// Shared test harness: exposes the suite timeout (`t.timeout`) and the
// instance teardown helper (`t.destroy`) used by the suite below.
const t = require('../test-lib/test.js');
const assert = require('assert');
const _ = require('@sailshq/lodash');
describe('Permissions', function() {
  // Mocha's suite-level `this.timeout` needs a real function here, not an arrow.
  this.timeout(t.timeout);

  // The booted apostrophe instance: created by the first test and read by
  // every test after it, so the tests in this file are order-dependent.
  let apos;

  // Tear the instance down once the whole suite has run.
  after((done) => t.destroy(apos, () => done()));

  it('should have a permissions property', (done) => {
    apos = require('../index.js')({
      root: module,
      shortName: 'test',
      modules: {
        'apostrophe-express': {
          // Test-only placeholder values (presumably the session secret and
          // the listen port — confirm against apostrophe-express).
          secret: 'xxx',
          port: 7900
        }
      },
      afterInit(callback) {
        assert(apos.permissions);
        // Clear positional CLI arguments before startup continues
        // (assumed to keep the boot from dispatching a task — confirm).
        apos.argv._ = [];
        return callback(null);
      },
      afterListen(err) {
        // NOTE(review): a listen error surfaces as a thrown assertion rather
        // than via done(err); Mocha reports the test as failed either way.
        assert(!err);
        done();
      }
    });
  });

  // Build a minimal stand-in for a request object: two no-op trace hooks
  // (presumably expected by permissions.can — not verified here) merged with
  // whatever `d` supplies, typically a `user`. `d` may be omitted.
  function req(d) {
    return _.extend({
      traceIn() {},
      traceOut() {}
    }, d);
  }

  describe('test permissions.can', () => {
    // Each entry drives one `it`: `reqData` is handed to req(), `args` are the
    // remaining arguments to permissions.can (the action, then an optional
    // doc), and `expect` says whether the call must come back truthy.
    //
    // Taken together the cases pin these access-control rules:
    //   - `published` gates anonymous viewing;
    //   - `loginRequired: 'loginRequired'` refuses the public but admits a
    //     user holding the `guest` permission;
    //   - `loginRequired: 'certainUsers'` admits only a user whose `_id` or
    //     one of whose `groupIds` is listed in `docPermissions` as
    //     `view-<id>`, and still refuses an unpublished doc;
    //   - an `edit-<id>` entry lets a matching group member view the doc even
    //     unpublished, while `edit-doc` against an `edit-<id>` or
    //     `publish-<id>` entry additionally requires `_permissions.edit`.
    const cases = [
      {
        name: 'allows view-doc in the generic case',
        args: [ 'view-doc' ],
        expect: true
      },
      {
        name: 'rejects edit-doc in the generic case',
        args: [ 'edit-doc' ],
        expect: false
      },
      {
        name: 'forbids view-doc for public with loginRequired',
        args: [ 'view-doc', { published: true, loginRequired: 'loginRequired' } ],
        expect: false
      },
      {
        name: 'permits view-doc for public without loginRequired',
        args: [ 'view-doc', { published: true } ],
        expect: true
      },
      {
        name: 'prohibits view-doc for public without published',
        args: [ 'view-doc', {} ],
        expect: false
      },
      {
        // Same assertion as 'forbids view-doc for public with loginRequired'
        // above; kept so the suite's list of tests is unchanged.
        name: 'prohibits view-doc for public with loginRequired',
        args: [ 'view-doc', { published: true, loginRequired: 'loginRequired' } ],
        expect: false
      },
      {
        name: 'permits view-doc for guest user with loginRequired',
        reqData: { user: { _permissions: { guest: 1 } } },
        args: [ 'view-doc', { published: true, loginRequired: 'loginRequired' } ],
        expect: true
      },
      {
        name: 'permits view-doc for individual with proper id',
        reqData: { user: { _id: 1 } },
        args: [ 'view-doc', { published: true, loginRequired: 'certainUsers', docPermissions: [ 'view-1' ] } ],
        expect: true
      },
      {
        name: 'forbids view-doc for individual with wrong id',
        reqData: { user: { _id: 2 } },
        args: [ 'view-doc', { published: true, loginRequired: 'certainUsers', docPermissions: [ 'view-1' ] } ],
        expect: false
      },
      {
        name: 'permits view-doc for individual with group id',
        reqData: { user: { _id: 1, groupIds: [ 1001, 1002 ] } },
        args: [ 'view-doc', { published: true, loginRequired: 'certainUsers', docPermissions: [ 'view-1002' ] } ],
        expect: true
      },
      {
        name: 'forbids view-doc for individual with wrong group id',
        reqData: { user: { _id: 2, groupIds: [ 1001, 1002 ] } },
        args: [ 'view-doc', { published: true, loginRequired: 'certainUsers', docPermissions: [ 'view-1003' ] } ],
        expect: false
      },
      {
        name: 'certainUsers will not let you slide past to an unpublished doc',
        reqData: { user: { _id: 1 } },
        args: [ 'view-doc', { loginRequired: 'certainUsers', docPermissions: [ 'view-1' ] } ],
        expect: false
      },
      {
        name: 'permits view-doc for unpublished doc for individual with group id for editing',
        reqData: { user: { _id: 1, groupIds: [ 1001, 1002 ] } },
        args: [ 'view-doc', { docPermissions: [ 'edit-1002' ] } ],
        expect: true
      },
      {
        name: 'permits edit-doc for individual with group id for editing and the edit permission',
        reqData: { user: { _id: 1, groupIds: [ 1001, 1002 ], _permissions: { edit: true } } },
        args: [ 'edit-doc', { docPermissions: [ 'edit-1002' ] } ],
        expect: true
      },
      {
        name: 'forbids edit-doc for individual with group id for editing but no edit permission',
        reqData: { user: { _id: 1, groupIds: [ 1001, 1002 ] } },
        args: [ 'edit-doc', { docPermissions: [ 'edit-1002' ] } ],
        expect: false
      },
      {
        name: 'permits edit-doc for individual with group id for managing and edit permission',
        reqData: { user: { _id: 1, groupIds: [ 1001, 1002 ], _permissions: { edit: true } } },
        args: [ 'edit-doc', { docPermissions: [ 'publish-1002' ] } ],
        expect: true
      },
      {
        name: 'forbids edit-doc for other person',
        reqData: { user: { _id: 7 } },
        args: [ 'edit-doc', { docPermissions: [ 'publish-1002' ] } ],
        expect: false
      }
    ];

    for (const { name, reqData, args, expect } of cases) {
      it(name, () => {
        // Spread `args` so a case without a doc still calls can() with two
        // arguments, exactly as the hand-written form did.
        const allowed = apos.permissions.can(req(reqData), ...args);
        assert(expect ? allowed : !allowed);
      });
    }
  });
});