Adding basic permissions test which proves a public user can read from a table, but cannot write.
parent
fee073fcfe
commit
31d7a7a378
|
@ -40,6 +40,17 @@ exports.defaultHeaders = appId => {
|
||||||
return headers
|
return headers
|
||||||
}
|
}
|
||||||
|
|
||||||
|
exports.publicHeaders = appId => {
|
||||||
|
const headers = {
|
||||||
|
Accept: "application/json",
|
||||||
|
}
|
||||||
|
if (appId) {
|
||||||
|
headers["x-budibase-app-id"] = appId
|
||||||
|
}
|
||||||
|
|
||||||
|
return headers
|
||||||
|
}
|
||||||
|
|
||||||
exports.BASE_TABLE = {
|
exports.BASE_TABLE = {
|
||||||
name: "TestTable",
|
name: "TestTable",
|
||||||
type: "table",
|
type: "table",
|
||||||
|
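Review bot: `publicHeaders` carries no comment saying what makes a request "public", and since its only difference from `defaultHeaders` is what it omits, that is exactly what a reader of the permission tests needs stated. Suggest a line above it: `// Headers for an unauthenticated request: only the app id is sent, no session credentials, so the server must resolve the caller to the public role.` The body of `defaultHeaders` is outside the hunk, so I cannot confirm which credential header it adds; the comment should name it if there is one, so the two helpers stay in step when that header changes.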
@ -73,13 +84,17 @@ exports.createTable = async (request, appId, table, removeId = true) => {
|
||||||
return res.body
|
return res.body
|
||||||
}
|
}
|
||||||
|
|
||||||
exports.createRow = async (request, appId, tableId, row = null) => {
|
exports.makeBasicRow = tableId => {
|
||||||
row = row || {
|
return {
|
||||||
name: "Test Contact",
|
name: "Test Contact",
|
||||||
description: "original description",
|
description: "original description",
|
||||||
status: "new",
|
status: "new",
|
||||||
tableId: tableId,
|
tableId: tableId,
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
exports.createRow = async (request, appId, tableId, row = null) => {
|
||||||
|
row = row || exports.makeBasicRow(tableId)
|
||||||
const res = await request
|
const res = await request
|
||||||
.post(`/api/${tableId}/rows`)
|
.post(`/api/${tableId}/rows`)
|
||||||
.send(row)
|
.send(row)
|
||||||
|
|
|
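Review bot: `row = row || exports.makeBasicRow(tableId)` reassigns the parameter and uses `||`, so an explicitly passed empty-ish value is silently replaced; a `const` with `??` states the intent (fall back only when nothing was passed) and leaves the parameter untouched, e.g. `const body = row ?? exports.makeBasicRow(tableId)` followed by `.send(body)` on the line below. A default parameter cannot be used here because the fallback depends on `tableId`, which is worth a short comment so nobody "fixes" it into the signature. `createRow`'s body continues past the hunk.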
@ -5,6 +5,8 @@ const {
|
||||||
supertest,
|
supertest,
|
||||||
defaultHeaders,
|
defaultHeaders,
|
||||||
addPermission,
|
addPermission,
|
||||||
|
publicHeaders,
|
||||||
|
makeBasicRow,
|
||||||
} = require("./couchTestUtils")
|
} = require("./couchTestUtils")
|
||||||
const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
|
const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles")
|
||||||
|
|
||||||
|
@ -102,7 +104,22 @@ describe("/permission", () => {
|
||||||
|
|
||||||
describe("check public user allowed", () => {
|
describe("check public user allowed", () => {
|
||||||
it("should be able to read the row", async () => {
|
it("should be able to read the row", async () => {
|
||||||
// TODO
|
const res = await request
|
||||||
|
.get(`/api/${table._id}/rows`)
|
||||||
|
.set(publicHeaders(appId))
|
||||||
|
.expect("Content-Type", /json/)
|
||||||
|
.expect(200)
|
||||||
|
expect(res.body[0]._id).toEqual(row._id)
|
||||||
|
})
|
||||||
|
|
||||||
|
it("shouldn't allow writing from a public user", async () => {
|
||||||
|
const res = await request
|
||||||
|
.post(`/api/${table._id}/rows`)
|
||||||
|
.send(makeBasicRow(table._id))
|
||||||
|
.set(publicHeaders(appId))
|
||||||
|
.expect("Content-Type", /json/)
|
||||||
|
.expect(403)
|
||||||
|
expect(res.status).toEqual(403)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
|
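Review bot: The write-denial test only checks the response status, so an endpoint that persisted the row and then answered 403 would still pass; after the POST, re-read the table with the authenticated headers and assert the row count is unchanged from before the request, e.g. `const after = await request.get(`/api/${table._id}/rows`).set(defaultHeaders(appId)).expect(200)` followed by `expect(after.body.length).toEqual(before.body.length)`. `expect(res.status).toEqual(403)` duplicates the `.expect(403)` just above it and can be dropped. `.expect("Content-Type", /json/)` on the 403 assumes the app's error handler serialises `ctx.throw` as JSON rather than Koa's default text body — confirm, as this is the first denial test asserting that. The `describe` block, `table`, `row` and `appId` setup all start outside the hunk.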
@ -5,6 +5,7 @@ const {
|
||||||
defaultHeaders,
|
defaultHeaders,
|
||||||
createLinkedTable,
|
createLinkedTable,
|
||||||
createAttachmentTable,
|
createAttachmentTable,
|
||||||
|
makeBasicRow,
|
||||||
} = require("./couchTestUtils");
|
} = require("./couchTestUtils");
|
||||||
const { enrichRows } = require("../../../utilities")
|
const { enrichRows } = require("../../../utilities")
|
||||||
const env = require("../../../environment")
|
const env = require("../../../environment")
|
||||||
|
@ -30,12 +31,7 @@ describe("/rows", () => {
|
||||||
app = await createApplication(request)
|
app = await createApplication(request)
|
||||||
appId = app.instance._id
|
appId = app.instance._id
|
||||||
table = await createTable(request, appId)
|
table = await createTable(request, appId)
|
||||||
row = {
|
row = makeBasicRow(table._id)
|
||||||
name: "Test Contact",
|
|
||||||
description: "original description",
|
|
||||||
status: "new",
|
|
||||||
tableId: table._id
|
|
||||||
}
|
|
||||||
})
|
})
|
||||||
|
|
||||||
const createRow = async r =>
|
const createRow = async r =>
|
||||||
|
|
|
@ -43,12 +43,8 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
|
||||||
// don't expose builder endpoints in the cloud
|
// don't expose builder endpoints in the cloud
|
||||||
if (env.CLOUD && permType === PermissionTypes.BUILDER) return
|
if (env.CLOUD && permType === PermissionTypes.BUILDER) return
|
||||||
|
|
||||||
if (!ctx.auth.authenticated) {
|
|
||||||
ctx.throw(403, "Session not authenticated")
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!ctx.user) {
|
if (!ctx.user) {
|
||||||
ctx.throw(403, "User not found")
|
ctx.throw(403, "No user info found")
|
||||||
}
|
}
|
||||||
|
|
||||||
const role = ctx.user.role
|
const role = ctx.user.role
|
||||||
|
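Review bot: The `Session not authenticated` check is removed here and re-added in the `@ -71,6 +71,10 @@` hunk, after an unchanged stretch that ends in `return next()` (visible as context there), so any request that takes that branch now reaches the handler without the session check. If that branch is the public-role path this is the intended effect of the commit, but the ordering is now load-bearing and nothing says so; suggest a comment above the moved check naming which callers are allowed to reach `next()` before it, e.g. `// NOTE: a branch above may already have called next(); every path from here on requires an authenticated session`. The `isAdmin && isAuthed` condition in the `@ -56,11 +52,15 @@` hunk also means an admin-role user without a session is no longer rejected at that point but continues into the lines between the hunks — confirm that is intended rather than adding an explicit `ctx.throw(403, ...)` for that case. The unchanged first line, `if (env.CLOUD && permType === PermissionTypes.BUILDER) return`, exits without `next()` or a thrown status, leaving the response to Koa's default; an explicit `ctx.throw(404)` would make the intent visible. The middleware body starts and ends outside these hunks.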
@ -56,11 +52,15 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
|
||||||
ctx.appId,
|
ctx.appId,
|
||||||
role._id
|
role._id
|
||||||
)
|
)
|
||||||
if (ADMIN_ROLES.indexOf(role._id) !== -1) {
|
const isAdmin = ADMIN_ROLES.indexOf(role._id) !== -1
|
||||||
return next()
|
const isAuthed = ctx.auth.authenticated
|
||||||
}
|
|
||||||
|
|
||||||
if (permType === PermissionTypes.BUILDER) {
|
// this may need to change in the future, right now only admins
|
||||||
|
// can have access to builder features, this is hard coded into
|
||||||
|
// our rules
|
||||||
|
if (isAdmin && isAuthed) {
|
||||||
|
return next()
|
||||||
|
} else if (permType === PermissionTypes.BUILDER) {
|
||||||
ctx.throw(403, "Not Authorized")
|
ctx.throw(403, "Not Authorized")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -71,6 +71,10 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
|
||||||
return next()
|
return next()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!isAuthed) {
|
||||||
|
ctx.throw(403, "Session not authenticated")
|
||||||
|
}
|
||||||
|
|
||||||
if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
|
if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
|
||||||
ctx.throw(403, "User does not have permission")
|
ctx.throw(403, "User does not have permission")
|
||||||
}
|
}
|
||||||
|
|
|
@ -77,7 +77,7 @@ exports.getRole = async (appId, roleId) => {
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
const db = new CouchDB(appId)
|
const db = new CouchDB(appId)
|
||||||
const dbRole = await db.get(roleId)
|
const dbRole = await db.get(exports.getDBRoleID(roleId))
|
||||||
role = Object.assign(role, dbRole)
|
role = Object.assign(role, dbRole)
|
||||||
// finalise the ID
|
// finalise the ID
|
||||||
role._id = exports.getExternalRoleID(role._id)
|
role._id = exports.getExternalRoleID(role._id)
|
||||||
|
|
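Review bot: `getRole` now converts `roleId` with `getDBRoleID` before the lookup, but nothing states whether callers pass the external or the DB form of the id, and the later `role._id = exports.getExternalRoleID(role._id)` only makes sense for the former; suggest a JSDoc line on the function: `@param {string} roleId - external role id; converted to the DB id for the lookup and back to the external form on the returned role`. The `try` opened in this hunk has its `catch` outside the hunk, so I cannot tell whether a missing document is swallowed; if it is, callers receive the partially built `role` with no signal, which matters now that the id passed to `db.get` has changed shape. The function starts and ends outside the hunk.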