Added e2e test checking integration access

refs https://github.com/TryGhost/Team/issues/2790 - The Self-Serve Integration should only be accessible to the Owner and Admin user roles otherwise we risk accidental indirect increase in role permissions - Self-Serve Integration has permissions which editors/contributors don't have.
2025-01-20 22:42:53 -05:00 · 2023-03-24 11:23:42 +01:00 · 2023-03-24 11:23:42 +01:00 · 2231981880
commit 2231981880
parent fe4e9897fc
2 changed files with 61 additions and 0 deletions
--- a/ghost/core/test/e2e-api/admin/snapshots/integrations.test.js.snap
+++ b/ghost/core/test/e2e-api/admin/snapshots/integrations.test.js.snap
@ -0,0 +1,32 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 exports[`Integrations API As Administrator Can't see Self-Serve or any other integration 1: [body] 1`] = `
 Object {
  "errors": Array [
    Object {
      "code": null,
      "context": "You do not have permission to browse integrations",
      "details": null,
      "ghostErrorCode": null,
      "help": null,
      "id": StringMatching /\\[a-f0-9\\]\\{8\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{12\\}/,
      "message": "Permission error, cannot list integrations.",
      "property": null,
      "type": "NoPermissionError",
    },
  ],
 }
 `;
 exports[`Integrations API As Administrator Can't see Self-Serve or any other integration 2: [headers] 1`] = `
 Object {
  "access-control-allow-origin": "http://127.0.0.1:2369",
  "cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
  "content-length": "280",
  "content-type": "application/json; charset=utf-8",
  "content-version": StringMatching /v\\\\d\\+\\\\\\.\\\\d\\+/,
  "etag": StringMatching /\\(\\?:W\\\\/\\)\\?"\\(\\?:\\[ !#-\\\\x7E\\\\x80-\\\\xFF\\]\\*\\|\\\\r\\\\n\\[\\\\t \\]\\|\\\\\\\\\\.\\)\\*"/,
  "vary": "Accept-Version, Origin, Accept-Encoding",
  "x-powered-by": "Express",
 }
 `;
--- a/ghost/core/test/e2e-api/admin/integrations.test.js
+++ b/ghost/core/test/e2e-api/admin/integrations.test.js
@ -4,6 +4,8 @@ const supertest = require('supertest');
 const config = require('../../../core/shared/config');
 const testUtils = require('../../utils');
 const localUtils = require('./utils');
 const {agentProvider, fixtureManager, matchers} = require('../../utils/e2e-framework');
 const {anyEtag, anyErrorId, anyContentVersion} = matchers;
 describe('Integrations API', function () {
    let request;
@ -350,4 +352,31 @@ describe('Integrations API', function () {
        editRes.body.errors[0].context.should.eql('Integration not found.');
    });
    describe('As Administrator', function () {
        let agent;
        before(async function () {
            agent = await agentProvider.getAdminAPIAgent();
            await fixtureManager.init('users', 'integrations');
            await agent.loginAsContributor();
        });
        it('Can\'t see Self-Serve or any other integration', async function () {
            await agent
                .get('integrations')
                .matchHeaderSnapshot({
                    'content-version': anyContentVersion,
                    etag: anyEtag
                })
                .matchBodySnapshot({
                    errors: [
                        {
                            id: anyErrorId
                        }
                    ]
                })
                .expectStatus(403);
        });
    });
 });