api::approve_data_request() when called by a user who doesn't have the DPO role.

     */

    public function test_approve_data_request_non_dpo_user(): void {

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $student = $generator->create_user();

        $teacher = $generator->create_user();

        // Create the sample data request.

        $this->setUser($student);

        $datarequest = api::create_data_request($student->id, api::DATAREQUEST_TYPE_EXPORT);

        $requestid = $datarequest->get('id');

        // Login as a user without DPO role.

        $this->setUser($teacher);

        $this->expectException(\required_capability_exception::class);

        api::approve_data_request($requestid);

    }

    /**

     * Test for api::add_request_contexts_with_status().

     */

    public function test_add_request_contexts_with_status(): void {

        global $DB;

        $this->resetAfterTest();

        set_config('allowfiltering', 1, 'tool_dataprivacy');

        $this->setAdminUser();

        $user = $this->getDataGenerator()->create_user();

        $course = $this->getDataGenerator()->create_course(['startdate' => time() - YEARSECS, 'enddate' => time() - YEARSECS]);

        $coursecontext = \context_course::instance($course->id);

        $this->getDataGenerator()->enrol_user($user->id, $course->id, 'student');

        // Create the initial contextlist.

        $initialcollection = new \core_privacy\local\request\contextlist_collection($user->id);

        $contextlist = new \core_privacy\local\request\contextlist();

        $contextlist->add_from_sql('SELECT id FROM {context} WHERE id = :contextid', ['contextid' => $coursecontext->id]);

        $contextlist->set_component('tool_dataprivacy');

        $initialcollection->add_contextlist($contextlist);

        $datarequest = api::create_data_request($user->id, api::DATAREQUEST_TYPE_EXPORT);

        $requestid = $datarequest->get('id');

        ob_start();

        api::add_request_contexts_with_status($initialcollection, $requestid, contextlist_context::STATUS_PENDING);

        ob_end_clean();

        $result = $DB->get_record('tool_dataprivacy_ctxlst_ctx', ['contextid' => $coursecontext->id]);

        $this->assertEquals($result->status, contextlist_context::STATUS_PENDING);

        $result1 = $DB->get_field('tool_dataprivacy_rqst_ctxlst', 'requestid', ['contextlistid' => $result->contextlistid]);

        $this->assertEquals($result1, $requestid);

    }

    /**

     * Test that deletion requests for the primary admin are rejected

     */

    public function test_reject_data_deletion_request_primary_admin(): void {

        $this->resetAfterTest();

        $this->setAdminUser();

        $datarequest = api::create_data_request(get_admin()->id, api::DATAREQUEST_TYPE_DELETE);

        // Approve the request and execute the ad-hoc process task.

        ob_start();

        api::approve_data_request($datarequest->get('id'));

        $this->runAdhocTasks('\tool_dataprivacy\task\process_data_request_task');

        ob_end_clean();

        $request = api::get_request($datarequest->get('id'));

        $this->assertEquals(api::DATAREQUEST_STATUS_REJECTED, $request->get('status'));

        // Confirm they weren't deleted.

        $user = \core_user::get_user($request->get('userid'));

        \core_user::require_active_user($user);

    }

    /**

     * Test for api::can_contact_dpo()

     */

    public function test_can_contact_dpo(): void {

        $this->resetAfterTest();

        // Default ('contactdataprotectionofficer' is disabled by default).

        $this->assertFalse(api::can_contact_dpo());

        // Enable.

        set_config('contactdataprotectionofficer', 1, 'tool_dataprivacy');

        $this->assertTrue(api::can_contact_dpo());

        // Disable again.

        set_config('contactdataprotectionofficer', 0, 'tool_dataprivacy');

        $this->assertFalse(api::can_contact_dpo());

    }

    /**

     * Test for api::can_manage_data_requests()

     */

    public function test_can_manage_data_requests(): void {

        global $DB;

        $this->resetAfterTest();

        // No configured site DPOs yet.

        $admin = get_admin();

        $this->assertTrue(api::can_manage_data_requests($admin->id));

        $generator = new testing_data_generator();

        $dpo = $generator->create_user();

        $nondpocapable = $generator->create_user();

        $nondpoincapable = $generator->create_user();

        $context = \context_system::instance();

        // Manager role.

        $managerroleid = $DB->get_field('role', 'id', array('shortname' => 'manager'));

        // Give the manager role with the capability to manage data requests.

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $managerroleid, $context->id, true);

        // Assign u1 as a manager.

        role_assign($managerroleid, $dpo->id, $context->id);

        // Editing teacher role.

        $editingteacherroleid = $DB->get_field('role', 'id', array('shortname' => 'editingteacher'));

        // Give the editing teacher role with the capability to manage data requests.

        assign_capability('tool/dataprivacy:managedatarequests', CAP_ALLOW, $managerroleid, $context->id, true);

        // Assign u2 as an editing teacher.

        role_assign($editingteacherroleid, $nondpocapable->id, $context->id);

        // Map only the manager role to the DPO role.

        set_config('dporoles', $managerroleid, 'tool_dataprivacy');

        // User with capability and has DPO role.

        $this->assertTrue(api::can_manage_data_requests($dpo->id));

        // User with capability but has no DPO role.

        $this->assertFalse(api::can_manage_data_requests($nondpocapable->id));

        // User without the capability and has no DPO role.

        $this->assertFalse(api::can_manage_data_requests($nondpoincapable->id));

    }

    /**

     * Test that a user who has no capability to make any data requests for children cannot create data requests for any

     * other user.

     */

    public function test_can_create_data_request_for_user_no(): void {

        $this->resetAfterTest();

        $parent = $this->getDataGenerator()->create_user();

        $otheruser = $this->getDataGenerator()->create_user();

        $this->setUser($parent);

        $this->assertFalse(api::can_create_data_request_for_user($otheruser->id));

    }

    /**

     * Test that a user who has the capability to make any data requests for one other user cannot create data requests

     * for any other user.

     */

    public function test_can_create_data_request_for_user_some(): void {

        $this->resetAfterTest();

        $parent = $this->getDataGenerator()->create_user();

        $child = $this->getDataGenerator()->create_user();

        $otheruser = $this->getDataGenerator()->create_user();

        $systemcontext = \context_system::instance();

        $parentrole = $this->getDataGenerator()->create_role();

        assign_capability('tool/dataprivacy:makedatarequestsforchildren', CAP_ALLOW, $parentrole, $systemcontext);

        role_assign($parentrole, $parent->id, \context_user::instance($child->id));

        $this->setUser($parent);

        $this->assertFalse(api::can_create_data_request_for_user($otheruser->id));

    }

    /**

     * Test that a user who has the capability to make any data requests for one other user cannot create data requests

     * for any other user.

     */

    public function test_can_create_data_request_for_user_own_child(): void {

        $this->resetAfterTest();

        $parent = $this->getDataGenerator()->create_user();

        $child = $this->getDataGenerator()->create_user();

        $systemcontext = \context_system::instance();

        $parentrole = $this->getDataGenerator()->create_role();

        assign_capability('tool/dataprivacy:makedatarequestsforchildren', CAP_ALLOW, $parentrole, $systemcontext);

        role_assign($parentrole, $parent->id, \context_user::instance($child->id));

        $this->setUser($parent);

        $this->assertTrue(api::can_create_data_request_for_user($child->id));

    }

    /**

     * Test that a user who has no capability to make any data requests for children cannot create data requests for any

     * other user.

     */

    public function test_require_can_create_data_request_for_user_no(): void {

        $this->resetAfterTest();

        $parent = $this->getDataGenerator()->create_user();

        $otheruser = $this->getDataGenerator()->create_user();

        $this->setUser($parent);

        $this->expectException('required_capability_exception');

        api::require_can_create_data_request_for_user($otheruser->id);

    }

    /**

     * Test that a user who has the capability to make any data requests for one other user cannot create data requests

     * for any other user.

     */

    public function test_require_can_create_data_request_for_user_some(): void {

        $this->resetAfterTest();

        $parent = $this->getDataGenerator()->create_user();

        $child = $this->getDataGenerator()->create_user();

        $otheruser = $this->getDataGenerator()->create_user();

        $systemcontext = \context_system::instance();

        $parentrole = $this->getDataGenerator()->create_role();

        assign_capability('tool/dataprivacy:makedatarequestsforchildren', CAP_ALLOW, $parentrole, $systemcontext);

        role_assign($parentrole, $parent->id, \context_user::instance($child->id));

        $this->setUser($parent);

        $this->expectException('required_capability_exception');

        api::require_can_create_data_request_for_user($otheruser->id);

    }

    /**

     * Test that a user who has the capability to make any data requests for one other user cannot create data requests

     * for any other user.

     */

    public function test_require_can_create_data_request_for_user_own_child(): void {

        $this->resetAfterTest();

        $parent = $this->getDataGenerator()->create_user();

        $child = $this->getDataGenerator()->create_user();

        $systemcontext = \context_system::instance();

        $parentrole = $this->getDataGenerator()->create_role();

        assign_capability('tool/dataprivacy:makedatarequestsforchildren', CAP_ALLOW, $parentrole, $systemcontext);

        role_assign($parentrole, $parent->id, \context_user::instance($child->id));

        $this->setUser($parent);

        $this->assertTrue(api::require_can_create_data_request_for_user($child->id));

    }

    /**

     * Test for api::can_download_data_request_for_user()

     */

    public function test_can_download_data_request_for_user(): void {

        $this->resetAfterTest();

        $generator = $this->getDataGenerator();

        // Three victims.

        $victim1 = $generator->create_user();

        $victim2 = $generator->create_user();

        $victim3 = $generator->create_user();

        // Assign a user as victim 1's parent.

        $systemcontext = \context_system::instance();

        $parentrole = $generator->create_role();

        assign_capability('tool/dataprivacy:makedatarequestsforchildren', CAP_ALLOW, $parentrole, $systemcontext);

        $parent = $generator->create_user();

        role_assign($parentrole, $parent->id, \context_user::instance($victim1->id));

        // Assign another user as data access wonder woman.

        $wonderrole = $generator->create_role();

        assign_capability('tool/dataprivacy:downloadallrequests', CAP_ALLOW, $wonderrole, $systemcontext);

        $staff = $generator->create_user();

        role_assign($wonderrole, $staff->id, $systemcontext);

        // Finally, victim 3 has been naughty; stop them accessing their own data.

        $naughtyrole = $generator->create_role();

        assign_capability('tool/dataprivacy:downloadownrequest', CAP_PROHIBIT, $naughtyrole, $systemcontext);

        role_assign($naughtyrole, $victim3->id, $systemcontext);

        // Victims 1 and 2 can access their own data, regardless of who requested it.

        $this->assertTrue(api::can_download_data_request_for_user($victim1->id, $victim1->id, $victim1->id));

        $this->assertTrue(api::can_download_data_request_for_user($victim2->id, $staff->id, $victim2->id));

        // Victim 3 cannot access his own data.

        $this->assertFalse(api::can_download_data_request_for_user($victim3->id, $victim3->id, $victim3->id));

        // Victims 1 and 2 cannot access another victim's data.

        $this->assertFalse(api::can_download_data_request_for_user($victim2->id, $victim1->id, $victim1->id));

        $this->assertFalse(api::can_download_data_request_for_user($victim1->id, $staff->id, $victim2->id));

        // Staff can access everyone's data.

        $this->assertTrue(api::can_download_data_request_for_user($victim1->id, $victim1->id, $staff->id));

        $this->assertTrue(api::can_download_data_request_for_user($victim2->id, $staff->id, $staff->id));

        $this->assertTrue(api::can_download_data_request_for_user($victim3->id, $staff->id, $staff->id));

        // Parent can access victim 1's data only if they requested it.

        $this->assertTrue(api::can_download_data_request_for_user($victim1->id, $parent->id, $parent->id));

        $this->assertFalse(api::can_download_data_request_for_user($victim1->id, $staff->id, $parent->id));

        $this->assertFalse(api::can_download_data_request_for_user($victim2->id, $parent->id, $parent->id));

    }

    /**

     * Data provider for data request creation tests.

     *

     * @return array

     */

    public function data_request_creation_provider() {

        return [

            'Export request by user, automatic approval off' => [

                false, api::DATAREQUEST_TYPE_EXPORT, 'automaticdataexportapproval', false, 0,

                api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, 0

            ],

            'Export request by user, automatic approval on' => [

                false, api::DATAREQUEST_TYPE_EXPORT, 'automaticdataexportapproval', true, 0,

                api::DATAREQUEST_STATUS_APPROVED, 1 , 0

            ],

            'Export request by PO, automatic approval off' => [

                true, api::DATAREQUEST_TYPE_EXPORT, 'automaticdataexportapproval', false, 0,

                api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, 0

            ],

            'Export request by PO, automatic approval off, allow filtering of exports by course' => [

                    true, api::DATAREQUEST_TYPE_EXPORT, 'automaticdataexportapproval', false, 0,

                    api::DATAREQUEST_STATUS_PENDING, 0, 1

            ],

            'Export request by PO, automatic approval on' => [

                true, api::DATAREQUEST_TYPE_EXPORT, 'automaticdataexportapproval', true, 'dpo',

                api::DATAREQUEST_STATUS_APPROVED, 1, 0

            ],

            'Delete request by user, automatic approval off' => [

                false, api::DATAREQUEST_TYPE_DELETE, 'automaticdatadeletionapproval', false, 0,

                api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, 0

            ],

            'Delete request by user, automatic approval on' => [

                false, api::DATAREQUEST_TYPE_DELETE, 'automaticdatadeletionapproval', true, 0,

                api::DATAREQUEST_STATUS_APPROVED, 1, 0

            ],

            'Delete request by PO, automatic approval off' => [

                true, api::DATAREQUEST_TYPE_DELETE, 'automaticdatadeletionapproval', false, 0,

                api::DATAREQUEST_STATUS_AWAITING_APPROVAL, 0, 0

            ],

            'Delete request by PO, automatic approval on' => [

                true, api::DATAREQUEST_TYPE_DELETE, 'automaticdatadeletionapproval', true, 'dpo',

                api::DATAREQUEST_STATUS_APPROVED, 1, 0

            ],

        ];

    }

    /**

     * Test for api::create_data_request()

     *

     * @dataProvider data_request_creation_provider

     * @param bool $asprivacyofficer Whether the request is made as the Privacy Officer or the user itself.

     * @param string $type The data request type.

     * @param string $setting The automatic approval setting.

     * @param bool $automaticapproval Whether automatic data request approval is turned on or not.

     * @param int|string $expecteddpoval The expected value for the 'dpo' field. 'dpo' means we'd the expected value would be the

     *                                   user ID of the privacy officer which happens in the case where a PO requests on behalf of

     *                                   someone else and automatic data request approval is turned on.

     * @param int $expectedstatus The expected status of the data request.

     * @param int $expectedtaskcount The number of expected queued data requests tasks.

     * @param bool $allowfiltering Whether allow filtering of exports by course turn on or off.

     * @throws coding_exception

     * @throws invalid_persistent_exception

     */

    public function test_create_data_request(

        $asprivacyofficer,

        $type,

        $setting,

        $automaticapproval,

        $expecteddpoval,

        $expectedstatus,

        $expectedtaskcount,

        $allowfiltering,

    ): void {

        global $USER;

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $user = $generator->create_user();

        $comment = 'sample comment';

        // Login.

        if ($asprivacyofficer) {

            $this->setAdminUser();

        } else {

            $this->setUser($user->id);

        }

        // Set the automatic data request approval setting value.

        set_config($setting, $automaticapproval, 'tool_dataprivacy');

        // If set to 'dpo' use the currently logged-in user's ID (which should be the admin user's ID).

        if ($expecteddpoval === 'dpo') {

            $expecteddpoval = $USER->id;

        }

        if ($allowfiltering) {

            set_config('allowfiltering', 1, 'tool_dataprivacy');

        }

        // Test data request creation.

        $datarequest = api::create_data_request($user->id, $type, $comment);

        $this->assertEquals($user->id, $datarequest->get('userid'));

        $this->assertEquals($USER->id, $datarequest->get('requestedby'));

        $this->assertEquals($expecteddpoval, $datarequest->get('dpo'));

        $this->assertEquals($type, $datarequest->get('type'));

        $this->assertEquals($expectedstatus, $datarequest->get('status'));

        $this->assertEquals($comment, $datarequest->get('comments'));

        $this->assertEquals($automaticapproval, $datarequest->get('systemapproved'));

        // Test number of queued data request tasks.

        $datarequesttasks = manager::get_adhoc_tasks(process_data_request_task::class);

        $this->assertCount($expectedtaskcount, $datarequesttasks);

        if ($allowfiltering) {

            // Test number of queued initiate data request tasks.

            $datarequesttasks = manager::get_adhoc_tasks(initiate_data_request_task::class);

            $this->assertCount(1, $datarequesttasks);

        }

    }

    /**

     * Test for api::create_data_request() made by a parent.

     */

    public function test_create_data_request_by_parent(): void {

        global $DB;

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $user = $generator->create_user();

        $parent = $generator->create_user();

        $comment = 'sample comment';

        // Get the teacher role pretend it's the parent roles ;).

        $systemcontext = \context_system::instance();

        $usercontext = \context_user::instance($user->id);

        $parentroleid = $DB->get_field('role', 'id', array('shortname' => 'teacher'));

        // Give the manager role with the capability to manage data requests.

        assign_capability('tool/dataprivacy:makedatarequestsforchildren', CAP_ALLOW, $parentroleid, $systemcontext->id, true);

        // Assign the parent to user.

        role_assign($parentroleid, $parent->id, $usercontext->id);

        // Login as the user's parent.

        $this->setUser($parent);

        // Test data request creation.

        $datarequest = api::create_data_request($user->id, api::DATAREQUEST_TYPE_EXPORT, $comment);

        $this->assertEquals($user->id, $datarequest->get('userid'));

        $this->assertEquals($parent->id, $datarequest->get('requestedby'));

        $this->assertEquals(0, $datarequest->get('dpo'));

        $this->assertEquals(api::DATAREQUEST_TYPE_EXPORT, $datarequest->get('type'));

        $this->assertEquals(api::DATAREQUEST_STATUS_AWAITING_APPROVAL, $datarequest->get('status'));

        $this->assertEquals($comment, $datarequest->get('comments'));

    }

    /**

     * Test for api::deny_data_request()

     */

    public function test_deny_data_request(): void {

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $user = $generator->create_user();

        $comment = 'sample comment';

        // Login as user.

        $this->setUser($user->id);

        // Test data request creation.

        $datarequest = api::create_data_request($user->id, api::DATAREQUEST_TYPE_EXPORT, $comment);

        // Login as the admin (default DPO when no one is set).

        $this->setAdminUser();

        // Make this ready for approval.

        api::update_request_status($datarequest->get('id'), api::DATAREQUEST_STATUS_AWAITING_APPROVAL);

        // Deny the data request.

        $result = api::deny_data_request($datarequest->get('id'));

        $this->assertTrue($result);

    }

    /**

     * Data provider for \tool_dataprivacy_api_testcase::test_get_data_requests().

     *

     * @return array

     */

    public function get_data_requests_provider() {

        $completeonly = [api::DATAREQUEST_STATUS_COMPLETE, api::DATAREQUEST_STATUS_DOWNLOAD_READY, api::DATAREQUEST_STATUS_DELETED];

        $completeandcancelled = array_merge($completeonly, [api::DATAREQUEST_STATUS_CANCELLED]);

        return [

            // Own data requests.

            ['user', false, $completeonly],

            // Non-DPO fetching all requets.

            ['user', true, $completeonly],

            // Admin fetching all completed and cancelled requests.

            ['dpo', true, $completeandcancelled],

            // Admin fetching all completed requests.

            ['dpo', true, $completeonly],

            // Guest fetching all requests.

            ['guest', true, $completeonly],

        ];

    }

    /**

     * Test for api::get_data_requests()

     *

     * @dataProvider get_data_requests_provider

     * @param string $usertype The type of the user logging in.

     * @param boolean $fetchall Whether to fetch all records.

     * @param int[] $statuses Status filters.

     */

    public function test_get_data_requests($usertype, $fetchall, $statuses): void {

        $this->resetAfterTest();

        $generator = new testing_data_generator();

        $user1 = $generator->create_user();

        $user2 = $generator->create_user();

        $user3 = $generator->create_user();

        $user4 = $generator->create_user();

        $user5 = $generator->create_user();

        $users = [$user1, $user2, $user3, $user4, $user5];

        switch ($usertype) {

            case 'user':

                $loggeduser = $user1;

                break;

            case 'dpo':

                $loggeduser = get_admin();

                break;

            case 'guest':

                $loggeduser = guest_user();

                break;

        }

        $comment = 'Data %s request comment by user %d';

        $exportstring = helper::get_shortened_request_type_string(api::DATAREQUEST_TYPE_EXPORT);

        $deletionstring = helper::get_shortened_request_type_string(api::DATAREQUEST_TYPE_DELETE);

        // Make a data requests for the users.

        foreach ($users as $user) {

            $this->setUser($user);

            api::create_data_request($user->id, api::DATAREQUEST_TYPE_EXPORT, sprintf($comment, $exportstring, $user->id));

            api::create_data_request($user->id, api::DATAREQUEST_TYPE_EXPORT, sprintf($comment, $deletionstring, $user->id));

        }

        // Log in as the target user.

        $this->setUser($loggeduser);

        // Get records count based on the filters.

        $userid = $loggeduser->id;

        if ($fetchall) {

            $userid = 0;

        }

        $count = api::get_data_requests_count($userid);

        if (api::is_site_dpo($loggeduser->id)) {

            // DPOs should see all the requests.

            $this->assertEquals(count($users) * 2, $count);

        } else {

            if (empty($userid)) {

                // There should be no data requests for this user available.

                $this->assertEquals(0, $count);

            } else {

                // There should be only one (request with pending status).

                $this->assertEquals(2, $count);

            }

        }

        // Get data requests.

        $requests = api::get_data_requests($userid);

        // The number of requests should match the count.

        $this->assertCount($count, $requests);

        // Test filtering by status.

        if ($count && !empty($statuses)) {

            $filteredcount = api::get_data_requests_count($userid, $statuses);

            // There should be none as they are all pending.

            $this->assertEquals(0, $filteredcount);

            $filteredrequests = api::get_data_requests($userid, $statuses);

            $this->assertCount($filteredcount, $filteredrequests);

            $statuscounts = [];

            foreach ($statuses as $stat) {

                $statuscounts[$stat] = 0;

            }

            $numstatus = count($statuses);

            // Get all requests with status filter and update statuses, randomly.

            foreach ($requests as $request) {

                if (rand(0, 1)) {

                    continue;

                }

                if ($numstatus > 1) {

                    $index = rand(0, $numstatus - 1);

                    $status = $statuses[$index];

                } else {

                    $status = reset($statuses);

                }

                $statuscounts[$status]++;

                api::update_request_status($request->get('id'), $status);

            }

            $total = array_sum($statuscounts);

            $filteredcount = api::get_data_requests_count($userid, $statuses);

            $this->assertEquals($total, $filteredcount);

            $filteredrequests = api::get_data_requests($userid, $statuses);

            $this->assertCount($filteredcount, $filteredrequests);

            // Confirm the filtered requests match the status filter(s).

            foreach ($filteredrequests as $request) {

                $this->assertContainsEquals($request->get('status'), $statuses);

            }

            if ($numstatus > 1) {

                // Fetch by individual status to check the numbers match.

                foreach ($statuses as $status) {

                    $filteredcount = api::get_data_requests_count($userid, [$status]);

                    $this->assertEquals($statuscounts[$status], $filteredcount);

                    $filteredrequests = api::get_data_requests($userid, [$status]);

                    $this->assertCount($filteredcount, $filteredrequests);

                }

            }

        }

    }

    /**

     * Test for api::get_approved_contextlist_collection_for_request.

     */

    public function test_get_approved_contextlist_collection_for_request(): void {

        $this->resetAfterTest();

        set_config('allowfiltering', 1, 'tool_dataprivacy');

        $this->setAdminUser();

        $user = $this->getDataGenerator()->create_user();

        $course = $this->getDataGenerator()->create_course([]);

        $forum = $this->getDataGenerator()->create_module('forum', ['course' => $course->id]);

        $generator = $this->getDataGenerator()->get_plugin_generator('mod_forum');

        $record = new \stdClass();

        $record->course = $course->id;

        $record->userid = $user->id;

        $record->forum = $forum->id;

        $generator->create_discussion($record);

        $generator->create_discussion($record);

        $coursecontext1 = \context_course::instance($course->id);

        $forumcontext1 = \context_module::instance($forum->cmid);

        $this->getDataGenerator()->enrol_user($user->id, $course->id, 'student');

        $datarequest = api::create_data_request($user->id, api::DATAREQUEST_TYPE_EXPORT);

        ob_start();

        $this->runAdhocTasks('tool_dataprivacy\task\initiate_data_request_task');

        ob_end_clean();

        api::approve_contexts_belonging_to_request($datarequest->get('id'), [$coursecontext1->id]);

        $contextlistcollection = api::get_approved_contextlist_collection_for_request($datarequest);

        $approvecontexts = [];

        foreach ($contextlistcollection->get_contextlists() as $contextlist) {

            foreach ($contextlist->get_contextids() as $contextid) {

                $approvecontexts[] = $contextid;

            }

        }

        $this->assertContains(strval($coursecontext1->id), $approvecontexts);

        $this->assertContains(strval($forumcontext1->id), $approvecontexts);

    }

    /**

     * Data provider for test_has_ongoing_request.

     */