From 972cc9916babfc6427624a0e042142f6985aecf6 Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Thu, 24 Aug 2023 09:39:38 +0200
Subject: [PATCH] Add inheritance tests
---
 .../src/api/routes/tests/permissions.spec.ts | 26 +++++++++++++++++++
 .../server/src/tests/utilities/api/viewV2.ts | 8 ++++--
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/packages/server/src/api/routes/tests/permissions.spec.ts b/packages/server/src/api/routes/tests/permissions.spec.ts
index 118d35f8fd..3437f65a46 100644
--- a/packages/server/src/api/routes/tests/permissions.spec.ts
+++ b/packages/server/src/api/routes/tests/permissions.spec.ts
@@ -12,6 +12,7 @@ import {
 PermissionLevel,
 Row,
 Table,
+ ViewV2,
 } from "@budibase/types"
 import * as setup from "./utilities"
@@ -27,6 +28,7 @@ describe("/permission", () => {
 let table: Table & { _id: string }
 let perms: Document[]
 let row: Row
+ let view: ViewV2
 afterAll(setup.afterAll)
@@ -39,6 +41,7 @@ describe("/permission", () => {
 table = (await config.createTable()) as typeof table
 row = await config.createRow()
+ view = await config.api.viewV2.create({ tableId: table._id })
 perms = await config.api.permission.set({
 roleId: STD_ROLE_ID,
 resourceId: table._id,
@@ -162,6 +165,29 @@ describe("/permission", () => {
 expect(res.body[0]._id).toEqual(row._id)
 })
+ it("should be able to access the view data when the table is set to public and with no view permissions overrides", async () => {
+ // replicate changes before checking permissions
+ await config.publish()
+
+ const res = await config.api.viewV2.search(view.id, undefined, {
+ usePublicUser: true,
+ })
+ expect(res.body.rows[0]._id).toEqual(row._id)
+ })
+
+ it("should be able to access the view data when the table is set to public and with no view permissions overrides", async () => {
+ await config.api.permission.revoke({
+ roleId: STD_ROLE_ID,
+ resourceId: table._id,
+ level: PermissionLevel.READ,
+ })
+
+ await config.api.viewV2.search(view.id, undefined, {
+ expectStatus: 403,
+ usePublicUser: true,
+ })
+ })
+
+ it("shouldn't allow writing from a public user", async () => {
 const res = await request
 .post(`/api/${table._id}/rows`)
diff --git a/packages/server/src/tests/utilities/api/viewV2.ts b/packages/server/src/tests/utilities/api/viewV2.ts
index 1520154641..bba65e187f 100644
--- a/packages/server/src/tests/utilities/api/viewV2.ts
+++ b/packages/server/src/tests/utilities/api/viewV2.ts
@@ -77,12 +77,16 @@ export class ViewV2API extends TestAPI {
 search = async (
 viewId: string,
 params?: SearchViewRowRequest,
- { expectStatus } = { expectStatus: 200 }
+ { expectStatus = 200, usePublicUser = false } = {}
 ) => {
 return this.request
 .post(`/api/v2/views/${viewId}/search`)
 .send(params)
- .set(this.config.defaultHeaders())
+ .set(
+ usePublicUser
+ ? this.config.publicHeaders()
+ : this.config.defaultHeaders()
+ )
 .expect("Content-Type", /json/)
 .expect(expectStatus)
 }
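Review bot: The second added test reuses the first test's title ("should be able to access the view data when the table is set to public…") although it revokes the table's READ permission and expects a 403, so a failure of the denial case would be reported under a name that says access should succeed. Rename it to state the negative, e.g. `it("should not be able to access the view data when the table is not public and there are no view permission overrides", async () => {`. The first test calls `await config.publish()` before searching as the public user, but the second does not do so after `permission.revoke`; it is worth confirming that the 403 comes from the revoked permission rather than from state that was never replicated, and adding the publish call if it is needed. The revoke also changes permissions on the shared `table`, so if the setup outside this hunk runs once rather than per test, the public-user tests that follow may depend on execution order.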
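Review bot: The new `usePublicUser` option on `search` has no comment saying which header set it selects, and the permission tests rely on exactly that distinction. A one-line comment above the options would do, for example `// usePublicUser: send config.publicHeaders() instead of config.defaultHeaders()`. The unchanged `.expect("Content-Type", /json/)` still applies when `expectStatus` is 403, so a denial returned with a non-JSON body would fail on the header check rather than on the status; presumably the API always answers in JSON, but that is not visible here. The class body continues outside the hunk.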