/*globals describe, before, beforeEach, afterEach, after, it*/
var testUtils = require('../utils'),
should = require('should'),
sinon = require('sinon'),
when = require('when'),
_ = require("lodash"),
errors = require('../../server/errors'),
// Stuff we are testing
permissions = require('../../server/permissions'),
effectivePerms = require('../../server/permissions/effective'),
Models = require('../../server/models'),
UserProvider = Models.User,
PermissionsProvider = Models.Permission,
PostProvider = Models.Post;
describe('Permissions', function () {
var sandbox;

// Wipes every table. Shared by the hooks below so the suite always starts
// and ends with an empty database and no test leaves rows for the next one.
function resetDatabase(done) {
    testUtils.clearData()
        .then(function () {
            done();
        })
        .catch(done);
}

before(resetDatabase);

// Each test gets its own sinon sandbox plus the base fixtures, the default
// user and the default app.
beforeEach(function (done) {
    sandbox = sinon.sandbox.create();

    testUtils.initData()
        .then(testUtils.insertDefaultUser)
        .then(testUtils.insertDefaultApp)
        .then(function () {
            done();
        })
        .catch(done);
});

// Undo any stubs first, then clear whatever the test inserted.
afterEach(function (done) {
    sandbox.restore();
    resetDatabase(done);
});

after(resetDatabase);

var testPerms = [
        { act: "edit", obj: "post" },
        { act: "edit", obj: "tag" },
        { act: "edit", obj: "user" },
        { act: "edit", obj: "page" },
        { act: "add", obj: "post" },
        { act: "add", obj: "user" },
        { act: "add", obj: "page" },
        { act: "remove", obj: "post" },
        { act: "remove", obj: "user" }
    ],
    // Counter behind the generated permission names. It is never reset, so
    // generated names stay unique across the whole suite.
    currTestPermId = 1,
    // Inserts one permission row as user 1. When no name is supplied one is
    // generated as "test<n>" from the counter above.
    createPermission = function (name, act, obj) {
        var attrs;

        if (!name) {
            currTestPermId += 1;
            name = "test" + currTestPermId;
        }

        attrs = {
            name: name,
            action_type: act,
            object_type: obj
        };

        return PermissionsProvider.add(attrs, {user: 1});
    },
    // Inserts every entry of testPerms concurrently; resolves once all are in.
    // None of them is attached to a role or user.
    createTestPermissions = function () {
        return when.all(testPerms.map(function (perm) {
            return createPermission(null, perm.act, perm.obj);
        }));
    };

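it('can load an actions map from existing permissions', function (done) {
    // Object types that should be grouped under 'edit' once init() has run:
    // the ones created by createTestPermissions() plus those from the fixtures.
    var expectedEditable = ['post', 'tag', 'user', 'page', 'theme', 'setting'];

    createTestPermissions()
        .then(permissions.init)
        .then(function (actionsMap) {
            should.exist(actionsMap);

            // Sort copies: actionsMap is the module's shared state (asserted
            // below), so sorting it in place would reorder it for later tests.
            actionsMap.edit.slice().sort().should.eql(expectedEditable.slice().sort());

            // init() must hand back the very object it exposes as actionsMap.
            actionsMap.should.equal(permissions.actionsMap);

            done();
        })
        .catch(done);
});
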
it('can add user to role', function (done) {
    var existingUserRoles,
        testRole = new Models.Role({
            name: 'testrole1',
            description: 'testrole1 description'
        });

    UserProvider.findOne({id: 1}, { withRelated: ['roles'] })
        .then(function (foundUser) {
            should.exist(foundUser);
            should.exist(foundUser.roles());

            // Remember how many roles the user already has so the assertion
            // below does not depend on the fixture contents.
            existingUserRoles = foundUser.related('roles').length;

            // The role needs an id before it can go through the pivot table.
            return testRole.save(null, {user: 1}).then(function () {
                return foundUser.roles().attach(testRole);
            });
        })
        .then(function () {
            return UserProvider.findOne({id: 1}, { withRelated: ['roles'] });
        })
        .then(function (updatedUser) {
            should.exist(updatedUser);
            updatedUser.related('roles').length.should.equal(existingUserRoles + 1);
            done();
        })
        .catch(done);
});

it('can add user permissions', function (done) {
    var testPermission = new Models.Permission({
        name: "test edit posts",
        action_type: 'edit',
        object_type: 'post'
    });

    UserProvider.findOne({id: 1}, { withRelated: ['permissions']})
        .then(function (testUser) {
            // Baseline: the default user starts with no directly attached permissions.
            testUser.related('permissions').length.should.equal(0);

            return testPermission.save(null, {user: 1}).then(function () {
                return testUser.permissions().attach(testPermission);
            });
        })
        .then(function () {
            return UserProvider.findOne({id: 1}, { withRelated: ['permissions']});
        })
        .then(function (updatedUser) {
            should.exist(updatedUser);
            updatedUser.related('permissions').length.should.equal(1);
            done();
        })
        .catch(done);
});

it('can add role permissions', function (done) {
    var testRole = new Models.Role({
            name: "test2",
            description: "test2 description"
        }),
        rolePermission = new Models.Permission({
            name: "test edit posts",
            action_type: 'edit',
            object_type: 'post'
        });

    testRole.save(null, {user: 1})
        .then(function () {
            return testRole.load('permissions');
        })
        .then(function () {
            // A freshly created role has nothing attached yet.
            testRole.related('permissions').length.should.equal(0);

            return rolePermission.save(null, {user: 1});
        })
        .then(function () {
            return testRole.permissions().attach(rolePermission);
        })
        .then(function () {
            return Models.Role.findOne({id: testRole.id}, { withRelated: ['permissions']});
        })
        .then(function (updatedRole) {
            should.exist(updatedRole);
            updatedRole.related('permissions').length.should.equal(1);
            done();
        })
        .catch(done);
});

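it('does not allow edit post without permission', function (done) {
    var fakePage = {
        id: 1
    };

    createTestPermissions()
        .then(permissions.init)
        .then(function () {
            return UserProvider.findOne({id: 1});
        })
        .then(function (foundUser) {
            var canThisResult = permissions.canThis(foundUser);

            should.exist(canThisResult.edit);
            should.exist(canThisResult.edit.post);

            // NOTE(review): the check is made against 'page', not 'post'. The
            // permissions created by createTestPermissions() are attached to
            // no role or user, so 'edit page' is one user 1 cannot hold;
            // presumably user 1 gets 'edit post' through the fixtures. Confirm
            // against testUtils before switching this to edit.post.
            //
            // Only the permission check itself may reject. Its outcome is
            // handled on that promise alone so a failing should.exist above
            // still reaches the final catch, and so a rejection carrying no
            // reason is not forwarded into done() as a (vacuous) success.
            return canThisResult.edit.page(fakePage).then(function () {
                throw new Error("Allowed edit post without permission");
            }, function () {
                // Expected: the check was refused.
            });
        })
        .then(function () {
            done();
        })
        .catch(done);
});
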
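it('allows edit post with permission', function (done) {
    var fakePost = {
            id: "1"
        },
        newPerm;

    createTestPermissions()
        .then(permissions.init)
        .then(function () {
            return UserProvider.findOne({id: 1});
        })
        .then(function (foundUser) {
            newPerm = new Models.Permission({
                name: "test3 edit post",
                action_type: "edit",
                object_type: "post"
            });

            return newPerm.save(null, {user: 1}).then(function () {
                return foundUser.permissions().attach(newPerm);
            });
        })
        .then(function () {
            return UserProvider.findOne({id: 1}, { withRelated: ['permissions']});
        })
        .then(function (updatedUser) {
            var canThisResult,
                hasNewPerm;

            should.exist(updatedUser);

            // The grant must really be attached; otherwise a positive result
            // below could come from a role or fixture rather than from it.
            hasNewPerm = _.some(updatedUser.related('permissions').models, function (perm) {
                return perm.id === newPerm.id;
            });
            hasNewPerm.should.equal(true);

            // canThis is given the bare user id here, not the model.
            canThisResult = permissions.canThis(updatedUser.id);

            should.exist(canThisResult.edit);
            should.exist(canThisResult.edit.post);

            return canThisResult.edit.post(fakePost);
        })
        .then(function () {
            done();
        })
        .catch(done);
});
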
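it('can use permissable function on Model to allow something', function (done) {
    var testUser,
        // Sandbox stubs are undone by sandbox.restore() in afterEach.
        permissableStub = sandbox.stub(PostProvider, 'permissable', function () {
            return when.resolve();
        });

    testUtils.insertAuthorUser()
        .then(function () {
            return UserProvider.findAll();
        })
        .then(function (foundUsers) {
            // The second user is the author inserted above, not the default user.
            testUser = foundUsers.models[1];

            return permissions.canThis(testUser).edit.post(123);
        })
        .then(function () {
            // canThis must delegate to the model's permissable() with the
            // object id and the full context.
            permissableStub.calledWith(123, { user: testUser.id, app: null, internal: false }).should.equal(true);

            done();
        })
        .catch(function (err) {
            // A refused check, or a failed calledWith assertion, has to fail
            // the test rather than be logged and passed. The stub may reject
            // with no reason, hence the fallback Error.
            done(err || new Error("Did not allow testUser"));
        });
});
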
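it('can use permissable function on Model to forbid something', function (done) {
    var testUser,
        // Sandbox stubs are undone by sandbox.restore() in afterEach.
        permissableStub = sandbox.stub(PostProvider, 'permissable', function () {
            return when.reject();
        });

    testUtils.insertAuthorUser()
        .then(function () {
            return UserProvider.findAll();
        })
        .then(function (foundUsers) {
            // The second user is the author inserted above, not the default user.
            testUser = foundUsers.models[1];

            // Only this check is expected to reject. Its outcome is handled on
            // this promise alone, so a failure while setting up (insert,
            // findAll) still reaches the final catch instead of being mistaken
            // for a refusal, and an assertion failure in the rejection handler
            // fails the test instead of becoming an unhandled rejection.
            return permissions.canThis(testUser).edit.post(123).then(function () {
                throw new Error("Allowed testUser to edit post");
            }, function () {
                // Expected refusal: canThis must have asked permissable() with
                // the object id and the full context.
                permissableStub.calledWith(123, { user: testUser.id, app: null, internal: false }).should.equal(true);
            });
        })
        .then(function () {
            done();
        })
        .catch(done);
});
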
it("can get effective user permissions", function (done) {
    // User 1 is the default user; its effective permission set must be
    // non-empty once the fixtures are loaded.
    effectivePerms.user(1)
        .then(function (effectivePermissions) {
            should.exist(effectivePermissions);
            effectivePermissions.length.should.be.above(0);
            done();
        })
        .catch(done);
});

it('can check an apps effective permissions', function (done) {
    // 'Kudos' is presumably the app inserted by insertDefaultApp in beforeEach;
    // its effective permission set must be non-empty.
    effectivePerms.app('Kudos')
        .then(function (effectivePermissions) {
            should.exist(effectivePermissions);
            effectivePermissions.length.should.be.above(0);
            done();
        })
        .catch(done);
});

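it('does not allow an app to edit a post without permission', function (done) {
    var updatedPost,
        updatedUser;

    // Change the author of the post so the author override doesn't affect the test
    PostProvider.edit({id: 1, 'author_id': 2})
        .then(function (post) {
            updatedPost = post;
            return UserProvider.findOne({id: 1});
        })
        .then(function (foundUser) {
            // Give the user itself an explicit edit post grant, so a refusal
            // further down can only come from the app side of the context.
            var newPerm = new Models.Permission({
                name: "app test edit post",
                action_type: "edit",
                object_type: "post"
            });

            updatedUser = foundUser;

            return newPerm.save(null, {user: 1}).then(function () {
                return foundUser.permissions().attach(newPerm);
            });
        })
        .then(function () {
            // Sanity check: with no app in the context the user may edit the
            // post. Throw rather than calling done() here, so the chain stops
            // and done() is invoked exactly once by the final handlers.
            return permissions.canThis({ user: updatedUser.id })
                .edit
                .post(updatedPost.id)
                .catch(function () {
                    throw new Error("Did not allow user 1 to edit post 1");
                });
        })
        .then(function () {
            // Confirm the app cannot edit it. Only this check may legitimately
            // reject, so its rejection handler is attached to it alone.
            // NOTE(review): 'Hemingway' is presumably an app that is not in the
            // fixtures (the default app elsewhere in this file is 'Kudos');
            // confirm in testUtils.
            return permissions.canThis({ app: 'Hemingway', user: updatedUser.id })
                .edit
                .post(updatedPost.id)
                .then(function () {
                    throw new Error("Allowed an edit of post 1");
                }, function () {
                    // Expected refusal.
                });
        })
        .then(function () {
            done();
        })
        .catch(done);
});
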
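it('allows an app to edit a post with permission', function (done) {
    // 'Kudos' is presumably the app inserted by insertDefaultApp in beforeEach
    // and is expected to carry an edit post permission; confirm in testUtils.
    permissions.canThis({ app: 'Kudos', user: 1 })
        .edit
        .post(1)
        .then(function () {
            done();
        })
        .catch(function (err) {
            // Reaching here means the edit was refused (the previous message
            // claimed the opposite). Keep the rejection reason when there is one.
            done(err || new Error("Did not allow app Kudos to edit post 1"));
        });
});
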
it('checks for null context passed and rejects', function (done) {
    // No context at all must never be treated as a permitted request.
    var check = permissions.canThis(undefined).edit.post(1);

    check
        .then(function () {
            done(new Error("Should not allow editing post"));
        })
        .catch(function () {
            // Rejected as required.
            done();
        });
});

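it('allows \'internal\' to be passed for internal requests', function (done) {
    // Using tag here because post implements the custom permissable interface
    permissions.canThis('internal')
        .edit
        .tag(1)
        .then(function () {
            done();
        })
        .catch(function (err) {
            // The check is on a tag, not a post; report that and keep the
            // rejection reason when there is one.
            done(err || new Error("Should allow editing tag with 'internal'"));
        });
});
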
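it('allows { internal: true } to be passed for internal requests', function (done) {
    // Using tag here because post implements the custom permissable interface
    permissions.canThis({ internal: true })
        .edit
        .tag(1)
        .then(function () {
            done();
        })
        .catch(function (err) {
            // The check is on a tag, not a post; report that and keep the
            // rejection reason when there is one.
            done(err || new Error("Should allow editing tag with { internal: true }"));
        });
});
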
});