UNPKG

32.2 kBJavaScriptView Raw
1/* eslint-env mocha */
2'use strict';
3
4var request = require('supertest');
5var assert = require('assert');
6var _ = require('lodash');
7var async = require('async');
8var docker = process.env.DOCKER;
9var chance = new (require('chance'))();
10
11module.exports = function(app, template, hook) {
12 var Helper = require('./helper')(app);
13
14 describe('Roles', function() {
15 // Store the temp role for this test suite.
16 var tempRole = {
17 title: 'TestRole',
18 description: 'A test role.'
19 };
20
21 describe('CRUD Operations', function() {
22 it('An administrator should be able to Create a Role', function(done) {
23 request(app)
24 .post(hook.alter('url', '/role', template))
25 .set('x-jwt-token', template.users.admin.token)
26 .send(tempRole)
27 .expect('Content-Type', /json/)
28 .expect(201)
29 .end(function(err, res) {
30 if (err) {
31 return done(err);
32 }
33
34 var response = res.body;
35 assert(response.hasOwnProperty('_id'), 'Each role in the response should contain an `_id`.');
36 assert(response.hasOwnProperty('modified'), 'Each role in the response should contain a `modified` timestamp.');
37 assert(response.hasOwnProperty('created'), 'Each role in the response should contain a `created` timestamp.');
38 assert.equal(response.title, tempRole.title);
39 assert.equal(response.description, tempRole.description);
40
41 // Store this temp role for later use.
42 template.roles.tempRole = response;
43
44 // Store the JWT for future API calls.
45 template.users.admin.token = res.headers['x-jwt-token'];
46
47 done();
48 });
49 });
50
51 it('A user should NOT be able to create a role', function(done) {
52 request(app)
53 .post(hook.alter('url', '/role', template))
54 .set('x-jwt-token', template.users.user1.token)
55 .send(tempRole)
56 .expect(401)
57 .end(done);
58 });
59
60 it('An administrator should be able to Read an available Role', function(done) {
61 request(app)
62 .get(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
63 .set('x-jwt-token', template.users.admin.token)
64 .expect('Content-Type', /json/)
65 .expect(200)
66 .end(function(err, res) {
67 if (err) {
68 return done(err);
69 }
70
71 var response = res.body;
72 assert.deepEqual(response, template.roles.tempRole);
73
74 // Store the JWT for future API calls.
75 template.users.admin.token = res.headers['x-jwt-token'];
76
77 done();
78 });
79 });
80
81 it('A user should NOT be able to Read an available Role', function(done) {
82 request(app)
83 .get(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
84 .set('x-jwt-token', template.users.user1.token)
85 .expect(401)
86 .end(done);
87 });
88
89 it('An administrator should be able to Update an available Role', function(done) {
90 var updatedRole = _.clone(template.roles.tempRole);
91 updatedRole.title = 'Update';
92
93 request(app)
94 .put(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
95 .set('x-jwt-token', template.users.admin.token)
96 .send({title: updatedRole.title})
97 .expect('Content-Type', /json/)
98 .expect(200)
99 .end(function(err, res) {
100 if (err) {
101 return done(err);
102 }
103
104 var response = res.body;
105 // Update the modified timestamp, before comparison.
106 updatedRole.modified = response.modified;
107 assert.deepEqual(response, updatedRole);
108
109 // Store this temp role for later use.
110 template.roles.tempRole = response;
111
112 // Store the JWT for future API calls.
113 template.users.admin.token = res.headers['x-jwt-token'];
114
115 done();
116 });
117 });
118
119 it('A user should NOT be able to update an available Role', function(done) {
120 request(app)
121 .put(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
122 .set('x-jwt-token', template.users.user1.token)
123 .send({title: 'THIS SHOULD NOT WORK!!!'})
124 .expect(401)
125 .end(done);
126 });
127
128 it('An administrator should be able to Read the Index of available Roles', function(done) {
129 request(app)
130 .get(hook.alter('url', '/role?limit=9999', template))
131 .set('x-jwt-token', template.users.admin.token)
132 .expect('Content-Type', /json/)
133 .expect(200)
134 .end(function(err, res) {
135 if (err) {
136 return done(err);
137 }
138
139 var response = res.body;
140 assert.equal(response.length, 4);
141
142 // Iterate the roles and determine if they contain the correct data.
143 for (var a = 0; a < response.length; a++) {
144 assert(response[a].hasOwnProperty('_id'), 'Each role in the response should contain an `_id`.');
145 assert(response[a].hasOwnProperty('modified'), 'Each role in the response should contain a `modified` timestamp.');
146 assert(response[a].hasOwnProperty('created'), 'Each role in the response should contain a `created` timestamp.');
147
148 // Store the response data, because the order is unsure (Dont store dummy template.roles.tempRole).
149 if (response[a].title === 'Administrator') {
150 assert.equal(response[a].title, 'Administrator');
151 assert.equal(response[a].description, 'A role for Administrative Users.');
152 }
153 else if (response[a].title === 'Authenticated') {
154 assert.equal(response[a].title, 'Authenticated');
155 assert.equal(response[a].description, 'A role for Authenticated Users.');
156 }
157 else if (response[a].title === 'Anonymous') {
158 assert.equal(response[a].title, 'Anonymous');
159 assert.equal(response[a].description, 'A role for Anonymous Users.');
160 }
161 }
162
163 // Store the JWT for future API calls.
164 template.users.admin.token = res.headers['x-jwt-token'];
165
166 done();
167 });
168 });
169
170 it('Cant access a Role without a valid Role Id', function(done) {
171 request(app)
172 .get(hook.alter('url', '/role/2342342344234', template))
173 .set('x-jwt-token', template.users.admin.token)
174 .expect('Content-Type', /json/)
175 .expect(400)
176 .end(function(err, res) {
177 if (err) {
178 return done(err);
179 }
180
181 // Store the JWT for future API calls.
182 template.users.admin.token = res.headers['x-jwt-token'];
183
184 done();
185 });
186 });
187
188 it('A USER should NOT be able to Read the Index of available Roles', function(done) {
189 request(app)
190 .get(hook.alter('url', '/role', template))
191 .set('x-jwt-token', template.users.user1.token)
192 .expect(401)
193 .end(done);
194 });
195
196 it('should not be able to PATCH a role', function(done) {
197 request(app)
198 .patch(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
199 .set('x-jwt-token', template.users.admin.token)
200 .send([{op: 'replace', path: 'default', value: false}])
201 .expect(405)
202 .end(done);
203 });
204 });
205
206 describe('Permissions - Project Level - Anonymous User', function() {
207 it('An Anonymous user should not be able to Create a Role for a User-Created Project', function(done) {
208 request(app)
209 .post(hook.alter('url', '/role', template))
210 .send(template.roles.tempRole)
211 .expect('Content-Type', /text\/plain/)
212 .expect(401)
213 .end(done);
214 });
215
216 it('An Anonymous user should not be able to Read a Role for a User-Created Project', function(done) {
217 request(app)
218 .get(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
219 .expect('Content-Type', /text\/plain/)
220 .expect(401)
221 .end(done);
222 });
223
224 it('An Anonymous user should not be able to Update a Role for a User-Created Project', function(done) {
225 request(app)
226 .get(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
227 .send({title: 'Some Update'})
228 .expect('Content-Type', /text\/plain/)
229 .expect(401)
230 .end(done);
231 });
232
233 it('An Anonymous user should not be able to Read the Index of Roles for a User-Created Project', function(done) {
234 request(app)
235 .get(hook.alter('url', '/role', template))
236 .expect('Content-Type', /text\/plain/)
237 .expect(401)
238 .end(done);
239 });
240
241 it('An Anonymous user should not be able to Delete a Role for a User-Created Project', function(done) {
242 request(app)
243 .delete(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
244 .expect('Content-Type', /text\/plain/)
245 .expect(401)
246 .end(done);
247 });
248 });
249
250 describe('Other Role Tests', function() {
251 it('The defaultAccess Role for a Project cannot be deleted', function(done) {
252 request(app)
253 .delete(hook.alter('url', '/role/' + template.roles.anonymous._id, template))
254 .set('x-jwt-token', template.users.admin.token)
255 .expect('Content-Type', /text\/plain/)
256 .expect(405)
257 .end(function(err, res) {
258 if (err) {
259 return done(err);
260 }
261
262 var response = res.text;
263 assert.equal(response, 'Method Not Allowed');
264
265 // Store the JWT for future API calls.
266 template.users.admin.token = res.headers['x-jwt-token'];
267
268 done();
269 });
270 });
271
272 it('The default Admin Role for a Project cannot be deleted', function(done) {
273 request(app)
274 .delete(hook.alter('url', '/role/' + template.roles.administrator._id, template))
275 .set('x-jwt-token', template.users.admin.token)
276 .expect('Content-Type', /text\/plain/)
277 .expect(405)
278 .end(function(err, res) {
279 if (err) {
280 return done(err);
281 }
282
283 var response = res.text;
284 assert.equal(response, 'Method Not Allowed');
285
286 // Store the JWT for future API calls.
287 template.users.admin.token = res.headers['x-jwt-token'];
288
289 done();
290 });
291 });
292 });
293
294 describe('Role Normalization', function() {
295 it('A Form.io Project Owner should be able to Delete a Role', function(done) {
296 request(app)
297 .delete(hook.alter('url', '/role/' + template.roles.tempRole._id, template))
298 .set('x-jwt-token', template.users.admin.token)
299 .expect(200)
300 .end(function(err, res) {
301 if (err) {
302 return done(err);
303 }
304
305 var response = res.body;
306 assert.deepEqual(response, {});
307
308 // Store the JWT for future API calls.
309 template.users.admin.token = res.headers['x-jwt-token'];
310
311 done();
312 });
313 });
314
315 if (!docker)
316 it('Deleted roles should remain in the DB', function(done) {
317 var formio = hook.alter('formio', app.formio);
318 formio.resources.role.model.findOne({_id: template.roles.tempRole._id}, function(err, role) {
319 if (err) {
320 return done(err);
321 }
322 if (!role) {
323 return done('No role found with _id: ' + template.roles.tempRole._id + ', expected 1.');
324 }
325
326 role = role.toObject();
327 assert.notEqual(role.deleted, null);
328 done();
329 });
330 });
331
332 it('The default Project Roles should still be available', function(done) {
333 request(app)
334 .get(hook.alter('url', '/role?limit=9999', template))
335 .set('x-jwt-token', template.users.admin.token)
336 .expect('Content-Type', /json/)
337 .expect(200)
338 .end(function(err, res) {
339 if (err) {
340 return done(err);
341 }
342
343 var response = res.body;
344 assert.equal(response.length, 3);
345
346 // Store the JWT for future API calls.
347 template.users.admin.token = res.headers['x-jwt-token'];
348
349 done();
350 });
351 });
352 });
353
354 describe('Form access on role modification', function() {
355 var f1 = {
356 title: 'Temp Form',
357 name: 'tempForm',
358 path: 'temp/form',
359 type: 'form',
360 access: [],
361 submissionAccess: [],
362 components: [
363 {
364 type: 'textfield',
365 validate: {
366 custom: '',
367 pattern: '',
368 maxLength: '',
369 minLength: '',
370 required: false
371 },
372 defaultValue: '',
373 multiple: false,
374 suffix: '',
375 prefix: '',
376 placeholder: 'foo',
377 key: 'foo',
378 label: 'foo',
379 inputMask: '',
380 inputType: 'text',
381 input: true
382 }
383 ]
384 };
385 var f2 = {
386 title: 'Temp Form',
387 name: 'tempForm2',
388 path: 'temp/form2',
389 type: 'form',
390 access: [],
391 submissionAccess: [],
392 components: [
393 {
394 type: 'textfield',
395 validate: {
396 custom: '',
397 pattern: '',
398 maxLength: '',
399 minLength: '',
400 required: false
401 },
402 defaultValue: '',
403 multiple: false,
404 suffix: '',
405 prefix: '',
406 placeholder: 'foo',
407 key: 'foo',
408 label: 'foo',
409 inputMask: '',
410 inputType: 'text',
411 input: true
412 }
413 ]
414 };
415 var r1 = _.clone(tempRole);
416
417 describe('Role tests', function() {
418 it('Create a test form', function(done) {
419 request(app)
420 .post(hook.alter('url', '/form', template))
421 .set('x-jwt-token', template.users.admin.token)
422 .send(f1)
423 .expect('Content-Type', /json/)
424 .expect(201)
425 .end(function(err, res) {
426 if (err) {
427 return done(err);
428 }
429
430 var response = res.body;
431 assert.notEqual(response.access, []);
432 assert.equal(response.access.length, 1);
433 assert.equal(response.access[0].type, 'read_all');
434 assert.equal(response.access[0].roles.length, 3);
435 f1 = response;
436
437 // Store the JWT for future API calls.
438 template.users.admin.token = res.headers['x-jwt-token'];
439
440 done();
441 });
442 });
443
444 it('Create a test role', function(done) {
445 request(app)
446 .post(hook.alter('url', '/role', template))
447 .set('x-jwt-token', template.users.admin.token)
448 .send(r1)
449 .expect('Content-Type', /json/)
450 .expect(201)
451 .end(function(err, res) {
452 if (err) {
453 return done(err);
454 }
455
456 r1 = res.body;
457
458 // Store the JWT for future API calls.
459 template.users.admin.token = res.headers['x-jwt-token'];
460
461 done();
462 });
463 });
464
465 it('Existing forms should get updated with any new roles', function(done) {
466 request(app)
467 .get(hook.alter('url', '/form/' + f1._id, template))
468 .set('x-jwt-token', template.users.admin.token)
469 .expect('Content-Type', /json/)
470 .expect(200)
471 .end(function(err, res) {
472 if (err) {
473 return done(err);
474 }
475
476 var response = res.body;
477 assert.notEqual(response.access, []);
478 assert.equal(response.access.length, 1);
479 assert.equal(response.access[0].type, 'read_all');
480 assert.equal(response.access[0].roles.length, 4);
481 assert.notEqual(response.access[0].roles.indexOf(r1._id), -1);
482 f1 = response;
483
484 // Store the JWT for future API calls.
485 template.users.admin.token = res.headers['x-jwt-token'];
486
487 done();
488 });
489 });
490
491 it('New forms should allow read access from all roles', function(done) {
492 request(app)
493 .post(hook.alter('url', '/form', template))
494 .set('x-jwt-token', template.users.admin.token)
495 .send(f2)
496 .expect('Content-Type', /json/)
497 .expect(201)
498 .end(function(err, res) {
499 if (err) {
500 return done(err);
501 }
502
503 var response = res.body;
504 assert.notEqual(response.access, []);
505 assert.equal(response.access.length, 1);
506 assert.equal(response.access[0].type, 'read_all');
507 assert.equal(response.access[0].roles.length, 4);
508 assert.notEqual(response.access[0].roles.indexOf(r1._id), -1);
509 f2 = response;
510
511 // Store the JWT for future API calls.
512 template.users.admin.token = res.headers['x-jwt-token'];
513
514 done();
515 });
516 });
517
518 it('Any custom role can be removed', function(done) {
519 request(app)
520 .delete(hook.alter('url', '/role/' + r1._id, template))
521 .set('x-jwt-token', template.users.admin.token)
522 .expect(200)
523 .end(function(err, res) {
524 if (err) {
525 return done(err);
526 }
527
528 var response = res.body;
529 assert.deepEqual(response, {});
530
531 // Store the JWT for future API calls.
532 template.users.admin.token = res.headers['x-jwt-token'];
533
534 done();
535 });
536 });
537
538 it('Forms existing before new roles are added, should be updated after a role is removed', function(done) {
539 request(app)
540 .get(hook.alter('url', '/form/' + f1._id, template))
541 .set('x-jwt-token', template.users.admin.token)
542 .expect('Content-Type', /json/)
543 .expect(200)
544 .end(function(err, res) {
545 if (err) {
546 return done(err);
547 }
548
549 var response = res.body;
550 assert.notEqual(response.access, []);
551 assert.equal(response.access.length, 1);
552 assert.equal(response.access[0].type, 'read_all');
553 assert.equal(response.access[0].roles.length, 3);
554 assert.equal(response.access[0].roles.indexOf(r1._id), -1);
555 f1 = response;
556
557 // Store the JWT for future API calls.
558 template.users.admin.token = res.headers['x-jwt-token'];
559
560 done();
561 });
562 });
563
564 it('Forms existing after new roles are added, should be updated after a role is removed', function(done) {
565 request(app)
566 .get(hook.alter('url', '/form/' + f2._id, template))
567 .set('x-jwt-token', template.users.admin.token)
568 .expect('Content-Type', /json/)
569 .expect(200)
570 .end(function(err, res) {
571 if (err) {
572 return done(err);
573 }
574
575 var response = res.body;
576 assert.notEqual(response.access, []);
577 assert.equal(response.access.length, 1);
578 assert.equal(response.access[0].type, 'read_all');
579 assert.equal(response.access[0].roles.length, 3);
580 assert.equal(response.access[0].roles.indexOf(r1._id), -1);
581 f2 = response;
582
583 // Store the JWT for future API calls.
584 template.users.admin.token = res.headers['x-jwt-token'];
585
586 done();
587 });
588 });
589 });
590
591 describe('Suite normalization', function() {
592 it('Clean up the test forms', function(done) {
593 async.each([f1, f2], function(form, cb) {
594 request(app)
595 .delete(hook.alter('url', '/form/' + form._id, template))
596 .set('x-jwt-token', template.users.admin.token)
597 .expect(200)
598 .end(function(err, res) {
599 if (err) {
600 return cb(err);
601 }
602
603 var response = res.body;
604 assert.deepEqual(response, {});
605
606 // Store the JWT for future API calls.
607 template.users.admin.token = res.headers['x-jwt-token'];
608
609 cb();
610 });
611 }, function(err) {
612 if (err) {
613 return done(err);
614 }
615
616 done();
617 });
618 });
619 });
620 });
621
622 describe('Role MachineNames', function() {
623 var _role;
624 var name = chance.word();
625 var helper;
626
627 before(function() {
628 helper = new Helper(template.users.admin, template);
629 });
630
631 after(function(done) {
632 helper.deleteRole(name, done);
633 });
634
635 it('Roles expose their machineNames through the api', function(done) {
636 helper
637 .role({
638 title: name
639 })
640 .execute(function(err, result) {
641 if (err) {
642 return done(err);
643 }
644
645 var role = result.getRole(name);
646 assert(role.hasOwnProperty('machineName'));
647 _role = role;
648 done();
649 });
650 });
651
652 it('A user can modify their role machineNames', function(done) {
653 var newMachineName = chance.word();
654
655 helper
656 .role(name, {
657 _id: _role._id,
658 machineName: newMachineName
659 })
660 .execute(function(err, result) {
661 if (err) {
662 return done(err);
663 }
664
665 var role = result.getRole(name);
666 assert(role.hasOwnProperty('machineName'));
667 assert.equal(role.machineName, newMachineName);
668 done();
669 });
670 });
671 });
672 });
673
674 describe('Submission Role Access', () => {
675 let accessHelper = null;
676 let manager = null;
677 let employee = null;
678 it('Bootstrap', (done) => {
679 const owner = (app.hasProjects || docker) ? template.formio.owner : template.users.admin;
680 accessHelper = new Helper(owner, null, hook);
681 accessHelper
682 .project()
683 .role({
684 title: 'access-manager'
685 })
686 .role({
687 title: 'access-employee'
688 })
689 .resource('access-manager', [
690 {
691 type: 'email',
692 key: 'email',
693 label: 'Email'
694 },
695 {
696 type: 'password',
697 key: 'password',
698 label: 'Password'
699 }
700 ], {
701 submissionAccess: [
702 {
703 type: 'create_all',
704 roles: ['anonymous']
705 },
706 {
707 type: 'update_own',
708 roles: ['access-manager']
709 }
710 ]
711 })
712 .action('access-manager', {
713 title: 'Save Submission',
714 name: 'save',
715 handler: ['before'],
716 method: ['create', 'update'],
717 priority: 11,
718 settings: {}
719 })
720 .action('access-manager', {
721 title: 'Role Assignment',
722 name: 'role',
723 priority: 1,
724 handler: ['after'],
725 method: ['create'],
726 settings: {
727 association: 'new',
728 type: 'add',
729 role: 'access-manager'
730 }
731 })
732 .action('access-manager', {
733 title: 'Role Assignment',
734 name: 'role',
735 priority: 2,
736 handler: ['after'],
737 method: ['create'],
738 settings: {
739 association: 'new',
740 type: 'add',
741 role: 'access-employee'
742 }
743 })
744 .resource('access-employee', [
745 {
746 type: 'email',
747 key: 'email',
748 label: 'Email'
749 },
750 {
751 type: 'password',
752 key: 'password',
753 label: 'Password'
754 }
755 ], {
756 submissionAccess: [
757 {
758 type: 'create_all',
759 roles: ['anonymous']
760 },
761 {
762 type: 'update_own',
763 roles: ['access-employee']
764 }
765 ]
766 })
767 .action('access-employee', {
768 title: 'Save Submission',
769 name: 'save',
770 handler: ['before'],
771 method: ['create', 'update'],
772 priority: 11,
773 settings: {}
774 })
775 .action('access-employee', {
776 title: 'Role Assignment',
777 name: 'role',
778 priority: 1,
779 handler: ['after'],
780 method: ['create'],
781 settings: {
782 association: 'new',
783 type: 'add',
784 role: 'access-employee'
785 }
786 })
787 .form('access-login', [
788 {
789 type: 'email',
790 key: 'email',
791 label: 'Email'
792 },
793 {
794 type: 'password',
795 key: 'password',
796 label: 'Password'
797 }
798 ], {
799 submissionAccess: [
800 {
801 type: 'create_own',
802 roles: ['anonymous']
803 }
804 ]
805 })
806 .action('access-login', {
807 title: 'Login',
808 name: 'login',
809 handler: ['before'],
810 method: ['create'],
811 priority: 0,
812 settings: {
813 resources: ['access-manager', 'access-employee'],
814 username: 'email',
815 password: 'password'
816 }
817 })
818 .execute(function(err) {
819 if (err) {
820 return done(err);
821 }
822 done();
823 });
824 });
825
826 it('Should allow an anonymous user to create a Manager record.', (done) => {
827 accessHelper.submission('access-manager', {
828 email: 'manager@example.com',
829 password: 'manager123'
830 }, null).execute((err) => {
831 if (err) {
832 return done(err);
833 }
834
835 manager = accessHelper.getLastSubmission();
836
837 // Make sure that the owner is set for the manager.
838 assert.equal(manager._id, manager.owner);
839 assert.equal(_.intersection(manager.roles, [
840 accessHelper.template.roles['access-manager']._id.toString(),
841 accessHelper.template.roles['access-employee']._id.toString()]
842 ).length, 2);
843 done();
844 });
845 });
846
847 it('Should allow an anonymous user to create an Employee record.', (done) => {
848 accessHelper.submission('access-employee', {
849 email: 'employee@example.com',
850 password: 'employee123'
851 }, null).execute((err) => {
852 if (err) {
853 return done(err);
854 }
855
856 employee = accessHelper.getLastSubmission();
857
858 // Make sure that the owner is set for the manager.
859 assert.equal(employee._id, employee.owner);
860 assert.deepEqual(employee.roles, [
861 accessHelper.template.roles['access-employee']._id.toString()
862 ]);
863 done();
864 });
865 });
866
867 it('Should allow the manager to log in', (done) => {
868 accessHelper.submission('access-login', {
869 email: 'manager@example.com',
870 password: 'manager123'
871 }, null).execute((err) => {
872 if (err) {
873 return done(err);
874 }
875
876 manager.token = accessHelper.lastResponse.headers['x-jwt-token'];
877 assert(!!manager.token, 'No token was created');
878 done();
879 });
880 });
881
882 it('Should allow the employee to log in', (done) => {
883 accessHelper.submission('access-login', {
884 email: 'employee@example.com',
885 password: 'employee123'
886 }, null).execute((err) => {
887 if (err) {
888 return done(err);
889 }
890
891 employee.token = accessHelper.lastResponse.headers['x-jwt-token'];
892 assert(!!employee.token, 'No token was created');
893 done();
894 });
895 });
896
897 it('Should allow the manager to update their own record, but not roles.', (done) => {
898 manager.data.email = 'manager2@example.com';
899 manager.roles = [
900 accessHelper.template.roles['access-manager']._id.toString(),
901 accessHelper.template.roles['access-employee']._id.toString(),
902 accessHelper.template.roles.authenticated._id.toString()
903 ];
904 accessHelper.submission('access-manager', manager, manager)
905 .execute((err) => {
906 if (err) {
907 return done(err);
908 }
909
910 // Make sure they cannot add roles.
911 const updated = accessHelper.getLastSubmission();
912 assert.equal(updated.data.email, 'manager2@example.com');
913 assert.equal(_.intersection(updated.roles, [
914 accessHelper.template.roles['access-manager']._id.toString(),
915 accessHelper.template.roles['access-employee']._id.toString()]
916 ).length, 2);
917 _.assign(manager, updated);
918 done();
919 });
920 });
921
922 it('Should not allow an anonymous user to update the manager record', (done) => {
923 manager.data.email = 'manager3@example.com';
924 accessHelper.submission('access-manager', manager, null, [/text\/plain/, 401]).execute((err) => {
925 if (err) {
926 return done(err);
927 }
928
929 manager.data.email = 'manager2@example.com';
930 done();
931 });
932 });
933
934 it('Should not allow an employee user to update the manager record', (done) => {
935 manager.data.email = 'manager3@example.com';
936 accessHelper.submission('access-manager', manager, employee, [/text\/plain/, 401]).execute((err) => {
937 if (err) {
938 return done(err);
939 }
940
941 manager.data.email = 'manager2@example.com';
942 done();
943 });
944 });
945
946 it('Should allow the manager to remove a role, but not add one.', (done) => {
947 manager.roles = [
948 accessHelper.template.roles['access-manager']._id.toString(),
949 accessHelper.template.roles.authenticated._id.toString()
950 ];
951 accessHelper.submission('access-manager', manager, manager).execute((err) => {
952 if (err) {
953 return done(err);
954 }
955
956 const updated = accessHelper.getLastSubmission();
957 assert.deepEqual(updated.roles, [
958 accessHelper.template.roles['access-manager']._id.toString()
959 ]);
960 _.assign(manager, updated);
961 done();
962 });
963 });
964
965 it('Should not allow the manager to re-add the roles since they do not have access.', (done) => {
966 manager.roles = [
967 accessHelper.template.roles['access-manager']._id.toString(),
968 accessHelper.template.roles['access-employee']._id.toString()
969 ];
970 accessHelper.submission('access-manager', manager, manager).execute((err) => {
971 if (err) {
972 return done(err);
973 }
974
975 const updated = accessHelper.getLastSubmission();
976 assert.deepEqual(updated.roles, [
977 accessHelper.template.roles['access-manager']._id.toString()
978 ]);
979 _.assign(manager, updated);
980 done();
981 });
982 });
983
984 it('Cleanup', (done) => {
985 accessHelper
986 .deleteForm('access-manager')
987 .deleteForm('access-employee')
988 .deleteForm('access-login')
989 .execute((err) => {
990 if (err) {
991 return done(err);
992 }
993
994 async.series(
995 [
996 (next) => accessHelper.deleteRole('access-manager', next),
997 (next) => accessHelper.deleteRole('access-employee', next)
998 ],
999 (err) => {
1000 if (err) {
1001 return done(err);
1002 }
1003
1004 done();
1005 }
1006 );
1007 });
1008 });
1009 });
1010};