#130: Tests for new Request methods from Storage

saplingjs · Oct 23, 2021 · 7eb01fa · 7eb01fa
1 parent 3037602
commit 7eb01fa
Show file tree

Hide file tree

Showing 2 changed files with 652 additions and 54 deletions.
diff --git a/lib/Request.js b/lib/Request.js
@@ -8,8 +8,6 @@
 import _ from 'underscore';
 
 import { console } from './Cluster.js';
-import Response from './Response.js';
-import SaplingError from './SaplingError.js';
 import Validation from './Validation.js';
 
 
@@ -136,9 +134,53 @@ export default class Request {
 					}
 
 					/* If the data is a number, convert from string */
-					if (rule.type === 'number') {
+					if (rule && rule.type === 'number') {
 						request.body[key] = Number.parseFloat(request.body[key], 10);
 					}
+
+					/* Ignore CSRF tokens */
+					if (key === '_csrf') {
+						delete request.body[key];
+					}
+
+					/* In strict mode, don't allow unknown fields */
+					if (!rule && this.app.config.strict) {
+						console.warn('UNKNOWN FIELD', key);
+						delete request.body[key];
+					}
+
+					/* If this field has no defined access level, we can skip the rest of the checks */
+					if (!rule || !rule.access) {
+						continue;
+					}
+
+					/* Get the write access level */
+					const access = rule.access.w || rule.access;
+
+					/* If the field is owner-only, defer to individual op methods to check against it */
+					if (access === 'owner') {
+						continue;
+					}
+
+					/* Get the role from session, if any */
+					const role = this.app.user.getRole({ session: request.session });
+
+					/* If we do not have access, raise hell */
+					if (this.app.user.isRoleAllowed(role, access) === false) {
+						console.warn(`NO ACCESS TO FIELD '${key}'`);
+						console.warn(`Current permission level: ${role}`);
+						console.warn(`Required permission level: ${access}`);
+						delete request.body[key];
+					}
+				}
+			}
+
+			/* Go through every rule */
+			const rules = this.app.storage.getRules(collection);
+			for (const key in rules) {
+				/* If inserting, and a field with a default value is missing, apply default */
+				if (parts.length <= 2 && !(key in request.body) && 'default' in rules[key]) {
+					request.body[key] = rules[key].default;
 				}
 			}
 		}
@@ -161,21 +203,18 @@ export default class Request {
 	 * @param {object} request Request object from Express
 	 * @param {object} response Response object from Express
 	 */
-	validateData(request, response) {
-		const { collection, body, session, type } = request;
+	validateData(request) {
+		const { collection, body, type } = request;
 
 		/* Get the collection definition */
 		const rules = this.app.storage.getRules(collection);
 
 		let errors = [];
 		const data = body || {};
 
-		/* Get the role from session, if any */
-		const role = this.app.user.getRole({ session });
-
 		/* Model must be defined before pushing data */
 		if (Object.keys(rules).length === 0 && this.app.config.strict) {
-			new Response(this.app, request, response, new SaplingError({
+			return [{
 				status: '500',
 				code: '1010',
 				title: 'Non-existent',
@@ -184,30 +223,17 @@ export default class Request {
 					type: 'data',
 					error: 'nonexistent',
 				},
-			}));
-			return false;
+			}];
 		}
 
 		/* Go through every key in incoming data */
 		for (const key in data) {
 			if (Object.prototype.hasOwnProperty.call(data, key)) {
-				/* Ignore CSRF tokens */
-				if (key === '_csrf') {
-					delete data[key];
-				}
-
 				/* Get the corresponding ruleset */
 				const rule = this.app.storage.getRule(key, collection);
 
-				/* If the field isn't defined */
+				/* If the field isn't defined, skip */
 				if (!rule) {
-					/* In strict mode, don't allow unknown fields */
-					if (this.app.config.strict) {
-						console.warn('UNKNOWN FIELD', key);
-						delete data[key];
-					}
-
-					/* Otherwise skip this field */
 					continue;
 				}
 
@@ -216,27 +242,6 @@ export default class Request {
 				if (error.length > 0) {
 					errors = error;
 				}
-
-				/* If this field has no defined access level, we can skip the rest of the checks */
-				if (!rule.access) {
-					continue;
-				}
-
-				/* Get the write access level */
-				const access = rule.access.w || rule.access;
-
-				/* If the field is owner-only, defer to individual op methods to check against it */
-				if (access === 'owner') {
-					continue;
-				}
-
-				/* If we do not have access, raise hell */
-				if (this.app.user.isRoleAllowed(role, access) === false) {
-					console.warn(`NO ACCESS TO FIELD '${key}'`);
-					console.warn('Current permission level:', role);
-					console.warn('Required permission level:', access);
-					delete data[key];
-				}
 			}
 		}
 
@@ -249,10 +254,6 @@ export default class Request {
 					continue;
 				}
 
-				if (typeof rules[key] !== 'object') {
-					continue;
-				}
-
 				/* We now know the given field does not have a corresponding value
 				   in the incoming data */
 
@@ -269,11 +270,6 @@ export default class Request {
 						},
 					});
 				}
-
-				/* Set the data to the default value, if provided */
-				if ('default' in rules[key]) {
-					data[key] = rules[key].default;
-				}
 			}
 		}