'use strict';
const test = require('ava');
const store = require('./../test/fixtures/store');
const { requirePermission } = require('./permissions');
const supertest = require('supertest');
const getApp = require('./app');
const { EventEmitter } = require('events');
// One EventEmitter shared by every app built in getSetup below; the tests never listen on it.
const eventBus = new EventEmitter();
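/**
 * Build an Express app for exercising `requirePermission`.
 *
 * The app comes from `getApp` with fresh stores from the test fixture, the
 * shared `eventBus`, and a randomised base path. From the pre-router hook a
 * single `GET <base>/protectedResource` route is registered behind
 * `requirePermission('READ')`; it answers `200 {"message":"OK"}` when the
 * guard lets the request through.
 *
 * Ordering is what makes the tests meaningful: the caller's hook runs before
 * the protected route is registered, so any middleware it installs (the tests
 * use it to stub `req.user`) executes ahead of the permission guard. Nothing
 * in this setup authenticates a request; it only stages the authorization
 * check.
 *
 * @param {Function} [preRouterHook] Receives the Express app before the
 *   protected route and the application routers are mounted. Optional;
 *   defaults to a no-op so a caller that wants an anonymous request can omit it.
 * @returns {{ base: string, request: Object }} The base path the route was
 *   mounted under and a supertest agent bound to the app.
 */
function getSetup(preRouterHook = () => {}) {
  // The random prefix only keeps route registrations of separate setups apart
  // within one process; it is a test convenience, not an access-control measure.
  const base = `/random${Math.round(Math.random() * 1000)}`;
  const stores = store.createStores();

  const app = getApp({
    baseUriPath: base,
    stores,
    eventBus,
    // NOTE(review): presumably enables the permission checks in app.js — confirm there.
    extendedPermissions: true,
    preRouterHook(_app) {
      // Caller's middleware first, so it sits in front of the guard below.
      preRouterHook(_app);

      _app.get(
        `${base}/protectedResource`,
        requirePermission('READ'),
        (req, res) => {
          // res.json() already ends the response; no explicit end() needed.
          res.status(200).json({ message: 'OK' });
        }
      );
    },
  });

  return {
    base,
    request: supertest(app),
  };
}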
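// Anonymous request: no middleware populates req.user, so the guard must
// reject the request. t.plan(0) documents that supertest's expect() is the
// only check here; a non-403 status rejects the returned promise.
test('should return 403 when missing permission', t => {
  t.plan(0);
  const { base, request } = getSetup(() => {});

  return request.get(`${base}/protectedResource`).expect(403);
});

// Authenticated but unprivileged: a user whose permission list holds neither
// READ nor ADMIN must be rejected exactly like an anonymous one. Without this
// case a guard that only checked for the presence of req.user would pass the
// suite.
test('should return 403 when user lacks the required permission', t => {
  t.plan(0);
  const { base, request } = getSetup(app => {
    app.use((req, res, next) => {
      req.user = { email: 'some@email.com', permissions: [] };
      next();
    });
  });

  return request.get(`${base}/protectedResource`).expect(403);
});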
// A user carrying exactly the READ permission reaches the handler. The user is
// stubbed by test middleware installed ahead of the guard, so this exercises
// authorization only — no authentication takes place.
test('should allow access with correct permissions', t => {
  const stubReader = app => {
    app.use((req, res, next) => {
      req.user = { email: 'some@email.com', permissions: ['READ'] };
      next();
    });
  };

  const { base, request } = getSetup(stubReader);
  const url = `${base}/protectedResource`;

  return request
    .get(url)
    .expect(200)
    .expect(res => {
      const { message } = res.body;
      t.is(message, 'OK');
    });
});
// A user holding only ADMIN (not READ) also reaches the handler, i.e. ADMIN is
// accepted in place of the specific permission the route asks for. As above,
// req.user is stubbed by middleware placed ahead of the guard.
test('should allow access with admin permissions', t => {
  const stubAdmin = app => {
    app.use((req, res, next) => {
      req.user = { email: 'some@email.com', permissions: ['ADMIN'] };
      next();
    });
  };

  const { base, request } = getSetup(stubAdmin);
  const url = `${base}/protectedResource`;

  return request
    .get(url)
    .expect(200)
    .expect(res => {
      const { message } = res.body;
      t.is(message, 'OK');
    });
});