enforce MANAGE perm on invite create
TimCsaky committed Apr 25, 2024
1 parent 97defba commit 3c610a3
Showing 2 changed files with 16 additions and 10 deletions.
4 changes: 2 additions & 2 deletions app/src/controllers/invite.js
Expand Up @@ -65,7 +65,7 @@ const controller = {
const { bucketId } = await objectService.read(resource);

// Check for manage permission
if (req.currentUser?.AuthType === AuthType.BEARER) {
if (req.currentUser?.authType === AuthType.BEARER) {
let bucketPermissions = [];
const objectPermissions = await objectPermissionService.searchPermissions({
userId: userId,
Expand Down Expand Up @@ -97,7 +97,7 @@ const controller = {
await bucketService.read(resource);

// Check for manage permission
if (req.currentUser?.AuthType === AuthType.BEARER) {
if (req.currentUser?.authType === AuthType.BEARER) {
const bucketPermissions = await bucketPermissionService.searchPermissions({
userId: userId,
bucketId: resource,
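Review bot: The gate `if (req.currentUser?.authType === AuthType.BEARER)` still fails open: any value other than BEARER — including the `undefined` that the old `AuthType` property name produced — skips the manage-permission check entirely, which is exactly how the defect this commit corrects went unnoticed in the controller. If BASIC is the only auth type meant to bypass the check (the spec's BASIC cases return 201 without a permission lookup, which suggests so), inverting the condition makes an unexpected or missing auth type hit the check instead of waiving it: `if (req.currentUser?.authType !== AuthType.BASIC) {`. The same shape appears in the second hunk at the bucket branch (`@@ -97,7 +97,7 @@`), and a one-line comment above each, `// Only BASIC (system) auth bypasses the MANAGE check; anything else must prove permission`, would document the intent. Both permission blocks begin and end outside the visible lines, so whether a non-BEARER path is guarded elsewhere cannot be confirmed from this hunk.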
22 changes: 14 additions & 8 deletions app/tests/unit/controllers/invite.spec.js
Expand Up @@ -13,6 +13,8 @@ const {
const utils = require('../../../src/components/utils');
const { Permissions, ResourceType, AuthType } = require('../../../src/components/constants');

// Mock out utils library and use a spy to observe behavior
jest.mock('../../../src/components/utils');
const SYSTEM_TIME = new Date('2024-03-08T19:00:00.000Z');
const mockResponse = () => {
const res = {};
Expand Down Expand Up @@ -47,6 +49,7 @@ describe('createInvite', () => {
const bucketSearchPermissionSpy = jest.spyOn(bucketPermissionService, 'searchPermissions');
const getCurrentIdentitySpy = jest.spyOn(utils, 'getCurrentIdentity');
const getCurrentUserIdSpy = jest.spyOn(userService, 'getCurrentUserId');
const addDashesToUuidSpy = jest.spyOn(utils, 'addDashesToUuid');
const inviteCreateSpy = jest.spyOn(inviteService, 'create');
const objectReadSpy = jest.spyOn(objectService, 'read');
const objectSearchPermissionSpy = jest.spyOn(objectPermissionService, 'searchPermissions');
Expand All @@ -58,6 +61,7 @@ describe('createInvite', () => {
beforeEach(() => {
getCurrentIdentitySpy.mockReturnValue(USR_IDENTITY);
getCurrentUserIdSpy.mockResolvedValue(USR_ID);
addDashesToUuidSpy.mockReturnValue(RESOURCE);
});

it('should 422 when expiresAt is more than 7 days away', async () => {
Expand Down Expand Up @@ -113,7 +117,7 @@ describe('createInvite', () => {
it('should 403 when no object manage permission found', async () => {
const req = {
body: { objectId: RESOURCE },
currentUser: { AuthType: AuthType.BEARER }
currentUser: { authType: AuthType.BEARER }
};

objectReadSpy.mockResolvedValue({});
Expand All @@ -137,7 +141,7 @@ describe('createInvite', () => {
it('should 403 when no object nor bucket manage permission found', async () => {
const req = {
body: { objectId: RESOURCE },
currentUser: { AuthType: AuthType.BEARER }
currentUser: { authType: AuthType.BEARER }
};

bucketSearchPermissionSpy.mockResolvedValue([]);
Expand Down Expand Up @@ -165,7 +169,7 @@ describe('createInvite', () => {
it('should 201 when object manage permission found', async () => {
const req = {
body: { objectId: RESOURCE },
currentUser: { AuthType: AuthType.BEARER }
currentUser: { authType: AuthType.BEARER }
};

inviteCreateSpy.mockResolvedValue({ token: TOKEN });
Expand Down Expand Up @@ -195,7 +199,7 @@ describe('createInvite', () => {
const email = 'expected@foo.bar';
const req = {
body: { objectId: RESOURCE, email: email },
currentUser: { AuthType: AuthType.BEARER }
currentUser: { authType: AuthType.BEARER }
};

bucketSearchPermissionSpy.mockResolvedValue([{}]);
Expand Down Expand Up @@ -229,7 +233,7 @@ describe('createInvite', () => {
const expiresAt = Math.floor(new Date('2024-03-09T19:00:00.000Z') / 1000);
const req = {
body: { objectId: RESOURCE, expiresAt: expiresAt },
currentUser: { AuthType: AuthType.BASIC }
currentUser: { authType: AuthType.BASIC }
};

inviteCreateSpy.mockResolvedValue({ token: TOKEN });
Expand Down Expand Up @@ -277,7 +281,7 @@ describe('createInvite', () => {
it('should 403 when no bucket manage permission found', async () => {
const req = {
body: { bucketId: RESOURCE },
currentUser: { AuthType: AuthType.BEARER }
currentUser: { authType: AuthType.BEARER }
};

bucketReadSpy.mockResolvedValue({});
Expand All @@ -302,7 +306,7 @@ describe('createInvite', () => {
const email = 'expected@foo.bar';
const req = {
body: { bucketId: RESOURCE, email: email },
currentUser: { AuthType: AuthType.BEARER }
currentUser: { authType: AuthType.BEARER }
};

bucketReadSpy.mockResolvedValue({});
Expand Down Expand Up @@ -332,7 +336,7 @@ describe('createInvite', () => {
const expiresAt = Math.floor(new Date('2024-03-09T19:00:00.000Z') / 1000);
const req = {
body: { bucketId: RESOURCE, expiresAt: expiresAt },
currentUser: { AuthType: AuthType.BASIC }
currentUser: { authType: AuthType.BASIC }
};

bucketReadSpy.mockResolvedValue({ bucketId: RESOURCE });
Expand Down Expand Up @@ -365,6 +369,7 @@ describe('useInvite', () => {
const bucketReadSpy = jest.spyOn(bucketService, 'read');
const getCurrentIdentitySpy = jest.spyOn(utils, 'getCurrentIdentity');
const getCurrentUserIdSpy = jest.spyOn(userService, 'getCurrentUserId');
const addDashesToUuidSpy = jest.spyOn(utils, 'addDashesToUuid');
const inviteDeleteSpy = jest.spyOn(inviteService, 'delete');
const inviteReadSpy = jest.spyOn(inviteService, 'read');
const objectAddPermissionsSpy = jest.spyOn(objectPermissionService, 'addPermissions');
Expand All @@ -377,6 +382,7 @@ describe('useInvite', () => {
beforeEach(() => {
getCurrentIdentitySpy.mockReturnValue(USR_IDENTITY);
getCurrentUserIdSpy.mockResolvedValue(USR_ID);
addDashesToUuidSpy.mockReturnValue(TOKEN);
});


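Review bot: The `currentUser: { authType: AuthType.BEARER }` fixture is hand-written in nine places, and before this commit it mirrored the controller's misspelled property, so the suite passed while the permission check was silently skipped in production. Hoisting the fixture into one constant near `SYSTEM_TIME`, e.g. `const BEARER_USER = { authType: AuthType.BEARER };`, gives the key a single definition that a future rename cannot drift from. In the 403 cases ("should 403 when no object manage permission found" and its bucket counterpart) it would also be worth asserting that the permission search spy was actually invoked, e.g. `expect(objectSearchPermissionSpy).toHaveBeenCalledTimes(1);`, since a 403 that arrives without the lookup would indicate the gate was skipped again; the assertions for those cases lie outside the visible hunk lines, so they may already exist.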
