const assert = require('node:assert/strict');
const test = require('node:test');
const RolesDBApi = require('../src/db/api/roles');
const AccessPolicy = require('../src/services/access-policy');
// Stub the role lookup so the middleware under test never reaches a real database.
// The stub is installed *before* `check-permissions` is required below; keep that
// order — it looks like the middleware module touches RolesDBApi.findBy while
// loading (TODO confirm against ../src/middlewares/check-permissions).
const originalFindBy = RolesDBApi.findBy;

RolesDBApi.findBy = async function stubbedFindBy() {
  // Minimal "public" role fixture carrying no permissions of its own.
  return {
    id: 'public-role',
    name: 'Public',
    permissions: [],
  };
};

const { checkCrudPermissions } = require('../src/middlewares/check-permissions');

// Put the real implementation back once every test in this file has run.
test.after(function restoreFindBy() {
  RolesDBApi.findBy = originalFindBy;
});
test('checkCrudPermissions honors explicit permission override', async () => {
  // Swap the policy check for a recorder so the test can observe exactly which
  // permission name the middleware asks about, and grant only the override.
  const realHasPermission = AccessPolicy.hasPermission;
  const consulted = [];

  AccessPolicy.hasPermission = async (_user, permissionName) => {
    consulted.push(permissionName);
    return permissionName === 'UPDATE_PAGE_ELEMENTS';
  };

  // Run the middleware with an empty response object and turn its `next(err)`
  // callback into a promise that rejects when an error is passed through.
  const runMiddleware = (req) =>
    new Promise((resolve, reject) => {
      const next = (error) => (error ? reject(error) : resolve());
      checkCrudPermissions('page_elements')(req, {}, next);
    });

  try {
    // A DELETE on this resource would otherwise map to DELETE_PAGE_ELEMENTS (the
    // second test in this file pins that default); the override must win.
    // NOTE(review): the override is read from a property of `req`. Confirm it is
    // set only by trusted upstream middleware and is never populated from
    // client-controlled input (body/query/headers); otherwise a caller could
    // pick which permission gets checked.
    const req = {
      method: 'DELETE',
      path: '/project/project-id/env/dev',
      currentUser: { id: 'user-1' },
      permissionNameOverride: 'UPDATE_PAGE_ELEMENTS',
    };

    await runMiddleware(req);

    assert.deepEqual(consulted, ['UPDATE_PAGE_ELEMENTS']);
  } finally {
    // Restore the real policy even when the assertion above fails.
    AccessPolicy.hasPermission = realHasPermission;
  }
});
test('checkCrudPermissions keeps default method-derived permission without override', async () => {
  const realHasPermission = AccessPolicy.hasPermission;
  const consulted = [];

  // Recorder stub: note every permission name the middleware asks about and
  // grant only the one the request method is expected to map to.
  AccessPolicy.hasPermission = async (_user, permissionName) => {
    consulted.push(permissionName);
    return permissionName === 'DELETE_PAGE_ELEMENTS';
  };

  // Promisified invocation of the middleware; `next(err)` becomes a rejection.
  const runMiddleware = (req) =>
    new Promise((resolve, reject) => {
      checkCrudPermissions('page_elements')(req, {}, (error) =>
        error ? reject(error) : resolve(),
      );
    });

  try {
    // No permissionNameOverride here: the name must be derived from the HTTP
    // method and the 'page_elements' resource (DELETE -> DELETE_PAGE_ELEMENTS).
    const req = {
      method: 'DELETE',
      path: '/project/project-id/env/dev',
      currentUser: { id: 'user-1' },
    };

    await runMiddleware(req);

    assert.deepEqual(consulted, ['DELETE_PAGE_ELEMENTS']);
    // TODO(review): neither test in this file exercises the denial path
    // (hasPermission resolving false); add one once the expected failure
    // signal (error passed to next vs. a response status) is confirmed.
  } finally {
    // Always put the real policy back, even if the assertion above fails.
    AccessPolicy.hasPermission = realHasPermission;
  }
});