require('./utils/trxify-tests')

const ACLs = require('./acls')
const BaseUser = require('./models/user')
const authorizePlugin = require('../src')

// Authorization tests for patch queries, run once per entry in ACLs.
// Every case pairs a query that must be rejected with one that must resolve,
// so a plugin that denies everything (or allows everything) fails the case.
//
// NOTE(review): the deny checks use a bare `.rejects.toThrow()`, which is
// satisfied by any rejection at all (a database error or a broken query chain
// included). Asserting on the plugin's authorization error would keep an
// unrelated failure from being counted as "access denied".
// NOTE(review): the allow checks only require the query to resolve; none of
// them asserts on the returned value or on the stored row.
describe.each(ACLs)('Patch queries (%s)', (library, acl) => {
  class User extends authorizePlugin(acl, library)(BaseUser) {}

  // Factories rather than shared constants: each query gets its own objects.
  const actor = id => ({ id, role: 'user' })
  const resource = id => ({ id })
  const metadataPatch = (field, value) => ({ metadata: { [field]: value } })

  test('restrict access with automatically fetched context', async () => {
    // Actor 2 patches row 1; no resource is passed to authorize(), the chain
    // ends with fetchResourceContextFromDB() instead.
    const patchOtherRow = User.query()
      .findById(1)
      .patch(metadataPatch('mutableField', 'hello!'))
      .authorize(actor(2))
      .fetchResourceContextFromDB()
    await expect(patchOtherRow).rejects.toThrow()

    // Actor 2 patches row 2: expected to resolve.
    const patchOwnRow = User.query()
      .findById(2)
      .patch(metadataPatch('mutableField', 'hello!'))
      .authorize(actor(2))
      .fetchResourceContextFromDB()
    await patchOwnRow
  })

  test('restrict access with manually passed context', async () => {
    // The resource context is the second authorize() argument here.
    // NOTE(review): in both queries the supplied context names the same id as
    // findById(). Nothing in this file covers a supplied context that
    // disagrees with the targeted row, so whether the plugin guards against
    // that mismatch cannot be told from these tests.
    const patchOtherRow = User.query()
      .findById(1)
      .patch(metadataPatch('mutableField', 'hello!'))
      .authorize(actor(2), resource(1))
    await expect(patchOtherRow).rejects.toThrow()

    const patchOwnRow = User.query()
      .findById(2)
      .patch(metadataPatch('mutableField', 'hello!'))
      .authorize(actor(2), resource(2))
    await patchOwnRow
  })

  test('fetches resource from model instance', async () => {
    const user = await User.query().findById(1)

    // Instance query with no resource argument and no explicit fetch call;
    // per the test name the context is expected to come from `user` itself.
    const patchAsOtherUser = user
      .$query()
      .patch(metadataPatch('mutableField', 'hello'))
      .authorize(actor(2))
    await expect(patchAsOtherUser).rejects.toThrow()

    const patchAsSelf = user
      .$query()
      .patch(metadataPatch('mutableField', 'hello!'))
      .authorize(actor(1))
    await patchAsSelf
  })

  test('prevent setting an invalid field', async () => {
    // Same actor and resource in both queries; only the patched field differs.
    const patchFixedField = User.query()
      .patchAndFetchById(1, metadataPatch('fixedField', 'whoops!'))
      .authorize(actor(1), resource(1))
    await expect(patchFixedField).rejects.toThrow()

    const patchMutableField = User.query()
      .patchAndFetchById(1, metadataPatch('mutableField', 'hello'))
      .authorize(actor(1), resource(1))
    await patchMutableField
  })
})