From da3630071aa4ca391d0e58b44dafe1a91b92f2ef Mon Sep 17 00:00:00 2001 From: Sebastian Gierlinger Date: Thu, 10 Apr 2014 17:56:56 +0200 Subject: [PATCH] Added and fixed permission tests - fixed test for db functions - added tests for different users --- core/test/integration/api/api_db_spec.js | 85 ++++++++++++++++++--- core/test/integration/api/api_posts_spec.js | 4 +- core/test/integration/api/api_users_spec.js | 83 +++++++++++++++++--- core/test/utils/index.js | 14 ++-- 4 files changed, 157 insertions(+), 29 deletions(-) diff --git a/core/test/integration/api/api_db_spec.js b/core/test/integration/api/api_db_spec.js index eb0ec2bd3d..5f11154976 100644 --- a/core/test/integration/api/api_db_spec.js +++ b/core/test/integration/api/api_db_spec.js @@ -18,13 +18,15 @@ describe('DB API', function () { }); beforeEach(function (done) { - testUtils.initData() - .then(function () { - return testUtils.insertDefaultFixtures(); - }) - .then(function () { - done(); - }, done); + testUtils.initData().then(function () { + return testUtils.insertDefaultFixtures(); + }).then(function () { + return testUtils.insertEditorUser(); + }).then(function () { + return testUtils.insertAuthorUser(); + }).then(function () { + done(); + }, done); }); afterEach(function (done) { @@ -35,7 +37,7 @@ describe('DB API', function () { it('delete all content', function (done) { permissions.init().then(function () { - return dbAPI.deleteAllContent(); + return dbAPI.deleteAllContent.call({user: 1}); }).then(function (result){ should.exist(result.message); result.message.should.equal('Successfully deleted all content from your blog.') 
@@ -50,8 +52,71 @@ describe('DB API', function () { results.posts.length.should.equal(0); done(); }); - }).otherwise(function () { - done() + }).otherwise(function (error) { + done(new Error(JSON.stringify(error))); + }); + }); + + it('delete all content is denied', function (done) { + permissions.init().then(function () { + return dbAPI.deleteAllContent.call({user: 2}); + }).then(function (){ + done(new Error("Delete all content is not denied for editor.")); + }, function (error) { + error.code.should.eql(403); + return dbAPI.deleteAllContent.call({user: 3}); + }).then(function (){ + done(new Error("Delete all content is not denied for author.")); + }, function (error) { + error.code.should.eql(403); + return dbAPI.deleteAllContent(); + }).then(function (){ + done(new Error("Delete all content is not denied without authentication.")); + }, function (error) { + error.code.should.eql(403); + done(); + }); + }); + + it('export content is denied', function (done) { + permissions.init().then(function () { + return dbAPI.exportContent.call({user: 2}); + }).then(function (){ + done(new Error("Export content is not denied for editor.")); + }, function (error) { + error.code.should.eql(403); + return dbAPI.exportContent.call({user: 3}); + }).then(function (){ + done(new Error("Export content is not denied for author.")); + }, function (error) { + error.code.should.eql(403); + return dbAPI.exportContent(); + }).then(function (){ + done(new Error("Export content is not denied without authentication.")); + }, function (error) { + error.code.should.eql(403); + done(); + }); + }); + + it('import content is denied', function (done) { + permissions.init().then(function () { + return dbAPI.importContent.call({user: 2}); + }).then(function (result){ + done(new Error("Import content is not denied for editor.")); + }, function (error) { + error.code.should.eql(403); + return dbAPI.importContent.call({user: 3}); + }).then(function (result){ + done(new Error("Import content is not 
denied for author.")); + }, function (error) { + error.code.should.eql(403); + return dbAPI.importContent(); + }).then(function (result){ + done(new Error("Import content is not denied without authentication.")); + }, function (error) { + error.code.should.eql(403); + done(); }); }); }); \ No newline at end of file diff --git a/core/test/integration/api/api_posts_spec.js b/core/test/integration/api/api_posts_spec.js index f956144e19..a332adfd90 100644 --- a/core/test/integration/api/api_posts_spec.js +++ b/core/test/integration/api/api_posts_spec.js @@ -30,7 +30,7 @@ describe('Post API', function () { }, done); }); - it('can browse', function (done) { + it('browse', function (done) { PostAPI.browse().then(function (results) { should.exist(results); testUtils.API.checkResponse(results, 'posts'); @@ -41,7 +41,7 @@ describe('Post API', function () { }).then(null, done); }); - it('can read', function (done) { + it('read', function (done) { var firstPost; PostAPI.browse().then(function (results) { diff --git a/core/test/integration/api/api_users_spec.js b/core/test/integration/api/api_users_spec.js index cf117fa048..ee8de77ef7 100644 --- a/core/test/integration/api/api_users_spec.js +++ b/core/test/integration/api/api_users_spec.js @@ -16,13 +16,15 @@ describe('Users API', function () { }); beforeEach(function (done) { - testUtils.initData() - .then(function () { - return testUtils.insertDefaultFixtures(); - }) - .then(function () { - done(); - }, done); + testUtils.initData().then(function () { + return testUtils.insertDefaultFixtures(); + }).then(function () { + return testUtils.insertEditorUser(); + }).then(function () { + return testUtils.insertAuthorUser(); + }).then(function () { + done(); + }, done); }); afterEach(function (done) { 
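Review bot: The three new 'is denied' tests in api_db_spec.js assert only `error.code.should.eql(403)`, so a call that rejects with 403 after it has already changed data would still pass. For 'delete all content is denied' I would re-read the posts after the last rejection and assert that the fixtures are still there. If the assertion in the final rejection handler throws, nothing reports it and the test ends by timeout; closing each chain with `.then(null, done)`, as the posts spec already does, surfaces the failure. In the changed `.otherwise` of 'delete all content', `JSON.stringify(error)` yields `{}` for an Error instance, so `done(error instanceof Error ? error : new Error(JSON.stringify(error)))` keeps the message.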
@@ -31,16 +33,77 @@ describe('Users API', function () { }, done); }); - it('can browse', function (done) { + it('browse', function (done) { permissions.init().then(function () { - return UsersAPI.browse.call({user:1}) + return UsersAPI.browse.call({user: 1}); + }).then(function (results) { + should.exist(results); + results.length.should.be.above(0); + testUtils.API.checkResponse(results[0], 'user'); + }, function (error) { + done(new Error(JSON.stringify(error))); + }).then(function () { + return UsersAPI.browse.call({user: 2}); + }).then(function (results) { + should.exist(results); + results.length.should.be.above(0); + testUtils.API.checkResponse(results[0], 'user'); + }, function (error) { + done(new Error(JSON.stringify(error))); + }).then(function () { + return UsersAPI.browse.call({user: 3}); }).then(function (results) { should.exist(results); results.length.should.be.above(0); testUtils.API.checkResponse(results[0], 'user'); done(); - }).otherwise(function () { + }, function (error) { + done(new Error(JSON.stringify(error))); + }) + }); + it('browse denied', function (done) { + permissions.init().then(function () { + return UsersAPI.browse(); + }).then(function (results) { + done(new Error("Browse user is not denied without authentication.")); + }, function () { done(); }); }); + it('read', function (done) { + permissions.init().then(function () { + return UsersAPI.read.call({user: 1}, {id: 1}); + }).then(function (result) { + should.exist(result); + result.id.should.eql(1); + testUtils.API.checkResponse(result, 'user'); + }, function (error) { + done(new Error(JSON.stringify(error))); + }).then(function () { + return UsersAPI.read.call({user: 2}, {id: 1}); + }).then(function (result) { + should.exist(result); + result.id.should.eql(1); + testUtils.API.checkResponse(result, 'user'); + }, function (error) { + done(new Error(JSON.stringify(error))); + }).then(function () { + return UsersAPI.read.call({user: 3}, {id: 1}); + }).then(function (result) { + 
should.exist(result); + result.id.should.eql(1); + testUtils.API.checkResponse(result, 'user'); + }, function (error) { + done(new Error(JSON.stringify(error))); + }).then(function () { + return UsersAPI.read({id: 1}); + }).then(function (result) { + should.exist(result); + result.id.should.eql(1); + testUtils.API.checkResponse(result, 'user'); + done(); + }, function (error) { + done(new Error(JSON.stringify(error))); + }); + }); }); \ No newline at end of file diff --git a/core/test/utils/index.js b/core/test/utils/index.js index bfd2a3ee65..aae3913809 100644 --- a/core/test/utils/index.js +++ b/core/test/utils/index.js @@ -104,7 +104,7 @@ function insertEditorUser() { userRoles = []; users.push(DataGenerator.forKnex.createUser(DataGenerator.Content.users[1])); - userRoles.push(DataGenerator.forKnex.createUserRole(1, 2)); + userRoles.push(DataGenerator.forKnex.createUserRole(2, 2)); return knex('users') .insert(users) .then(function () { @@ -117,7 +117,7 @@ function insertAuthorUser() { userRoles = []; users.push(DataGenerator.forKnex.createUser(DataGenerator.Content.users[2])); - userRoles.push(DataGenerator.forKnex.createUserRole(1, 3)); + userRoles.push(DataGenerator.forKnex.createUserRole(3, 3)); return knex('users') .insert(users) .then(function () { @@ -186,11 +186,11 @@ function insertAppWithFields() { function insertDefaultFixtures() { - return when(insertDefaultUser().then(function () { - return insertPosts().then(function () { - return insertApps(); - }); - })); + return insertDefaultUser().then(function () { + return insertPosts() + }).then(function () { + return insertApps(); + }); } function loadExportFixture(filename) {
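Review bot: In 'browse denied' (api_users_spec.js) the rejection handler is `function () { done(); }`, so any rejection counts as a denial, including an unrelated error raised before the permission check runs. The db spec tests in this commit pin the status code, and the same check fits here: `function (error) { error.code.should.eql(403); done(); }`. The last step of 'read' calls `UsersAPI.read({id: 1})` with no user and expects the record back, which fixes unauthenticated reads of user records as intended behaviour. If that is deliberate, a comment such as `// user records are readable without authentication` should say so, and the fields returned to that caller deserve their own assertion. In 'browse' and 'read' the intermediate rejection handlers call `done(...)` and let the chain continue, so a failure for user 1 still runs the calls for users 2 and 3 and can call `done` a second time.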
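Review bot: `createUserRole(2, 2)` in insertEditorUser, and `createUserRole(3, 3)` in insertAuthorUser in the next hunk, hard-code the user id the insert is expected to produce. The role therefore lands on the intended account only when the default user, the editor and the author are inserted in exactly that order into an empty table. Called in another order, the new row would presumably get a different id and be left without a role, and the 403 tests could then pass for the wrong reason. Taking the id from the insert result where the driver returns it, or setting the id explicitly on the generated user, removes that coupling; at minimum add a comment such as `// user id 2 = editor: relies on insertDefaultUser() having run first`. Both function bodies continue outside their hunks.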
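Review bot: `return insertPosts()` in the rewritten insertDefaultFixtures is missing its semicolon, unlike `return insertApps();` two lines below it. Removing the `when(...)` wrapper also means the function now returns whatever promise `insertDefaultUser()` produces. The spec files in this commit only chain `.then` on it, but any caller elsewhere that uses a when.js-specific method such as `.otherwise` on the result should be checked.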