diff --git a/packages/server/src/api/routes/model.js b/packages/server/src/api/routes/model.js
index b5ab9b3f95..10882aa057 100644
--- a/packages/server/src/api/routes/model.js
+++ b/packages/server/src/api/routes/model.js
@@ -6,7 +6,7 @@ const { BUILDER, READ_MODEL } = require("../../utilities/accessLevels")
 const router = Router()
 router
- .get("/api/models", modelController.fetch)
+ .get("/api/models", authorized(BUILDER), modelController.fetch)
 .get(
 "/api/models/:id",
 authorized(READ_MODEL, ctx => ctx.params.id),
diff --git a/packages/server/src/api/routes/tests/accesslevel.spec.js b/packages/server/src/api/routes/tests/accesslevel.spec.js
index 9cd3495ed8..81ab6a78ad 100644
--- a/packages/server/src/api/routes/tests/accesslevel.spec.js
+++ b/packages/server/src/api/routes/tests/accesslevel.spec.js
@@ -44,7 +44,7 @@ describe("/accesslevels", () => {
 it("returns a success message when level is successfully created", async () => {
 const res = await request
- .post(`/api/${instanceId}/accesslevels`)
+ .post(`/api/accesslevels`)
 .send({ name: "user" })
 .set(defaultHeaders(appId, instanceId))
 .expect('Content-Type', /json/)
@@ -62,7 +62,7 @@ describe("/accesslevels", () => {
 it("should list custom levels, plus 2 default levels", async () => {
 const createRes = await request
- .post(`/api/${instanceId}/accesslevels`)
+ .post(`/api/accesslevels`)
 .send({ name: "user", permissions: [ { itemId: model._id, name: READ_MODEL }] })
 .set(defaultHeaders(appId, instanceId))
 .expect('Content-Type', /json/)
@@ -71,7 +71,7 @@ describe("/accesslevels", () => {
 const customLevel = createRes.body
 const res = await request
- .get(`/api/${instanceId}/accesslevels`)
+ .get(`/api/accesslevels`)
 .set(defaultHeaders(appId, instanceId))
 .expect('Content-Type', /json/)
 .expect(200)
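Review bot: The list route now requires BUILDER while `/api/models/:id` two lines below is gated by `authorized(READ_MODEL, ctx => ctx.params.id)`, so a non-builder user holding READ_MODEL on a model can still fetch it by id but can no longer enumerate models through `modelController.fetch`. If builder-only listing is intended, a comment on the route would spare the next reader the question, e.g. `// listing is builder-only; app users read individual models via READ_MODEL below`; if app users are expected to list models, the guard should instead be READ_MODEL with the response filtered to the models the user may read. The router chain continues past the hunk.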
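Review bot: With `instanceId` dropped from the path, every request in these hunks is scoped to an instance only through `defaultHeaders(appId, instanceId)`, yet none of them sends a missing or foreign instance header and asserts rejection. One negative case next to the -44 hunk's create test (same headers but another instance's id, expecting a 4xx) would pin the header-based scoping that the URL change now relies on. The same gap applies to the path changes in model.spec.js, user.spec.js, view.spec.js, workflow.spec.js and couchTestUtils.js in this commit.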
@@ -95,7 +95,7 @@ describe("/accesslevels", () => {
 describe("destroy", () => {
 it("should delete custom access level", async () => {
 const createRes = await request
- .post(`/api/${instanceId}/accesslevels`)
+ .post(`/api/accesslevels`)
 .send({ name: "user", permissions: [ { itemId: model._id, name: READ_MODEL } ] })
 .set(defaultHeaders(appId, instanceId))
 .expect('Content-Type', /json/)
@@ -104,12 +104,12 @@ describe("/accesslevels", () => {
 const customLevel = createRes.body
 await request
- .delete(`/api/${instanceId}/accesslevels/${customLevel._id}/${customLevel._rev}`)
+ .delete(`/api/accesslevels/${customLevel._id}/${customLevel._rev}`)
 .set(defaultHeaders(appId, instanceId))
 .expect(200)
 await request
- .get(`/api/${instanceId}/accesslevels/${customLevel._id}`)
+ .get(`/api/accesslevels/${customLevel._id}`)
 .set(defaultHeaders(appId, instanceId))
 .expect(404)
 })
@@ -118,7 +118,7 @@ describe("/accesslevels", () => {
 describe("patch", () => {
 it("should add given permissions", async () => {
 const createRes = await request
- .post(`/api/${instanceId}/accesslevels`)
+ .post(`/api/accesslevels`)
 .send({ name: "user", permissions: [ { itemId: model._id, name: READ_MODEL }] })
 .set(defaultHeaders(appId, instanceId))
 .expect('Content-Type', /json/)
@@ -127,7 +127,7 @@ describe("/accesslevels", () => {
 const customLevel = createRes.body
 await request
- .patch(`/api/${instanceId}/accesslevels/${customLevel._id}`)
+ .patch(`/api/accesslevels/${customLevel._id}`)
 .send({
 _rev: customLevel._rev,
 addedPermissions: [ { itemId: model._id, name: WRITE_MODEL } ]
@@ -137,7 +137,7 @@ describe("/accesslevels", () => {
 .expect(200)
 const finalRes = await request
- .get(`/api/${instanceId}/accesslevels/${customLevel._id}`)
+ .get(`/api/accesslevels/${customLevel._id}`)
 .set(defaultHeaders(appId, instanceId))
 .expect(200)
@@ -148,7 +148,7 @@ describe("/accesslevels", () => {
 it("should remove given permissions", async () => {
 const createRes = await request
- .post(`/api/${instanceId}/accesslevels`)
+ .post(`/api/accesslevels`)
 .send({
 name: "user",
 permissions: [
@@ -163,7 +163,7 @@ describe("/accesslevels", () => {
 const customLevel = createRes.body
 await request
- .patch(`/api/${instanceId}/accesslevels/${customLevel._id}`)
+ .patch(`/api/accesslevels/${customLevel._id}`)
 .send({
 _rev: customLevel._rev,
 removedPermissions: [ { itemId: model._id, name: WRITE_MODEL }]
@@ -173,7 +173,7 @@ describe("/accesslevels", () => {
 .expect(200)
 const finalRes = await request
- .get(`/api/${instanceId}/accesslevels/${customLevel._id}`)
+ .get(`/api/accesslevels/${customLevel._id}`)
 .set(defaultHeaders(appId, instanceId))
 .expect(200)
diff --git a/packages/server/src/api/routes/tests/application.spec.js b/packages/server/src/api/routes/tests/application.spec.js
index 0bde24a02f..d22ab02016 100644
--- a/packages/server/src/api/routes/tests/application.spec.js
+++ b/packages/server/src/api/routes/tests/application.spec.js
@@ -41,7 +41,7 @@ describe("/applications", () => {
 expect(res.body._id).toBeDefined()
 })
- fit("should apply authorization to endpoint", async () => {
+ it("should apply authorization to endpoint", async () => {
 const otherApplication = await createApplication(request)
 const instance = await createInstance(request, otherApplication._id)
 await builderEndpointShouldBlockNormalUsers({
diff --git a/packages/server/src/api/routes/tests/couchTestUtils.js b/packages/server/src/api/routes/tests/couchTestUtils.js
index ebf09e392d..9b8aedd453 100644
--- a/packages/server/src/api/routes/tests/couchTestUtils.js
+++ b/packages/server/src/api/routes/tests/couchTestUtils.js
@@ -57,7 +57,7 @@ exports.createModel = async (request, appId, instanceId, model) => {
 }
 const res = await request
- .post(`/api/${instanceId}/models`)
+ .post(`/api/models`)
 .set(exports.defaultHeaders(appId, instanceId))
 .send(model)
 return res.body
@@ -69,7 +69,7 @@ exports.createView = async (request, appId, instanceId, view) => {
 }
 const res = await request
- .post(`/api/${instanceId}/views`)
+ .post(`/api/views`)
 .set(exports.defaultHeaders(appId, instanceId))
 .send(view)
 return res.body
@@ -80,10 +80,10 @@ exports.createClientDatabase = async id => await create(id || TEST_CLIENT_ID)
 exports.createApplication = async (request, name = "test_application") => {
 const res = await request
 .post("/api/applications")
- .set(exports.defaultHeaders())
 .send({
 name,
 })
+ .set(exports.defaultHeaders())
 return res.body
 }
@@ -92,10 +92,10 @@ exports.destroyClientDatabase = async () => await destroy(TEST_CLIENT_ID)
 exports.createInstance = async (request, appId) => {
 const res = await request
 .post(`/api/instances`)
- .set(exports.defaultHeaders(appId))
 .send({
- name: "test-instance",
+ name: "test-instance2",
 })
+ .set(exports.defaultHeaders(appId))
 return res.body
 }
@@ -180,13 +180,13 @@ const createUserWithPermissions = async (
 username
 ) => {
 const accessRes = await request
- .post(`/api/${instanceId}/accesslevels`)
+ .post(`/api/accesslevels`)
 .send({ name: "TestLevel", permissions })
 .set(exports.defaultHeaders(appId, instanceId))
 const password = `password_${username}`
 await request
- .post(`/api/${instanceId}/users`)
+ .post(`/api/users`)
 .set(exports.defaultHeaders(appId, instanceId))
 .send({
 name: username,
diff --git a/packages/server/src/api/routes/tests/model.spec.js b/packages/server/src/api/routes/tests/model.spec.js
index f4708be58d..4d4e7aeb08 100644
--- a/packages/server/src/api/routes/tests/model.spec.js
+++ b/packages/server/src/api/routes/tests/model.spec.js
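Review bot: `name: "test-instance2"` in the -92 hunk's `createInstance` changes shared fixture data in a commit that is otherwise about moving `instanceId` out of the URL; it reads like a leftover from local debugging and should either go back to `name: "test-instance",` or be explained in the commit message. The `.send`/`.set` reordering in the -80 and -92 hunks is presumably harmless, since the request builder does not send until it is awaited, but it is also unrelated noise. `createInstance` ends inside its hunk; `createUserWithPermissions` in the -180 hunk continues past it.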
@@ -33,7 +33,7 @@ describe("/models", () => {
 it("returns a success message when the model is successfully created", done => {
 request
- .post(`/api/${instance._id}/models`)
+ .post(`/api/models`)
 .send({
 name: "TestModel",
 key: "name",
@@ -55,8 +55,9 @@ describe("/models", () => {
 await builderEndpointShouldBlockNormalUsers({
 request,
 method: "POST",
- url: `/api/${instance._id}/models`,
+ url: `/api/models`,
 instanceId: instance._id,
+ appId: app._id,
 body: {
 name: "TestModel",
 key: "name",
@@ -78,7 +79,7 @@ describe("/models", () => {
 it("returns all the models for that instance in the response body", done => {
 request
- .get(`/api/${instance._id}/models`)
+ .get(`/api/models`)
 .set(defaultHeaders(app._id, instance._id))
 .expect('Content-Type', /json/)
 .expect(200)
@@ -94,8 +95,9 @@ describe("/models", () => {
 await builderEndpointShouldBlockNormalUsers({
 request,
 method: "GET",
- url: `/api/${instance._id}/models`,
+ url: `/api/models`,
 instanceId: instance._id,
+ appId: app._id,
 })
 })
 });
@@ -114,7 +116,7 @@ describe("/models", () => {
 it("returns a success response when a model is deleted.", async done => {
 request
- .delete(`/api/${instance._id}/models/${testModel._id}/${testModel._rev}`)
+ .delete(`/api/models/${testModel._id}/${testModel._rev}`)
 .set(defaultHeaders(app._id, instance._id))
 .expect('Content-Type', /json/)
 .expect(200)
@@ -147,7 +149,7 @@ describe("/models", () => {
 })
 request
- .delete(`/api/${instance._id}/models/${testModel._id}/${testModel._rev}`)
+ .delete(`/api/models/${testModel._id}/${testModel._rev}`)
 .set(defaultHeaders(app._id, instance._id))
 .expect('Content-Type', /json/)
 .expect(200)
@@ -163,8 +165,9 @@ describe("/models", () => {
 await builderEndpointShouldBlockNormalUsers({
 request,
 method: "DELETE",
- url: `/api/${instance._id}/models/${testModel._id}/${testModel._rev}`,
+ url: `/api/models/${testModel._id}/${testModel._rev}`,
 instanceId: instance._id,
+ appId: app._id,
 })
 })
diff --git a/packages/server/src/api/routes/tests/record.spec.js b/packages/server/src/api/routes/tests/record.spec.js
index c856cfc47a..62cf205b1c 100644
--- a/packages/server/src/api/routes/tests/record.spec.js
+++ b/packages/server/src/api/routes/tests/record.spec.js
@@ -45,7 +45,7 @@ describe("/records", () => {
 .expect('Content-Type', /json/)
 .expect(200)
- fit("returns a success message when the record is created", async () => {
+ it("returns a success message when the record is created", async () => {
 const res = await createRecord()
 expect(res.res.statusMessage).toEqual(`${model.name} created successfully`)
 expect(res.body.name).toEqual("Test Contact")
diff --git a/packages/server/src/api/routes/tests/user.spec.js b/packages/server/src/api/routes/tests/user.spec.js
index 4900946e45..a17e6fe275 100644
--- a/packages/server/src/api/routes/tests/user.spec.js
+++ b/packages/server/src/api/routes/tests/user.spec.js
@@ -54,8 +54,9 @@ describe("/users", () => {
 await testPermissionsForEndpoint({
 request,
 method: "GET",
- url: `/api/${instance._id}/users`,
+ url: `/api/users`,
 instanceId: instance._id,
+ appId: app._id,
 permissionName: LIST_USERS,
 })
 })
@@ -66,7 +67,7 @@ describe("/users", () => {
 it("returns a success message when a user is successfully created", async () => {
 const res = await request
- .post(`/api/${instance._id}/users`)
+ .post(`/api/users`)
 .set(defaultHeaders(app._id, instance._id))
 .send({ name: "Bill", username: "bill", password: "bills_password", accessLevelId: POWERUSER_LEVEL_ID })
 .expect(200)
@@ -81,8 +82,9 @@ describe("/users", () => {
 request,
 method: "POST",
 body: { name: "brandNewUser", username: "brandNewUser", password: "yeeooo", accessLevelId: POWERUSER_LEVEL_ID },
- url: `/api/${instance._id}/users`,
+ url: `/api/users`,
 instanceId: instance._id,
+ appId: app._id,
 permissionName: USER_MANAGEMENT,
 })
 })
diff --git a/packages/server/src/api/routes/tests/view.spec.js b/packages/server/src/api/routes/tests/view.spec.js
index db521ef53b..5a889bed67 100644
--- a/packages/server/src/api/routes/tests/view.spec.js
+++ b/packages/server/src/api/routes/tests/view.spec.js
@@ -30,7 +30,7 @@ describe("/views", () => {
 const createView = async () =>
 await request
- .post(`/api/${instance._id}/views`)
+ .post(`/api/views`)
 .send({
 name: "TestView",
 map: `function(doc) {
@@ -62,7 +62,7 @@ describe("/views", () => {
 it("should only return custom views", async () => {
 const view = await createView()
 const res = await request
- .get(`/api/${instance._id}/views`)
+ .get(`/api/views`)
 .set(defaultHeaders(app._id, instance._id))
 .expect('Content-Type', /json/)
 .expect(200)
diff --git a/packages/server/src/api/routes/tests/workflow.spec.js b/packages/server/src/api/routes/tests/workflow.spec.js
index bcd1f67120..f8b38c53ec 100644
--- a/packages/server/src/api/routes/tests/workflow.spec.js
+++ b/packages/server/src/api/routes/tests/workflow.spec.js
@@ -63,7 +63,7 @@ describe("/workflows", () => {
 describe("create", () => {
 it("returns a success message when the workflow is successfully created", async () => {
 const res = await request
- .post(`/api/${instance._id}/workflows`)
+ .post(`/api/workflows`)
 .set(defaultHeaders(app._id, instance._id))
 .send(TEST_WORKFLOW)
 .expect('Content-Type', /json/)
@@ -77,8 +77,9 @@ describe("/workflows", () => {
 await builderEndpointShouldBlockNormalUsers({
 request,
 method: "POST",
- url: `/api/${instance._id}/workflows`,
+ url: `/api/workflows`,
 instanceId: instance._id,
+ appId: app._id,
 body: TEST_WORKFLOW
 })
 })
@@ -92,7 +93,7 @@ describe("/workflows", () => {
 workflow.name = "Updated Name";
 const res = await request
- .put(`/api/${instance._id}/workflows`)
+ .put(`/api/workflows`)
 .set(defaultHeaders(app._id, instance._id))
 .send(workflow)
 .expect('Content-Type', /json/)
@@ -107,7 +108,7 @@ describe("/workflows", () => {
 it("return all the workflows for an instance", async () => {
 await createWorkflow();
 const res = await request
- .get(`/api/${instance._id}/workflows`)
+ .get(`/api/workflows`)
 .set(defaultHeaders(app._id, instance._id))
 .expect('Content-Type', /json/)
 .expect(200)
@@ -119,8 +120,9 @@ describe("/workflows", () => {
 await builderEndpointShouldBlockNormalUsers({
 request,
 method: "GET",
- url: `/api/${instance._id}/workflows`,
+ url: `/api/workflows`,
 instanceId: instance._id,
+ appId: app._id,
 })
 })
 })
@@ -129,7 +131,7 @@ describe("/workflows", () => {
 it("deletes a workflow by its ID", async () => {
 await createWorkflow();
 const res = await request
- .delete(`/api/${instance._id}/workflows/${workflow.id}/${workflow.rev}`)
+ .delete(`/api/workflows/${workflow.id}/${workflow.rev}`)
 .set(defaultHeaders(app._id, instance._id))
 .expect('Content-Type', /json/)
 .expect(200)
@@ -142,8 +144,9 @@ describe("/workflows", () => {
 await builderEndpointShouldBlockNormalUsers({
 request,
 method: "DELETE",
- url: `/api/${instance._id}/workflows/${workflow.id}/${workflow._rev}`,
+ url: `/api/workflows/${workflow.id}/${workflow._rev}`,
 instanceId: instance._id,
+ appId: app._id,
 })
 })
 })
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index 0a3c9c8ef9..2318512eea 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -81,6 +81,8 @@ const getAccessLevel = async (instanceId, accessLevelId) => {
 const findAccessContext = {
 params: {
 levelId: accessLevelId,
+ },
+ user: {
 instanceId,
 },
 }
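Review bot: `findAccessContext` is a hand-built context whose `user.instanceId` now comes from `getAccessLevel`'s `instanceId` argument, and the call site supplying that argument is outside the hunk; since this commit removes `instanceId` from the URL elsewhere, confirm the value is derived from the verified token rather than taken straight from a client-supplied header, otherwise the access-level lookup could be pointed at a different instance's database than the one the token was issued for. Moving `instanceId` from `params` to `user` also encodes an assumption about the handler this object is passed to, which is worth a comment, e.g. `// synthetic ctx: the find handler reads the instance from ctx.user and the level id from ctx.params`. `getAccessLevel` continues past the hunk.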