Test for loops in role save API.

2024-10-16 12:27:15 +01:00 · 2024-10-16 12:27:15 +01:00 · 189b176060
parent 171ffd8aa3
commit 189b176060
2 changed files with 23 additions and 1 deletions
--- a/packages/server/src/api/controllers/role.ts
+++ b/packages/server/src/api/controllers/role.ts
@ -81,7 +81,10 @@ export async function save(ctx: UserCtx<SaveRoleRequest, SaveRoleResponse>) {
    _id = dbCore.prefixRoleID(_id)
  }

-  const allRoles = await roles.getAllRoles()
+  const allRoles = (await roles.getAllRoles()).map(role => ({
+    ...role,
+    _id: dbCore.prefixRoleID(role._id!),
+  }))
  let dbRole: Role | undefined
  if (!isCreate && _id?.startsWith(DocumentType.ROLE)) {
    dbRole = allRoles.find(role => role._id === _id)
--- a/packages/server/src/api/routes/tests/role.spec.ts
+++ b/packages/server/src/api/routes/tests/role.spec.ts
@ -47,6 +47,25 @@ describe("/roles", () => {
      expect(events.role.updated).toHaveBeenCalledTimes(1)
      expect(events.role.updated).toHaveBeenCalledWith(res)
    })
+
+    it("disallow loops", async () => {
+      let role1 = basicRole()
+      role1 = await config.api.roles.save(role1, {
+        status: 200,
+      })
+      let role2 = basicRole()
+      role2.inherits = [role1._id!]
+      role2 = await config.api.roles.save(role2, {
+        status: 200,
+      })
+      role1.inherits = [role2._id!]
+      await config.api.roles.save(role1, {
+        status: 400,
+        body: {
+          message: "Role inheritance contains a loop, this is not supported",
+        },
+      })
+    })
  })

  describe("fetch", () => {