feat(general): checking permissions for permissions

AEGEE · Mar 15, 2020 · 6da0349 · 6da0349
1 parent 5ed1dc5
commit 6da0349
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 11 deletions.
diff --git a/middlewares/permissions.js b/middlewares/permissions.js
@@ -1,7 +1,9 @@
 const { Permission } = require('../models');
 const helpers = require('../lib/helpers');
+const errors = require('../lib/errors');
 
 exports.listAllPermissions = async (req, res) => {
+    // TODO: add filtering
     const result = await Permission.findAndCountAll({
         ...helpers.getPagination(req.query),
         order: helpers.getSorting(req.query)
@@ -15,15 +17,17 @@ exports.listAllPermissions = async (req, res) => {
 };
 
 exports.getPermission = async (req, res) => {
-    // TODO: check permissions
     return res.json({
         success: true,
         data: req.currentPermission
     });
 };
 
 exports.createPermission = async (req, res) => {
-    // TODO: check permissions
+    if (!req.permissions.hasPermission('global:create:permission')) {
+        return errors.makeForbiddenError(res, 'Permission global:create:permission is required, but not present.');
+    }
+
     const permission = await Permission.create(req.body);
     return res.json({
         success: true,
@@ -32,7 +36,10 @@ exports.createPermission = async (req, res) => {
 };
 
 exports.updatePermission = async (req, res) => {
-    // TODO: check permissions
+    if (!req.permissions.hasPermission('global:update:permission')) {
+        return errors.makeForbiddenError(res, 'Permission global:update:permission is required, but not present.');
+    }
+
     // TODO: filter out fields that are changed in the other way
     await req.currentPermission.update(req.body);
     return res.json({
@@ -42,7 +49,10 @@ exports.updatePermission = async (req, res) => {
 };
 
 exports.deletePermission = async (req, res) => {
-    // TODO: check permissions
+    if (!req.permissions.hasPermission('global:delete:permission')) {
+        return errors.makeForbiddenError(res, 'Permission global:delete:permission is required, but not present.');
+    }
+
     await req.currentPermission.destroy();
     return res.json({
         success: true,

diff --git a/test/api/permissions-creating.test.js b/test/api/permissions-creating.test.js
@@ -16,9 +16,11 @@ describe('Permissions creating', () => {
     });
 
     test('should fail if there are validation errors', async () => {
-        const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'create', object: 'permission' });
+
         const permission = generator.generatePermission({ scope: '' });
 
         const res = await request({
@@ -35,10 +37,31 @@ describe('Permissions creating', () => {
         expect(res.body.errors).toHaveProperty('scope');
     });
 
+    test('should fail if no permission', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const permission = generator.generatePermission();
+
+        const res = await request({
+            uri: '/permissions',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: permission
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
     test('should succeed if everything is okay', async () => {
-        const user = await generator.createUser({ username: 'test', mail_confirmed_at: new Date() });
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'create', object: 'permission' });
+
         const permission = generator.generatePermission();
 
         const res = await request({

diff --git a/test/api/permissions-deleting.test.js b/test/api/permissions-deleting.test.js
@@ -17,9 +17,11 @@ describe('Permissions deleting', () => {
     });
 
     test('should return 404 if the permission is not found', async () => {
-        const user = await generator.createUser();
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'delete', object: 'permission' });
+
         const res = await request({
             uri: '/permissions/1337',
             method: 'DELETE',
@@ -32,7 +34,7 @@ describe('Permissions deleting', () => {
         expect(res.body).toHaveProperty('message');
     });
 
-    test('should succeed if everything is okay', async () => {
+    test('should fail if no permission', async () => {
         const user = await generator.createUser();
         const token = await generator.createAccessToken({}, user);
 
@@ -44,6 +46,26 @@ describe('Permissions deleting', () => {
             headers: { 'X-Auth-Token': token.value }
         });
 
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
+    test('should succeed if everything is okay', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'delete', object: 'permission' });
+
+        const permission = await generator.createPermission();
+
+        const res = await request({
+            uri: '/permissions/' + permission.id,
+            method: 'DELETE',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
         expect(res.statusCode).toEqual(200);
         expect(res.body.success).toEqual(true);
         expect(res.body).not.toHaveProperty('errors');

diff --git a/test/api/permissions-editing.test.js b/test/api/permissions-editing.test.js
@@ -16,9 +16,11 @@ describe('Permissions details', () => {
     });
 
     test('should return 404 if the permission is not found', async () => {
-        const user = await generator.createUser();
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'update', object: 'permission' });
+
         const res = await request({
             uri: '/permissions/1337',
             method: 'PUT',
@@ -33,9 +35,11 @@ describe('Permissions details', () => {
     });
 
     test('should fail if there are validation errors', async () => {
-        const user = await generator.createUser();
+        const user = await generator.createUser({ superadmin: true });
         const token = await generator.createAccessToken({}, user);
 
+        await generator.createPermission({ scope: 'global', action: 'update', object: 'permission' });
+
         const permission = await generator.createPermission();
 
         const res = await request({
@@ -52,7 +56,7 @@ describe('Permissions details', () => {
         expect(res.body.errors).toHaveProperty('scope');
     });
 
-    test('should succeed if everything is okay', async () => {
+    test('should fail if no permission', async () => {
         const user = await generator.createUser();
         const token = await generator.createAccessToken({}, user);
 
@@ -65,6 +69,27 @@ describe('Permissions details', () => {
             body: { scope: 'local' }
         });
 
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).not.toHaveProperty('data');
+        expect(res.body).toHaveProperty('message');
+    });
+
+    test('should succeed if everything is okay', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'update', object: 'permission' });
+
+        const permission = await generator.createPermission();
+
+        const res = await request({
+            uri: '/permissions/' + permission.id,
+            method: 'PUT',
+            headers: { 'X-Auth-Token': token.value },
+            body: { scope: 'local' }
+        });
+
         expect(res.statusCode).toEqual(200);
         expect(res.body.success).toEqual(true);
         expect(res.body).not.toHaveProperty('errors');