fix(body): only show deleted bodies to people with permission. Fixes …

…HELP-1873 (#386) * fix(body): only show deleted bodies to people with permission * chore(test): add tests
AEGEE · Nov 11, 2021 · c3f38eb · c3f38eb
1 parent 6ffeb7d
commit c3f38eb
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/middlewares/bodies.js b/middlewares/bodies.js
@@ -41,6 +41,10 @@ exports.listAllBodies = async (req, res) => {
 };
 
 exports.getBody = async (req, res) => {
+    if (req.currentBody.status === 'deleted' && (!req.user || !req.permissions.hasPermission('view_deleted:body'))) {
+        return errors.makeForbiddenError(res, 'Permission view_deleted:body is required, but not present.');
+    }
+
     return res.json({
         success: true,
         data: req.currentBody

diff --git a/test/api/bodies-details.test.js b/test/api/bodies-details.test.js
@@ -102,4 +102,57 @@ describe('Body details', () => {
         expect(res.body).not.toHaveProperty('errors');
         expect(res.body.data.id).toEqual(body.id);
     });
+
+    test('should return 403 if not logged in on a deleted body', async () => {
+        const body = await generator.createBody({ status: 'deleted' });
+
+        const res = await request({
+            uri: '/bodies/' + body.id,
+            method: 'GET'
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
+    test('should return 403 if no permissions on a deleted body', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const body = await generator.createBody({ status: 'deleted' });
+
+        const res = await request({
+            uri: '/bodies/' + body.id,
+            method: 'GET',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
+    test('should work for authorized user on a deleted body', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'view_deleted', object: 'body' });
+
+        const body = await generator.createBody({ status: 'deleted' });
+
+        const res = await request({
+            uri: '/bodies/' + body.id,
+            method: 'GET',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).toHaveProperty('data');
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body.data.id).toEqual(body.id);
+    });
 });