feat(general): permissions check for body members creating

AEGEE · Mar 5, 2020 · 25fb9b9 · 25fb9b9
1 parent 4479116
commit 25fb9b9
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 6 deletions.
diff --git a/middlewares/bodies.js b/middlewares/bodies.js
@@ -63,7 +63,10 @@ exports.setBodyStatus = async (req, res) => {
 };
 
 exports.createMember = async (req, res) => {
-    // TODO: check permissions
+    if (!req.permissions.hasPermission('create_member:body')) {
+        return errors.makeForbiddenError(res, 'Permission create_member:body is required, but not present.');
+    }
+
     // TODD: send mail to a user
 
     // Confirming user by default

diff --git a/test/api/body-members-creating.test.js b/test/api/body-members-creating.test.js
@@ -17,9 +17,11 @@ describe('Body members creating', () => {
     });
 
     test('should fail if there are validation errors', async () => {
-        const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'create_member', object: 'body' });
+
         const body = await generator.createBody();
         const member = generator.generateUser({ first_name: '   ' });
 
@@ -37,10 +39,12 @@ describe('Body members creating', () => {
         expect(res.body.errors).toHaveProperty('first_name');
     });
 
-    test('should succeed if everything is okay', async () => {
-        const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
+    test('should succeed if global permission', async () => {
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'create_member', object: 'body' });
+
         const body = await generator.createBody();
         const member = generator.generateUser();
 
@@ -57,10 +61,57 @@ describe('Body members creating', () => {
         expect(res.body).toHaveProperty('data');
     });
 
+    test('should succeed if local permission', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const permission = await generator.createPermission({ scope: 'local', action: 'create_member', object: 'body' });
+        const body = await generator.createBody();
+        const circle = await generator.createCircle({ body_id: body.id });
+        await generator.createCircleMembership(circle, user);
+        await generator.createCirclePermission(circle, permission);
+
+        const member = generator.generateUser();
+
+        const res = await request({
+            uri: '/bodies/' + body.id + '/create-member',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: member
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body).toHaveProperty('data');
+    });
+
+    test('should fail if no permissions', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const body = await generator.createBody();
+        const member = generator.generateUser();
+
+        const res = await request({
+            uri: '/bodies/' + body.id + '/create-member',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: member
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
     test('should remove extra fields', async () => {
-        const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'create_member', object: 'body' });
+
         const body = await generator.createBody();
         const member = generator.generateUser({ superadmin: true });
 
@@ -81,9 +132,11 @@ describe('Body members creating', () => {
     });
 
     test('should create a body membership', async () => {
-        const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'create_member', object: 'body' });
+
         const body = await generator.createBody();
         const member = generator.generateUser({ superadmin: true });