Skip to content

Commit

Permalink
feat(general): checking permissions for body
Browse files Browse the repository at this point in the history
  • Loading branch information
@serge1peshcoff
serge1peshcoff committed Mar 5, 2020
1 parent 0c0c788 commit 4479116
Show file tree
Hide file tree
Showing 5 changed files with 164 additions and 18 deletions.
8 changes: 4 additions & 4 deletions lib/permissions-manager.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,9 @@ class PermissionsManager {
// istanbul ignore next
addPermissions(permissions) {
for (const permission of permissions) {
if (!this.permissionsMap[permission.id]) {
if (!this.permissionsMap[permission.combined]) {
this.permissions.push(permission);
this.permissionsMap[permission.id] = permission;
this.permissionsMap[permission.combined] = permission;
}
}
}
Expand All @@ -53,12 +53,12 @@ class PermissionsManager {
}

hasPermission(permission) {
const keys = this.getPermissionKeys(permission);
const keys = PermissionsManager.getPermissionKeys(permission);
return keys.some((key) => this.permissionsMap[key]);
}

getPermissionFilters(permission) {
const keys = this.getPermissionKeys(permission);
const keys = PermissionsManager.getPermissionKeys(permission);
for (const key of keys) {
if (this.permissionsMap[key]) {
return this.permissionsMap[key].filters.length > 0 ? this.permissionsMap[key].filters : undefined;
Expand Down
22 changes: 16 additions & 6 deletions middlewares/bodies.js
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
const { Body, User, BodyMembership } = require('../models');
const helpers = require('../lib/helpers');
const constants = require('../lib/constants');
const errors = require('../lib/errors');

exports.listAllBodies = async (req, res) => {
const result = await Body.findAndCountAll({
Expand All @@ -16,15 +17,17 @@ exports.listAllBodies = async (req, res) => {
};

exports.getBody = async (req, res) => {
// TODO: check permissions
return res.json({
success: true,
data: req.currentBody
});
};

exports.createBody = async (req, res) => {
// TODO: check permissions
if (!req.permissions.hasPermission('global:create:body')) {
return errors.makeForbiddenError(res, 'Permission global:create:body is required, but not present.');
}

// TODO: filter out fields that are changed in the other way
const body = await Body.create(req.body);
return res.json({
Expand All @@ -34,17 +37,24 @@ exports.createBody = async (req, res) => {
};

exports.updateBody = async (req, res) => {
// TODO: check permissions
// TODO: filter out fields that are changed in the other way
await req.currentBody.update(req.body);
if (!req.permissions.hasPermission('update:body')) {
return errors.makeForbiddenError(res, 'Permission update:body is required, but not present.');
}

await req.currentBody.update(req.body, { fields: req.permissions.getPermissionFilters('update:body') });
return res.json({
success: true,
data: req.currentBody
});
};

exports.setBodyStatus = async (req, res) => {
// TODO: check permissions
if (!req.permissions.hasPermission('global:delete:body')) {
return errors.makeForbiddenError(res, 'Permission global:delete:body is required, but not present.');
}

// TODO: delete all the join requests, payments, body memberships and circle memberships
// if the body is deleted.
await req.currentBody.update({ status: req.body.status });
return res.json({
success: true,
Expand Down
27 changes: 25 additions & 2 deletions test/api/bodies-creating.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,11 @@ describe('Bodies creating', () => {
});

test('should fail if there are validation errors', async () => {
const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date(), superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'create', object: 'body' });

const body = generator.generateBody({ email: 'invalid' });

const res = await request({
Expand All @@ -35,7 +37,7 @@ describe('Bodies creating', () => {
expect(res.body.errors).toHaveProperty('email');
});

test('should succeed if everything is okay', async () => {
test('should fail if no permissions', async () => {
const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
const token = await generator.createAccessToken({}, user);

Expand All @@ -48,6 +50,27 @@ describe('Bodies creating', () => {
body
});

expect(res.statusCode).toEqual(403);
expect(res.body.success).toEqual(false);
expect(res.body).not.toHaveProperty('data');
expect(res.body).toHaveProperty('message');
});

test('should succeed if everything is okay', async () => {
const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date(), superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'create', object: 'body' });

const body = generator.generateBody();

const res = await request({
uri: '/bodies/',
method: 'POST',
headers: { 'X-Auth-Token': token.value },
body
});

expect(res.statusCode).toEqual(200);
expect(res.body.success).toEqual(true);
expect(res.body).not.toHaveProperty('errors');
Expand Down
94 changes: 91 additions & 3 deletions test/api/bodies-editing.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,12 @@ describe('Bodies editing', () => {
});

test('should return 404 if the body is not found', async () => {
const user = await generator.createUser();
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'update', object: 'body' });


const res = await request({
uri: '/bodies/1337',
method: 'PUT',
Expand All @@ -33,9 +36,11 @@ describe('Bodies editing', () => {
});

test('should fail if there are validation errors', async () => {
const user = await generator.createUser();
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'update', object: 'body' });

const body = await generator.createBody();

const res = await request({
Expand All @@ -52,12 +57,33 @@ describe('Bodies editing', () => {
expect(res.body.errors).toHaveProperty('email');
});

test('should succeed if everything is okay', async () => {
test('should fail if no permissions', async () => {
const user = await generator.createUser();
const token = await generator.createAccessToken({}, user);

const body = await generator.createBody();

const res = await request({
uri: '/bodies/' + body.id,
method: 'PUT',
headers: { 'X-Auth-Token': token.value },
body: { email: 'invalid' }
});

expect(res.statusCode).toEqual(403);
expect(res.body.success).toEqual(false);
expect(res.body).not.toHaveProperty('data');
expect(res.body).toHaveProperty('message');
});

test('should succeed on global permission', async () => {
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'update', object: 'body' });

const body = await generator.createBody();

const res = await request({
uri: '/bodies/' + body.id,
method: 'PUT',
Expand All @@ -71,4 +97,66 @@ describe('Bodies editing', () => {
expect(res.body).toHaveProperty('data');
expect(res.body.data.email).toEqual('test@test.io');
});

test('should succeed on local permission', async () => {
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

const permission = await generator.createPermission({
scope: 'local',
action: 'update',
object: 'body'
});

const body = await generator.createBody();
const circle = await generator.createCircle({ body_id: body.id });
await generator.createBodyMembership(body, user);
await generator.createCircleMembership(circle, user);
await generator.createCirclePermission(circle, permission);

const res = await request({
uri: '/bodies/' + body.id,
method: 'PUT',
headers: { 'X-Auth-Token': token.value },
body: { email: 'test@test.io' }
});

expect(res.statusCode).toEqual(200);
expect(res.body.success).toEqual(true);
expect(res.body).not.toHaveProperty('errors');
expect(res.body).toHaveProperty('data');
expect(res.body.data.email).toEqual('test@test.io');
});

test('should respect filters', async () => {
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

const permission = await generator.createPermission({
scope: 'local',
action: 'update',
object: 'body',
filters: ['name']
});

const body = await generator.createBody({ name: 'aaa' });
const circle = await generator.createCircle({ body_id: body.id });
await generator.createBodyMembership(body, user);
await generator.createCircleMembership(circle, user);
await generator.createCirclePermission(circle, permission);

const res = await request({
uri: '/bodies/' + body.id,
method: 'PUT',
headers: { 'X-Auth-Token': token.value },
body: { email: 'test@test.io', name: 'bbb' }
});

expect(res.statusCode).toEqual(200);
expect(res.body.success).toEqual(true);
expect(res.body).not.toHaveProperty('errors');
expect(res.body).toHaveProperty('data');
expect(res.body.data.email).not.toEqual('test@test.io');
expect(res.body.data.name).toEqual('bbb');
});
});
31 changes: 28 additions & 3 deletions test/api/bodies-status.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,11 @@ describe('Bodies status', () => {
});

test('should return 404 if the body is not found', async () => {
const user = await generator.createUser();
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'delete', object: 'body' });

const res = await request({
uri: '/bodies/1337/status',
method: 'PUT',
Expand All @@ -33,9 +35,11 @@ describe('Bodies status', () => {
});

test('should fail if there are validation errors', async () => {
const user = await generator.createUser();
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'delete', object: 'body' });

const body = await generator.createBody();

const res = await request({
Expand All @@ -52,12 +56,33 @@ describe('Bodies status', () => {
expect(res.body.errors).toHaveProperty('status');
});

test('should succeed if everything is okay', async () => {
test('should fail if no permissions', async () => {
const user = await generator.createUser();
const token = await generator.createAccessToken({}, user);

const body = await generator.createBody();

const res = await request({
uri: '/bodies/' + body.id + '/status',
method: 'PUT',
headers: { 'X-Auth-Token': token.value },
body: { status: 'aaa' }
});

expect(res.statusCode).toEqual(403);
expect(res.body.success).toEqual(false);
expect(res.body).not.toHaveProperty('data');
expect(res.body).toHaveProperty('message');
});

test('should succeed if everything is okay', async () => {
const user = await generator.createUser({ superadmin: true });
const token = await generator.createAccessToken({}, user);

await generator.createPermission({ scope: 'global', action: 'delete', object: 'body' });

const body = await generator.createBody();

const res = await request({
uri: '/bodies/' + body.id + '/status',
method: 'PUT',
Expand Down

0 comments on commit 4479116

Please sign in to comment.