// Loaded for its side effects only; nothing is imported from it by name.
// NOTE(review): the name suggests it wraps each test in a transaction so the
// deletes below are rolled back. Confirm in ./utils/trxify-tests.
require('./utils/trxify-tests')

const ACLs = require('./acls')
const BaseUser = require('./models/user')
const authorizePlugin = require('../src')

/**
 * Authorization tests for DELETE queries, run once per entry in ACLs.
 *
 * Each entry supplies (library, acl); the plugin under test is mixed into
 * BaseUser with that pair. Every test checks both directions of the rule:
 * requester 2 must be refused when deleting user 1, and must be allowed to
 * delete their own row (user 2).
 *
 * NOTE(review): the deny cases use a bare `.rejects.toThrow()`, which is
 * satisfied by any rejection (a DB or configuration error included), not only
 * by an authorization failure. Pinning the plugin's "forbidden" error and
 * checking that row 1 still exists would make these tests stricter.
 */
describe.each(ACLs)('Delete queries (%s)', (library, acl) => {
  class User extends authorizePlugin(acl, library)(BaseUser) {}

  // Build a fresh requester object for every query so no state is shared
  // between calls to authorize().
  const requester = () => ({ id: 2, role: 'user' })

  test('restrict access with automatically fetched context', async () => {
    // Deny: user 2 targets user 1; the resource context is loaded from the DB.
    const deleteSomeoneElse = User.query()
      .deleteById(1)
      .authorize(requester())
      .fetchResourceContextFromDB()
    await expect(deleteSomeoneElse).rejects.toThrow()

    // Allow: user 2 deletes their own account. A rejection here fails the test.
    const deleteSelf = User.query()
      .deleteById(2)
      .authorize(requester())
      .fetchResourceContextFromDB()
    await deleteSelf
  })

  test('restrict access with manually passed context', async () => {
    // Deny: the caller passes the resource ({ id: 1 }) explicitly instead of
    // having it fetched; it is not owned by requester 2.
    const deleteSomeoneElse = User.query()
      .deleteById(1)
      .authorize(requester(), { id: 1 })
    await expect(deleteSomeoneElse).rejects.toThrow()

    // Allow: the resource id matches the requester id.
    const deleteSelf = User.query()
      .deleteById(2)
      .authorize(requester(), { id: 2 })
    await deleteSelf
  })
})