From 2231981880679a77726147befd54309073413181 Mon Sep 17 00:00:00 2001 From: Naz Date: Fri, 24 Mar 2023 11:23:42 +0100 Subject: [PATCH] Added e2e test checking integration access refs https://github.com/TryGhost/Team/issues/2790 - The Self-Serve Integration should only be accessible to the Owner and Admin user roles otherwise we risk accidental indirect increase in role permissions - Self-Serve Integration has permissions which editors/contributors don't have. --- .../__snapshots__/integrations.test.js.snap | 32 +++++++++++++++++++ .../test/e2e-api/admin/integrations.test.js | 29 +++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 ghost/core/test/e2e-api/admin/__snapshots__/integrations.test.js.snap diff --git a/ghost/core/test/e2e-api/admin/__snapshots__/integrations.test.js.snap b/ghost/core/test/e2e-api/admin/__snapshots__/integrations.test.js.snap new file mode 100644 index 0000000000..f72997f12f --- /dev/null +++ b/ghost/core/test/e2e-api/admin/__snapshots__/integrations.test.js.snap 
@@ -0,0 +1,32 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`Integrations API As Administrator Can't see Self-Serve or any other integration 1: [body] 1`] = ` +Object { + "errors": Array [ + Object { + "code": null, + "context": "You do not have permission to browse integrations", + "details": null, + "ghostErrorCode": null, + "help": null, + "id": StringMatching /\\[a-f0-9\\]\\{8\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{12\\}/, + "message": "Permission error, cannot list integrations.", + "property": null, + "type": "NoPermissionError", + }, + ], +} +`; + +exports[`Integrations API As Administrator Can't see Self-Serve or any other integration 2: [headers] 1`] = ` +Object { + "access-control-allow-origin": "http://127.0.0.1:2369", + "cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0", + "content-length": "280", + "content-type": "application/json; charset=utf-8", + "content-version": StringMatching /v\\\\d\\+\\\\\\.\\\\d\\+/, + "etag": StringMatching /\\(\\?:W\\\\/\\)\\?"\\(\\?:\\[ !#-\\\\x7E\\\\x80-\\\\xFF\\]\\*\\|\\\\r\\\\n\\[\\\\t \\]\\|\\\\\\\\\\.\\)\\*"/, + "vary": "Accept-Version, Origin, Accept-Encoding", + "x-powered-by": "Express", +} +`; diff --git a/ghost/core/test/e2e-api/admin/integrations.test.js b/ghost/core/test/e2e-api/admin/integrations.test.js index e0003f6393..71a2d6a746 100644 --- a/ghost/core/test/e2e-api/admin/integrations.test.js +++ b/ghost/core/test/e2e-api/admin/integrations.test.js @@ -4,6 +4,8 @@ const supertest = require('supertest'); const config = require('../../../core/shared/config'); const testUtils = require('../../utils'); const localUtils = require('./utils'); +const {agentProvider, fixtureManager, matchers} = require('../../utils/e2e-framework'); +const {anyEtag, anyErrorId, anyContentVersion} = matchers; describe('Integrations API', function () { let request; 
@@ -350,4 +352,31 @@ describe('Integrations API', function () {
 editRes.body.errors[0].context.should.eql('Integration not found.');
 });
+
+ describe('As Administrator', function () {
+ let agent;
+
+ before(async function () {
+ agent = await agentProvider.getAdminAPIAgent();
+ await fixtureManager.init('users', 'integrations');
+ await agent.loginAsContributor();
+ });
+
+ it('Can\'t see Self-Serve or any other integration', async function () {
+ await agent
+ .get('integrations')
+ .matchHeaderSnapshot({
+ 'content-version': anyContentVersion,
+ etag: anyEtag
+ })
+ .matchBodySnapshot({
+ errors: [
+ {
+ id: anyErrorId
+ }
+ ]
+ })
+ .expectStatus(403);
+ });
+ });
 });
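Review bot: The new describe block is titled 'As Administrator' but its before hook logs in with `agent.loginAsContributor()` and the test then expects a 403, so the suite name, and the snapshot key derived from it (`Integrations API As Administrator Can't see Self-Serve or any other integration`), contradicts what is actually asserted; per the commit message this is the contributor path, since only Owner and Admin are meant to reach the integration. Rename it `describe('As Contributor', function () {` and regenerate the snapshot so its key follows. As written the patch also covers only one non-privileged role and has no positive case showing an Admin still gets a 200 from the same `get('integrations')` call, so a regression that blanket-denies the route would pass; an editor/author case (if the e2e framework exposes matching login helpers) and an admin case would pin the permission boundary the commit describes. The enclosing outer `describe('Integrations API')` starts before this hunk.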