UNPKG

objection-authorize/tests/patch.test.js

Version:

2.28 kBJavaScriptView Raw

1require('./utils/trxify-tests')
2
3const ACLs = require('./acls')
4const BaseUser = require('./models/user')
5const authorizePlugin = require('../src')
6
7describe.each(ACLs)('Patch queries (%s)', (library, acl) => {
class User extends authorizePlugin(acl, library)(BaseUser) {}
9
test('restrict access with automatically fetched context', async () => {
  // you shouldn't be able to delete a user as someone else...
  await expect(
    User.query()
      .findById(1)
      .patch({ metadata: { mutableField: 'hello!' } })
      .authorize({ id: 2, role: 'user' })
      .fetchResourceContextFromDB()
  ).rejects.toThrow()
19
  // but a user should be able to delete their own account
  await User.query()
    .findById(2)
    .patch({ metadata: { mutableField: 'hello!' } })
    .authorize({ id: 2, role: 'user' })
    .fetchResourceContextFromDB()
})
27
test('restrict access with manually passed context', async () => {
  // you shouldn't be able to change a user as someone else...
  await expect(
    User.query()
      .findById(1)
      .patch({ metadata: { mutableField: 'hello!' } })
      .authorize({ id: 2, role: 'user' }, { id: 1 })
  ).rejects.toThrow()
36
  // but a user should be able to change their own account
  await User.query()
    .findById(2)
    .patch({ metadata: { mutableField: 'hello!' } })
    .authorize({ id: 2, role: 'user' }, { id: 2 })
})
43
test('fetches resource from model instance', async () => {
  const user = await User.query().findById(1)
46
  await expect(
    user
      .$query()
      .patch({ metadata: { mutableField: 'hello' } })
      .authorize({ id: 2, role: 'user' })
  ).rejects.toThrow()
53
  await user
    .$query()
    .patch({ metadata: { mutableField: 'hello!' } })
    .authorize({ id: 1, role: 'user' })
})
59
test('prevent setting an invalid field', async () => {
  await expect(
    User.query()
      .patchAndFetchById(1, { metadata: { fixedField: 'whoops!' } })
      .authorize({ id: 1, role: 'user' }, { id: 1 })
  ).rejects.toThrow()
66
  // also testing patchAndFetchById
  await User.query()
    .patchAndFetchById(1, { metadata: { mutableField: 'hello' } })
    .authorize({ id: 1, role: 'user' }, { id: 1 })
})
72})

1	`require('./utils/trxify-tests')`
2
3	`const ACLs = require('./acls')`
4	`const BaseUser = require('./models/user')`
5	`const authorizePlugin = require('../src')`
6
7	`describe.each(ACLs)('Patch queries (%s)', (library, acl) => {`
8	`class User extends authorizePlugin(acl, library)(BaseUser) {}`
9
10	`test('restrict access with automatically fetched context', async () => {`
11	`// you shouldn't be able to delete a user as someone else...`
12	`await expect(`
13	`User.query()`
14	`.findById(1)`
15	`.patch({ metadata: { mutableField: 'hello!' } })`
16	`.authorize({ id: 2, role: 'user' })`
17	`.fetchResourceContextFromDB()`
18	`).rejects.toThrow()`
19
20	`// but a user should be able to delete their own account`
21	`await User.query()`
22	`.findById(2)`
23	`.patch({ metadata: { mutableField: 'hello!' } })`
24	`.authorize({ id: 2, role: 'user' })`
25	`.fetchResourceContextFromDB()`
26	`})`
27
28	`test('restrict access with manually passed context', async () => {`
29	`// you shouldn't be able to change a user as someone else...`
30	`await expect(`
31	`User.query()`
32	`.findById(1)`
33	`.patch({ metadata: { mutableField: 'hello!' } })`
34	`.authorize({ id: 2, role: 'user' }, { id: 1 })`
35	`).rejects.toThrow()`
36
37	`// but a user should be able to change their own account`
38	`await User.query()`
39	`.findById(2)`
40	`.patch({ metadata: { mutableField: 'hello!' } })`
41	`.authorize({ id: 2, role: 'user' }, { id: 2 })`
42	`})`
43
44	`test('fetches resource from model instance', async () => {`
45	`const user = await User.query().findById(1)`
46
47	`await expect(`
48	`user`
49	`.$query()`
50	`.patch({ metadata: { mutableField: 'hello' } })`
51	`.authorize({ id: 2, role: 'user' })`
52	`).rejects.toThrow()`
53
54	`await user`
55	`.$query()`
56	`.patch({ metadata: { mutableField: 'hello!' } })`
57	`.authorize({ id: 1, role: 'user' })`
58	`})`
59
60	`test('prevent setting an invalid field', async () => {`
61	`await expect(`
62	`User.query()`
63	`.patchAndFetchById(1, { metadata: { fixedField: 'whoops!' } })`
64	`.authorize({ id: 1, role: 'user' }, { id: 1 })`
65	`).rejects.toThrow()`
66
67	`// also testing patchAndFetchById`
68	`await User.query()`
69	`.patchAndFetchById(1, { metadata: { mutableField: 'hello' } })`
70	`.authorize({ id: 1, role: 'user' }, { id: 1 })`
71	`})`
72	`})`