feat(circles): adding and deleting permissions

AEGEE · Apr 19, 2020 · f95f47b · f95f47b
1 parent e7ece27
commit f95f47b
Show file tree

Hide file tree

Showing 4 changed files with 230 additions and 0 deletions.
diff --git a/lib/server.js b/lib/server.js
@@ -123,6 +123,8 @@ JoinRequestsRouter.put('/status', joinRequests.changeRequestStatus);
 CirclesRouter.use(middlewares.maybeAuthorize, middlewares.ensureAuthorized, fetch.fetchCircle);
 CirclesRouter.get('/my_permissions', myPermissions.getMyPermissions);
 CirclesRouter.get('/permissions', circles.getCirclePermissions);
+CirclesRouter.post('/permissions', circles.addPermission);
+CirclesRouter.delete('/permissions/:permission_id', circles.deletePermission);
 CirclesRouter.get('/', circles.getCircle);
 CirclesRouter.put('/parent', circles.setParentCircle);
 CirclesRouter.post('/members/:user_id', circles.createCircleMembership);

diff --git a/middlewares/circles.js b/middlewares/circles.js
@@ -153,3 +153,48 @@ exports.createCircleMembership = async (req, res) => {
         data: circleMembership
     });
 };
+
+exports.addPermission = async (req, res) => {
+    if (!req.permissions.hasPermission('put_permissions:circle')) {
+        return errors.makeForbiddenError(res, 'Permission put_permissions:circle is required, but not present.');
+    }
+
+    const permission = await Permission.findByPk(req.body.permission_id);
+    if (!permission) {
+        return errors.makeNotFoundError(res, 'The permission is not found.');
+    }
+
+    await CirclePermission.create({
+        circle_id: req.currentCircle.id,
+        permission_id: permission.id
+    });
+
+    return res.json({
+        success: true,
+        message: 'Permission was added to circle.'
+    });
+};
+
+exports.deletePermission = async (req, res) => {
+    if (!req.permissions.hasPermission('put_permissions:circle')) {
+        return errors.makeForbiddenError(res, 'Permission put_permissions:circle is required, but not present.');
+    }
+
+    const circlePermission = await CirclePermission.findOne({
+        where: {
+            circle_id: req.currentCircle.id,
+            permission_id: req.params.permission_id
+        }
+    });
+
+    if (!circlePermission) {
+        return errors.makeNotFoundError(res, 'The permission does not belong to this circle.');
+    }
+
+    await circlePermission.destroy();
+
+    return res.json({
+        success: true,
+        message: 'Permission was deleted from circle.'
+    });
+};
diff --git a/test/api/circles-add-permission.test.js b/test/api/circles-add-permission.test.js
@@ -0,0 +1,103 @@
+const { startServer, stopServer } = require('../../lib/server.js');
+const { request } = require('../scripts/helpers');
+const generator = require('../scripts/generator');
+
+describe('Circle add permission', () => {
+    beforeAll(async () => {
+        await startServer();
+    });
+
+    afterAll(async () => {
+        await stopServer();
+    });
+
+    afterEach(async () => {
+        await generator.clearAll();
+    });
+
+    test('should fail without permission', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const circle = await generator.createCircle();
+        const permission = await generator.createPermission();
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: { permission_id: permission.id }
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('message');
+        expect(res.body).not.toHaveProperty('data');
+    });
+
+    test('should fail if permission is not found', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'put_permissions', object: 'circle' });
+
+        const circle = await generator.createCircle();
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: { permission_id: -1 }
+        });
+
+        expect(res.statusCode).toEqual(404);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('message');
+        expect(res.body).not.toHaveProperty('data');
+    });
+
+    test('should fail if permission is already there', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'put_permissions', object: 'circle' });
+
+        const circle = await generator.createCircle();
+        const permission = await generator.createPermission();
+        await generator.createCirclePermission(circle, permission);
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: { permission_id: permission.id }
+        });
+
+        expect(res.statusCode).toEqual(422);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('errors');
+        expect(res.body).not.toHaveProperty('data');
+    });
+
+    test('should succeed if everything\'s okay', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'put_permissions', object: 'circle' });
+
+        const circle = await generator.createCircle();
+        const permission = await generator.createPermission();
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            body: { permission_id: permission.id }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).toHaveProperty('message');
+        expect(res.body).not.toHaveProperty('errors');
+    });
+});
diff --git a/test/api/circles-delete-permission.test.js b/test/api/circles-delete-permission.test.js
@@ -0,0 +1,80 @@
+const { startServer, stopServer } = require('../../lib/server.js');
+const { request } = require('../scripts/helpers');
+const generator = require('../scripts/generator');
+
+describe('Circle add permission', () => {
+    beforeAll(async () => {
+        await startServer();
+    });
+
+    afterAll(async () => {
+        await stopServer();
+    });
+
+    afterEach(async () => {
+        await generator.clearAll();
+    });
+
+    test('should fail without permission', async () => {
+        const user = await generator.createUser();
+        const token = await generator.createAccessToken({}, user);
+
+        const circle = await generator.createCircle();
+        const permission = await generator.createPermission();
+        await generator.createCirclePermission(circle, permission);
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions/' + permission.id,
+            method: 'DELETE',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(403);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('message');
+        expect(res.body).not.toHaveProperty('data');
+    });
+
+    test('should fail if permission doesn\'t beleong to circle', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'put_permissions', object: 'circle' });
+
+        const circle = await generator.createCircle();
+        const permission = await generator.createPermission();
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions/' + permission.id,
+            method: 'DELETE',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(404);
+        expect(res.body.success).toEqual(false);
+        expect(res.body).toHaveProperty('message');
+        expect(res.body).not.toHaveProperty('data');
+    });
+
+    test('should succeed if everything\'s okay', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'put_permissions', object: 'circle' });
+
+        const circle = await generator.createCircle();
+        const permission = await generator.createPermission();
+        await generator.createCirclePermission(circle, permission);
+
+        const res = await request({
+            uri: '/circles/' + circle.id + '/permissions/' + permission.id,
+            method: 'DELETE',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).toHaveProperty('message');
+        expect(res.body).not.toHaveProperty('errors');
+    });
+});