diff --git a/packages/server/src/api/routes/tests/rowAction.spec.ts b/packages/server/src/api/routes/tests/rowAction.spec.ts index 6d8eb1907e..a98cca5bf2 100644 --- a/packages/server/src/api/routes/tests/rowAction.spec.ts +++ b/packages/server/src/api/routes/tests/rowAction.spec.ts @@ -651,13 +651,27 @@ describe("/rowsActions", () => { }) describe("trigger", () => { - let row: Row + let viewId: string + let rowId: string let rowAction: RowActionResponse beforeEach(async () => { - row = await config.api.row.save(tableId, {}) + const row = await config.api.row.save(tableId, {}) + rowId = row._id! rowAction = await createRowAction(tableId, createRowActionRequest()) + viewId = ( + await config.api.viewV2.create( + setup.structures.viewV2.createRequest(tableId) + ) + ).id + + await config.api.rowAction.setViewPermission( + tableId, + viewId, + rowAction.id + ) + await config.publish() tk.travel(Date.now() + 100) }) @@ -673,9 +687,7 @@ describe("/rowsActions", () => { it("can trigger an automation given valid data", async () => { expect(await getAutomationLogs()).toBeEmpty() - await config.api.rowAction.trigger(tableId, rowAction.id, { - rowId: row._id!, - }) + await config.api.rowAction.trigger(viewId, rowAction.id, { rowId }) const automationLogs = await getAutomationLogs() expect(automationLogs).toEqual([ @@ -687,8 +699,11 @@ describe("/rowsActions", () => { inputs: null, outputs: { fields: {}, - row: await config.api.row.get(tableId, row._id!), - table: await config.api.table.get(tableId), + row: await config.api.row.get(tableId, rowId), + table: { + ...(await config.api.table.get(tableId)), + views: expect.anything(), + }, automation: expect.objectContaining({ _id: rowAction.automationId, }), @@ -709,9 +724,7 @@ describe("/rowsActions", () => { await config.api.rowAction.trigger( viewId, rowAction.id, - { - rowId: row._id!, - }, + { rowId }, { status: 403, body: { 
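Review bot: The shared `viewId` declared at the top of the `trigger` block is shadowed later in the file: both `getResources` factories in the `describe.each` of the `@@ -831,40 +804,104 @@` hunk declare their own `const viewId` and call `setViewPermission` again. Every role-permission test therefore runs against a table with two permitted views, and it is easy to misread which view an authorization assertion is exercising. Either let the factories reuse the view created in `beforeEach`, or give the shared one a distinct name such as `let permittedViewId: string`. The `describe("trigger", ...)` block starts before this hunk and continues past it.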
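Review bot: `views: expect.anything()` in the expected `table` output (hunk `@@ -687,8 +699,11 @@`) accepts any non-null value, so the test no longer checks what view data reaches the automation. That matters more now that `beforeEach` attaches a view carrying a row-action permission to the table. If the field cannot be compared exactly, narrow it at least to `views: expect.any(Object)` (assuming `views` is an object map) and add a comment such as `// views are compared loosely: <reason the payload differs from table.get()>`. The enclosing `expect(automationLogs).toEqual([...])` starts before and ends after this hunk.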
@@ -738,10 +751,9 @@ describe("/rowsActions", () => { ) await config.publish() + expect(await getAutomationLogs()).toBeEmpty() - await config.api.rowAction.trigger(viewId, rowAction.id, { - rowId: row._id!, - }) + await config.api.rowAction.trigger(viewId, rowAction.id, { rowId }) const automationLogs = await getAutomationLogs() expect(automationLogs).toEqual([ @@ -751,46 +763,7 @@ describe("/rowsActions", () => { ]) }) - describe.each([ - [ - "table", - async () => ({ permissionResource: tableId, triggerResouce: tableId }), - ], - [ - "view (with implicit views)", - async () => { - const viewId = ( - await config.api.viewV2.create( - setup.structures.viewV2.createRequest(tableId) - ) - ).id - - await config.api.rowAction.setViewPermission( - tableId, - viewId, - rowAction.id - ) - return { permissionResource: viewId, triggerResouce: viewId } - }, - ], - [ - "view (without implicit views)", - async () => { - const viewId = ( - await config.api.viewV2.create( - setup.structures.viewV2.createRequest(tableId) - ) - ).id - - await config.api.rowAction.setViewPermission( - tableId, - viewId, - rowAction.id - ) - return { permissionResource: tableId, triggerResouce: viewId } - }, - ], - ])("role permission checks (for %s)", (_, getResources) => { + describe("role permission checks", () => { beforeAll(() => { mocks.licenses.useViewPermissions() }) 
@@ -831,40 +804,104 @@ describe("/rowsActions", () => { ) })() - it.each(allowedRoleConfig)( - "allows triggering if the user has read permission (user %s, table %s)", - async (userRole, resourcePermission) => { - const { permissionResource, triggerResouce } = await getResources() + describe.each([ + [ + "view (with implicit views)", + async () => { + const viewId = ( + await config.api.viewV2.create( + setup.structures.viewV2.createRequest(tableId) + ) + ).id - await config.api.permission.add({ - level: PermissionLevel.READ, - resourceId: permissionResource, - roleId: resourcePermission, - }) - - const normalUser = await createUser(userRole) - - await config.withUser(normalUser, async () => { - await config.publish() - await config.api.rowAction.trigger( - triggerResouce, - rowAction.id, - { - rowId: row._id!, - }, - { status: 200 } + await config.api.rowAction.setViewPermission( + tableId, + viewId, + rowAction.id ) - }) - } - ) + return { permissionResource: viewId, triggerResouce: viewId } + }, + ], + [ + "view (without implicit views)", + async () => { + const viewId = ( + await config.api.viewV2.create( + setup.structures.viewV2.createRequest(tableId) + ) + ).id - it.each(disallowedRoleConfig)( - "rejects if the user does not have table read permission (user %s, table %s)", + await config.api.rowAction.setViewPermission( + tableId, + viewId, + rowAction.id + ) + return { permissionResource: tableId, triggerResouce: viewId } + }, + ], + ])("checks for %s", (_, getResources) => { + it.each(allowedRoleConfig)( + "allows triggering if the user has read permission (user %s, table %s)", + async (userRole, resourcePermission) => { + const { permissionResource, triggerResouce } = await getResources() + + await config.api.permission.add({ + level: PermissionLevel.READ, + resourceId: permissionResource, + roleId: resourcePermission, + }) + + const normalUser = await createUser(userRole) + + await config.withUser(normalUser, async () => { + await config.publish() + 
await config.api.rowAction.trigger( + triggerResouce, + rowAction.id, + { rowId }, + { status: 200 } + ) + }) + } + ) + + it.each(disallowedRoleConfig)( + "rejects if the user does not have table read permission (user %s, table %s)", + async (userRole, resourcePermission) => { + const { permissionResource, triggerResouce } = await getResources() + await config.api.permission.add({ + level: PermissionLevel.READ, + resourceId: permissionResource, + roleId: resourcePermission, + }) + + const normalUser = await createUser(userRole) + + await config.withUser(normalUser, async () => { + await config.publish() + await config.api.rowAction.trigger( + triggerResouce, + rowAction.id, + { rowId }, + { + status: 403, + body: { message: "User does not have permission" }, + } + ) + + const automationLogs = await getAutomationLogs() + expect(automationLogs).toBeEmpty() + }) + } + ) + }) + + it.each(allowedRoleConfig)( + "does not allow running row actions for tables by default even", async (userRole, resourcePermission) => { - const { permissionResource, triggerResouce } = await getResources() await config.api.permission.add({ level: PermissionLevel.READ, - resourceId: permissionResource, + resourceId: tableId, roleId: resourcePermission, }) @@ -873,14 +910,14 @@ describe("/rowsActions", () => { await config.withUser(normalUser, async () => { await config.publish() await config.api.rowAction.trigger( - triggerResouce, + tableId, rowAction.id, - { - rowId: row._id!, - }, + { rowId }, { status: 403, - body: { message: "User does not have permission" }, + body: { + message: `Row action '${rowAction.id}' is not enabled for table '${tableId}'`, + }, } )
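Review bot: The title of the new table-level test, `"does not allow running row actions for tables by default even"`, is cut off mid-phrase and has no `%s` placeholders. Every row of `it.each(allowedRoleConfig)` therefore gets the same name, and a failing role cannot be identified from the report. Something like `"does not allow running row actions for tables by default even with read permission (user %s, table %s)"` would match the sibling titles. Attributable failures matter here because this is the test asserting that READ on the table alone does not authorize a trigger; its body continues into the `@@ -873,14 +910,14 @@` hunk and past the end of it. The misspelled `triggerResouce` is carried over unchanged and could be corrected while these lines are being moved.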