unleash.unleash/src/lib/middleware/rbac-middleware.test.ts

import test from 'ava';

import sinon from 'sinon';

import rbacMiddleware from './rbac-middleware';
import ffStore from '../../test/fixtures/fake-feature-toggle-store';
import User from '../user';
import perms from '../permissions';
import { IUnleashConfig } from '../types/option';
import { createTestConfig } from '../../test/config/test-config';

let config: IUnleashConfig;
let featureToggleStore: any;

test.beforeEach(() => {
    featureToggleStore = ffStore();
    config = createTestConfig();
});

test('should add checkRbac to request', t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();

    const req = sinon.fake();

    func(req, undefined, cb);

    t.truthy(req.checkRbac);
    t.is(typeof req.checkRbac, 'function');
});

test('should give api-user ADMIN permission', async t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'api',
            permissions: [perms.ADMIN],
            isAPI: true,
        }),
    };

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    t.true(hasAccess);
});

test('should not give api-user ADMIN permission', async t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'api',
            permissions: [perms.CLIENT],
            isAPI: true,
        }),
    };

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    t.false(hasAccess);
    t.is(accessService.hasPermission.callCount, 0);
});

test('should not allow user to miss userId', async t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'user',
            permissions: [perms.ADMIN],
        }),
    };

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    t.false(hasAccess);
});

test('should return false for missing user', async t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {};

    func(req, undefined, cb);

    const hasAccess = await req.checkRbac(perms.ADMIN);

    t.false(hasAccess);
    t.is(accessService.hasPermission.callCount, 0);
});

test('should verify permission for root resource', async t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {},
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.ADMIN);

    t.true(accessService.hasPermission.calledOnce);
    t.is(accessService.hasPermission.firstArg, req.user);
    t.is(accessService.hasPermission.args[0][1], perms.ADMIN);
    t.is(accessService.hasPermission.args[0][2], undefined);
});

test('should lookup projectId from params', async t => {
    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {
            projectId: 'some-proj',
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_PROJECT);

    t.is(accessService.hasPermission.args[0][2], req.params.projectId);
});

test('should lookup projectId from feature toggle', async t => {
    const projectId = 'some-project-33';
    const featureName = 'some-feature-toggle';

    const accessService = {
        hasPermission: sinon.fake(),
    };

    featureToggleStore.getProjectId = sinon.fake.returns(projectId);

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {
            featureName,
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.UPDATE_FEATURE);

    t.is(accessService.hasPermission.args[0][2], projectId);
    t.is(featureToggleStore.getProjectId.firstArg, featureName);
});

test('should lookup projectId from data', async t => {
    const projectId = 'some-project-33';
    const featureName = 'some-feature-toggle';

    const accessService = {
        hasPermission: sinon.fake(),
    };

    const func = rbacMiddleware(config, { featureToggleStore }, accessService);

    const cb = sinon.fake();
    const req: any = {
        user: new User({
            username: 'user',
            id: 1,
        }),
        params: {},
        body: {
            featureName,
            project: projectId,
        },
    };

    func(req, undefined, cb);

    await req.checkRbac(perms.CREATE_FEATURE);

    t.is(accessService.hasPermission.args[0][2], projectId);
});
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`import test from 'ava';`

			`import sinon from 'sinon';`

			`import rbacMiddleware from './rbac-middleware';`
			`import ffStore from '../../test/fixtures/fake-feature-toggle-store';`
			`import User from '../user';`
			`import perms from '../permissions';`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`import { IUnleashConfig } from '../types/option';`
fix: convert AUTH_TYPE to uppercase (#797) Make sure we support both `AUTH_TYPE=demo` and `AUTH_TYPE=DEMO` Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-04-22 15:04:08 +02:00			`import { createTestConfig } from '../../test/config/test-config';`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`let config: IUnleashConfig;`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`let featureToggleStore: any;`

			`test.beforeEach(() => {`
			`featureToggleStore = ffStore();`
fix: convert AUTH_TYPE to uppercase (#797) Make sure we support both `AUTH_TYPE=demo` and `AUTH_TYPE=DEMO` Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-04-22 15:04:08 +02:00			`config = createTestConfig();`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`});`

fix: migrate all permissions to rbac (#782) * fix: migrate all permissions to rbac * fix: update migration guide fixes #782 2021-04-12 20:25:03 +02:00			`test('should add checkRbac to request', t => {`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`

			`const req = sinon.fake();`

			`func(req, undefined, cb);`

			`t.truthy(req.checkRbac);`
			`t.is(typeof req.checkRbac, 'function');`
			`});`

			`test('should give api-user ADMIN permission', async t => {`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'api',`
			`permissions: [perms.ADMIN],`
			`isAPI: true,`
			`}),`
			`};`

			`func(req, undefined, cb);`

			`const hasAccess = await req.checkRbac(perms.ADMIN);`

			`t.true(hasAccess);`
			`});`

			`test('should not give api-user ADMIN permission', async t => {`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'api',`
			`permissions: [perms.CLIENT],`
			`isAPI: true,`
			`}),`
			`};`

			`func(req, undefined, cb);`

			`const hasAccess = await req.checkRbac(perms.ADMIN);`

			`t.false(hasAccess);`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`t.is(accessService.hasPermission.callCount, 0);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`});`

			`test('should not allow user to miss userId', async t => {`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'user',`
			`permissions: [perms.ADMIN],`
			`}),`
			`};`

			`func(req, undefined, cb);`

			`const hasAccess = await req.checkRbac(perms.ADMIN);`

			`t.false(hasAccess);`
			`});`

			`test('should return false for missing user', async t => {`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {};`

			`func(req, undefined, cb);`

			`const hasAccess = await req.checkRbac(perms.ADMIN);`

			`t.false(hasAccess);`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`t.is(accessService.hasPermission.callCount, 0);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`});`

			`test('should verify permission for root resource', async t => {`
			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`

Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'user',`
			`id: 1,`
			`}),`
			`params: {},`
			`};`

			`func(req, undefined, cb);`

			`await req.checkRbac(perms.ADMIN);`

			`t.true(accessService.hasPermission.calledOnce);`
			`t.is(accessService.hasPermission.firstArg, req.user);`
			`t.is(accessService.hasPermission.args[0][1], perms.ADMIN);`
			`t.is(accessService.hasPermission.args[0][2], undefined);`
			`});`

			`test('should lookup projectId from params', async t => {`
			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`

Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'user',`
			`id: 1,`
			`}),`
			`params: {`
			`projectId: 'some-proj',`
			`},`
			`};`

			`func(req, undefined, cb);`

			`await req.checkRbac(perms.UPDATE_PROJECT);`

			`t.is(accessService.hasPermission.args[0][2], req.params.projectId);`
			`});`

			`test('should lookup projectId from feature toggle', async t => {`
			`const projectId = 'some-project-33';`
			`const featureName = 'some-feature-toggle';`

			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`

			`featureToggleStore.getProjectId = sinon.fake.returns(projectId);`

Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'user',`
			`id: 1,`
			`}),`
			`params: {`
			`featureName,`
			`},`
			`};`

			`func(req, undefined, cb);`

			`await req.checkRbac(perms.UPDATE_FEATURE);`

			`t.is(accessService.hasPermission.args[0][2], projectId);`
			`t.is(featureToggleStore.getProjectId.firstArg, featureName);`
			`});`

			`test('should lookup projectId from data', async t => {`
			`const projectId = 'some-project-33';`
			`const featureName = 'some-feature-toggle';`

			`const accessService = {`
			`hasPermission: sinon.fake(),`
			`};`

Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const func = rbacMiddleware(config, { featureToggleStore }, accessService);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const cb = sinon.fake();`
			`const req: any = {`
			`user: new User({`
			`username: 'user',`
			`id: 1,`
			`}),`
			`params: {},`
			`body: {`
			`featureName,`
			`project: projectId,`
			`},`
			`};`

			`func(req, undefined, cb);`

			`await req.checkRbac(perms.CREATE_FEATURE);`

			`t.is(accessService.hasPermission.args[0][2], projectId);`
			`});`