[permissions] Writing permission does not go without reading permission (#12573)
Closes https://github.com/twentyhq/core-team-issues/issues/868 We should not allow to grant any writing permission (update, soft delete, delete) on an object or at role-level without the reading permission at the same level. This has been implemented in the front-end at role level, and is yet to be done at object level (@Weiko)
This commit is contained in:
Marie
@ -0,0 +1,421 @@
|
||||
import gql from 'graphql-tag';
|
||||
import { default as request } from 'supertest';
|
||||
import { createRoleOperation } from 'test/integration/graphql/utils/create-custom-role-operation-factory.util';
|
||||
import { deleteRole } from 'test/integration/graphql/utils/delete-one-role.util';
|
||||
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
|
||||
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
|
||||
import { createUpsertObjectPermissionsOperation } from 'test/integration/graphql/utils/upsert-object-permission-operation-factory.util';
|
||||
import { makeMetadataAPIRequest } from 'test/integration/metadata/suites/utils/make-metadata-api-request.util';
|
||||
|
||||
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
|
||||
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
|
||||
import { SEED_APPLE_WORKSPACE_ID } from 'src/engine/workspace-manager/dev-seeder/core/utils/seed-workspaces.util';
|
||||
|
||||
const client = request(`http://localhost:${APP_PORT}`);
|
||||
|
||||
describe('Object Permissions Validation', () => {
|
||||
let customRoleId: string;
|
||||
let personObjectId: string;
|
||||
let companyObjectId: string;
|
||||
|
||||
beforeAll(async () => {
|
||||
const enablePermissionsQuery = updateFeatureFlagFactory(
|
||||
SEED_APPLE_WORKSPACE_ID,
|
||||
'IS_PERMISSIONS_V2_ENABLED',
|
||||
true,
|
||||
);
|
||||
|
||||
await makeGraphqlAPIRequest(enablePermissionsQuery);
|
||||
// Get object metadata IDs for Person and Company
|
||||
const getObjectMetadataOperation = {
|
||||
query: gql`
|
||||
query {
|
||||
objects(paging: { first: 1000 }) {
|
||||
edges {
|
||||
node {
|
||||
id
|
||||
nameSingular
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
`,
|
||||
};
|
||||
|
||||
const objectMetadataResponse = await makeMetadataAPIRequest(
|
||||
getObjectMetadataOperation,
|
||||
);
|
||||
const objects = objectMetadataResponse.body.data.objects.edges;
|
||||
|
||||
personObjectId = objects.find(
|
||||
(obj: any) => obj.node.nameSingular === 'person',
|
||||
)?.node.id;
|
||||
companyObjectId = objects.find(
|
||||
(obj: any) => obj.node.nameSingular === 'company',
|
||||
)?.node.id;
|
||||
|
||||
expect(personObjectId).toBeDefined();
|
||||
expect(companyObjectId).toBeDefined();
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
const disablePermissionsQuery = updateFeatureFlagFactory(
|
||||
SEED_APPLE_WORKSPACE_ID,
|
||||
'IS_PERMISSIONS_V2_ENABLED',
|
||||
false,
|
||||
);
|
||||
|
||||
await makeGraphqlAPIRequest(disablePermissionsQuery);
|
||||
});
|
||||
|
||||
describe('cases with role with all rights by default', () => {
|
||||
beforeEach(async () => {
|
||||
// Create a custom role for each test
|
||||
const roleOperation = createRoleOperation({
|
||||
label: 'TestRole',
|
||||
description: 'Test role for object permission validation',
|
||||
canUpdateAllSettings: true,
|
||||
canReadAllObjectRecords: true,
|
||||
canUpdateAllObjectRecords: true,
|
||||
canSoftDeleteAllObjectRecords: true,
|
||||
canDestroyAllObjectRecords: true,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(roleOperation);
|
||||
|
||||
customRoleId = response.body.data.createOneRole.id;
|
||||
});
|
||||
|
||||
afterEach(async () => {
|
||||
// Clean up the role after each test
|
||||
if (customRoleId) {
|
||||
await deleteRole(client, customRoleId);
|
||||
}
|
||||
});
|
||||
|
||||
describe('validateObjectPermissionsOrThrow - basic valid cases', () => {
|
||||
it('should allow read=true with any write permissions', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(customRoleId, [
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: true,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: true,
|
||||
canDestroyObjectRecords: true,
|
||||
},
|
||||
]);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.upsertObjectPermissions).toHaveLength(1);
|
||||
expect(response.body.data.upsertObjectPermissions[0]).toMatchObject({
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: true,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: true,
|
||||
canDestroyObjectRecords: true,
|
||||
});
|
||||
});
|
||||
|
||||
it('should allow read=false with all write permissions=false', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(customRoleId, [
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: false,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
]);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.upsertObjectPermissions).toHaveLength(1);
|
||||
expect(response.body.data.upsertObjectPermissions[0]).toMatchObject({
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: false,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('validateObjectPermissionsOrThrow - Invalid Cases', () => {
|
||||
it('should throw error when read=false but canUpdateObjectRecords=true', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
customRoleId,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
],
|
||||
[
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canUpdateObjectRecords',
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
|
||||
it('should throw error when read=false but canSoftDeleteObjectRecords=true', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
customRoleId,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: false,
|
||||
canSoftDeleteObjectRecords: true,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
],
|
||||
[
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canSoftDeleteObjectRecords',
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
|
||||
it('should throw error when read=false but canDestroyObjectRecords=true', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
customRoleId,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: false,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: true,
|
||||
},
|
||||
],
|
||||
[
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canDestroyObjectRecords',
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
|
||||
it('should throw error when read=false but multiple write permissions=true', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
customRoleId,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: true,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
],
|
||||
[
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canUpdateObjectRecords',
|
||||
'canSoftDeleteObjectRecords',
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe('validateObjectPermissionsOrThrow - Multiple Objects', () => {
|
||||
it('should validate permissions across multiple objects correctly', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
customRoleId,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: true,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
{
|
||||
objectMetadataId: companyObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: false,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
],
|
||||
[
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canUpdateObjectRecords',
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.upsertObjectPermissions).toHaveLength(2);
|
||||
});
|
||||
|
||||
it('should throw error when one object has invalid permissions', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
customRoleId,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: true,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
{
|
||||
objectMetadataId: companyObjectId,
|
||||
canReadObjectRecords: false,
|
||||
canUpdateObjectRecords: true, // This should fail
|
||||
canSoftDeleteObjectRecords: false,
|
||||
canDestroyObjectRecords: false,
|
||||
},
|
||||
],
|
||||
[
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canUpdateObjectRecords',
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('cases with role with no rights by default', () => {
|
||||
let roleWithoutPermissions: string;
|
||||
|
||||
beforeEach(async () => {
|
||||
// Create a role with write permissions as defaults
|
||||
const roleWithoutPermissionsQuery = createRoleOperation({
|
||||
label: 'TestRoleWithNoRights',
|
||||
description: 'Test role with no rights',
|
||||
canUpdateAllSettings: false,
|
||||
canReadAllObjectRecords: false,
|
||||
canUpdateAllObjectRecords: false,
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
canDestroyAllObjectRecords: false,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(roleWithoutPermissionsQuery);
|
||||
|
||||
roleWithoutPermissions = response.body.data.createOneRole.id;
|
||||
});
|
||||
|
||||
afterEach(async () => {
|
||||
if (roleWithoutPermissions) {
|
||||
await deleteRole(client, roleWithoutPermissions);
|
||||
}
|
||||
});
|
||||
|
||||
it('should throw error when read=true and write permissions inherit false from role defaults', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
roleWithoutPermissions,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canUpdateObjectRecords: true,
|
||||
},
|
||||
],
|
||||
['objectMetadataId', 'canReadObjectRecords'],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_ON_NON_READABLE_OBJECT,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
|
||||
it('should work when read=true and update=true', async () => {
|
||||
const operation = createUpsertObjectPermissionsOperation(
|
||||
roleWithoutPermissions,
|
||||
[
|
||||
{
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: true,
|
||||
canUpdateObjectRecords: true,
|
||||
},
|
||||
],
|
||||
);
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.upsertObjectPermissions).toHaveLength(1);
|
||||
expect(response.body.data.upsertObjectPermissions[0]).toMatchObject({
|
||||
objectMetadataId: personObjectId,
|
||||
canReadObjectRecords: true,
|
||||
canUpdateObjectRecords: true,
|
||||
canSoftDeleteObjectRecords: null,
|
||||
canDestroyObjectRecords: null,
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
@ -0,0 +1,347 @@
|
||||
import gql from 'graphql-tag';
|
||||
import { default as request } from 'supertest';
|
||||
import { createRoleOperation } from 'test/integration/graphql/utils/create-custom-role-operation-factory.util';
|
||||
import { deleteRole } from 'test/integration/graphql/utils/delete-one-role.util';
|
||||
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
|
||||
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
|
||||
|
||||
import { ErrorCode } from 'src/engine/core-modules/graphql/utils/graphql-errors.util';
|
||||
import { PermissionsExceptionMessage } from 'src/engine/metadata-modules/permissions/permissions.exception';
|
||||
import { SEED_APPLE_WORKSPACE_ID } from 'src/engine/workspace-manager/dev-seeder/core/utils/seed-workspaces.util';
|
||||
|
||||
const client = request(`http://localhost:${APP_PORT}`);
|
||||
|
||||
describe('Role Permissions Validation', () => {
|
||||
beforeAll(async () => {
|
||||
const enablePermissionsQuery = updateFeatureFlagFactory(
|
||||
SEED_APPLE_WORKSPACE_ID,
|
||||
'IS_PERMISSIONS_V2_ENABLED',
|
||||
true,
|
||||
);
|
||||
|
||||
await makeGraphqlAPIRequest(enablePermissionsQuery);
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
const disablePermissionsQuery = updateFeatureFlagFactory(
|
||||
SEED_APPLE_WORKSPACE_ID,
|
||||
'IS_PERMISSIONS_V2_ENABLED',
|
||||
false,
|
||||
);
|
||||
|
||||
await makeGraphqlAPIRequest(disablePermissionsQuery);
|
||||
});
|
||||
|
||||
describe('validateRoleDoesNotHaveWritingPermissionsWithoutReadingPermissionsOrThrow', () => {
|
||||
describe('createRole - Valid Cases', () => {
|
||||
it('should allow creating role with read=true and any write permissions', async () => {
|
||||
const operation = createRoleOperation({
|
||||
label: 'ValidRole',
|
||||
description: 'Valid role with read and write permissions',
|
||||
canUpdateAllSettings: true,
|
||||
canReadAllObjectRecords: true,
|
||||
canUpdateAllObjectRecords: true,
|
||||
canSoftDeleteAllObjectRecords: true,
|
||||
canDestroyAllObjectRecords: true,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.createOneRole).toBeDefined();
|
||||
expect(response.body.data.createOneRole.label).toBe('ValidRole');
|
||||
});
|
||||
|
||||
it('should allow creating role with read=false and all write permissions=false', async () => {
|
||||
const operation = createRoleOperation({
|
||||
label: 'ValidNoWriteRole',
|
||||
description: 'Valid role with no write permissions',
|
||||
canUpdateAllSettings: false,
|
||||
canReadAllObjectRecords: false,
|
||||
canUpdateAllObjectRecords: false,
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
canDestroyAllObjectRecords: false,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.createOneRole).toBeDefined();
|
||||
expect(response.body.data.createOneRole.label).toBe('ValidNoWriteRole');
|
||||
});
|
||||
});
|
||||
|
||||
describe('createRole - Invalid Cases', () => {
|
||||
it('should throw error when creating role with read=false but canDestroyAllObjectRecords=true', async () => {
|
||||
const operation = createRoleOperation({
|
||||
label: 'InvalidDestroyRole',
|
||||
description: 'Invalid role with destroy permission but no read',
|
||||
canUpdateAllSettings: false,
|
||||
canReadAllObjectRecords: false,
|
||||
canUpdateAllObjectRecords: false,
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
canDestroyAllObjectRecords: true,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_WITHOUT_READING_PERMISSION,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe('updateRole - Valid Cases', () => {
|
||||
let baseRoleId: string;
|
||||
|
||||
beforeEach(async () => {
|
||||
const operation = createRoleOperation({
|
||||
label: 'BaseRole',
|
||||
description: 'Base role for update tests',
|
||||
canUpdateAllSettings: false,
|
||||
canReadAllObjectRecords: true,
|
||||
canUpdateAllObjectRecords: false,
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
canDestroyAllObjectRecords: false,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
baseRoleId = response.body.data.createOneRole.id;
|
||||
});
|
||||
|
||||
afterEach(async () => {
|
||||
if (baseRoleId) {
|
||||
await deleteRole(client, baseRoleId);
|
||||
}
|
||||
});
|
||||
|
||||
it('should allow updating role to have read=true and any write permissions', async () => {
|
||||
const updateRoleOperation = {
|
||||
query: gql`
|
||||
mutation UpdateOneRole($updateRoleInput: UpdateRoleInput!) {
|
||||
updateOneRole(updateRoleInput: $updateRoleInput) {
|
||||
id
|
||||
canReadAllObjectRecords
|
||||
canUpdateAllObjectRecords
|
||||
canSoftDeleteAllObjectRecords
|
||||
canDestroyAllObjectRecords
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
updateRoleInput: {
|
||||
id: baseRoleId,
|
||||
update: {
|
||||
canUpdateAllObjectRecords: true,
|
||||
canSoftDeleteAllObjectRecords: true,
|
||||
canDestroyAllObjectRecords: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
const response = await makeGraphqlAPIRequest(updateRoleOperation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.updateOneRole).toBeDefined();
|
||||
expect(response.body.data.updateOneRole.canReadAllObjectRecords).toBe(
|
||||
true,
|
||||
);
|
||||
expect(response.body.data.updateOneRole.canUpdateAllObjectRecords).toBe(
|
||||
true,
|
||||
);
|
||||
expect(
|
||||
response.body.data.updateOneRole.canSoftDeleteAllObjectRecords,
|
||||
).toBe(true);
|
||||
expect(
|
||||
response.body.data.updateOneRole.canDestroyAllObjectRecords,
|
||||
).toBe(true);
|
||||
});
|
||||
|
||||
it('should allow updating role to have read=false and all write permissions=false', async () => {
|
||||
const updateRoleOperation = {
|
||||
query: gql`
|
||||
mutation UpdateOneRole($updateRoleInput: UpdateRoleInput!) {
|
||||
updateOneRole(updateRoleInput: $updateRoleInput) {
|
||||
id
|
||||
canReadAllObjectRecords
|
||||
canUpdateAllObjectRecords
|
||||
canSoftDeleteAllObjectRecords
|
||||
canDestroyAllObjectRecords
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
updateRoleInput: {
|
||||
id: baseRoleId,
|
||||
update: {
|
||||
canReadAllObjectRecords: false,
|
||||
canUpdateAllObjectRecords: false,
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
canDestroyAllObjectRecords: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
const response = await makeGraphqlAPIRequest(updateRoleOperation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.updateOneRole).toBeDefined();
|
||||
expect(response.body.data.updateOneRole.canReadAllObjectRecords).toBe(
|
||||
false,
|
||||
);
|
||||
expect(response.body.data.updateOneRole.canUpdateAllObjectRecords).toBe(
|
||||
false,
|
||||
);
|
||||
expect(
|
||||
response.body.data.updateOneRole.canSoftDeleteAllObjectRecords,
|
||||
).toBe(false);
|
||||
expect(
|
||||
response.body.data.updateOneRole.canDestroyAllObjectRecords,
|
||||
).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
describe('updateRole - Invalid Cases', () => {
|
||||
let roleWithWritePermissionsId: string;
|
||||
|
||||
beforeEach(async () => {
|
||||
const operation = createRoleOperation({
|
||||
label: 'RoleWithWritePermissions',
|
||||
description: 'Role with write permissions for update tests',
|
||||
canUpdateAllSettings: false,
|
||||
canReadAllObjectRecords: true,
|
||||
canUpdateAllObjectRecords: true,
|
||||
canSoftDeleteAllObjectRecords: true,
|
||||
canDestroyAllObjectRecords: true,
|
||||
});
|
||||
|
||||
const response = await makeGraphqlAPIRequest(operation);
|
||||
|
||||
roleWithWritePermissionsId = response.body.data.createOneRole.id;
|
||||
});
|
||||
|
||||
afterEach(async () => {
|
||||
if (roleWithWritePermissionsId) {
|
||||
await deleteRole(client, roleWithWritePermissionsId);
|
||||
}
|
||||
});
|
||||
|
||||
it('should throw error when updating role to read=false but keeping write permissions', async () => {
|
||||
const updateRoleOperation = {
|
||||
query: gql`
|
||||
mutation UpdateOneRole($updateRoleInput: UpdateRoleInput!) {
|
||||
updateOneRole(updateRoleInput: $updateRoleInput) {
|
||||
id
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
updateRoleInput: {
|
||||
id: roleWithWritePermissionsId,
|
||||
update: {
|
||||
canReadAllObjectRecords: false,
|
||||
// Not explicitly setting write permissions, so they keep existing values (true)
|
||||
},
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
const response = await makeGraphqlAPIRequest(updateRoleOperation);
|
||||
|
||||
expect(response.body.data).toBeNull();
|
||||
expect(response.body.errors).toBeDefined();
|
||||
expect(response.body.errors[0].message).toBe(
|
||||
PermissionsExceptionMessage.CANNOT_GIVE_WRITING_PERMISSION_WITHOUT_READING_PERMISSION,
|
||||
);
|
||||
expect(response.body.errors[0].extensions.code).toBe(
|
||||
ErrorCode.BAD_USER_INPUT,
|
||||
);
|
||||
});
|
||||
|
||||
it('should allow updating role to read=false when explicitly setting all write permissions to false', async () => {
|
||||
const updateRoleOperation = {
|
||||
query: gql`
|
||||
mutation UpdateOneRole($updateRoleInput: UpdateRoleInput!) {
|
||||
updateOneRole(updateRoleInput: $updateRoleInput) {
|
||||
id
|
||||
canReadAllObjectRecords
|
||||
canUpdateAllObjectRecords
|
||||
canSoftDeleteAllObjectRecords
|
||||
canDestroyAllObjectRecords
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
updateRoleInput: {
|
||||
id: roleWithWritePermissionsId,
|
||||
update: {
|
||||
canReadAllObjectRecords: false,
|
||||
canUpdateAllObjectRecords: false,
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
canDestroyAllObjectRecords: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
const response = await makeGraphqlAPIRequest(updateRoleOperation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.updateOneRole).toBeDefined();
|
||||
expect(response.body.data.updateOneRole.canReadAllObjectRecords).toBe(
|
||||
false,
|
||||
);
|
||||
expect(response.body.data.updateOneRole.canUpdateAllObjectRecords).toBe(
|
||||
false,
|
||||
);
|
||||
expect(
|
||||
response.body.data.updateOneRole.canSoftDeleteAllObjectRecords,
|
||||
).toBe(false);
|
||||
expect(
|
||||
response.body.data.updateOneRole.canDestroyAllObjectRecords,
|
||||
).toBe(false);
|
||||
});
|
||||
|
||||
it('should allow updating role to read=false when explicitly setting some write permissions to false', async () => {
|
||||
const updateRoleOperation = {
|
||||
query: gql`
|
||||
mutation UpdateOneRole($updateRoleInput: UpdateRoleInput!) {
|
||||
updateOneRole(updateRoleInput: $updateRoleInput) {
|
||||
id
|
||||
canReadAllObjectRecords
|
||||
canUpdateAllObjectRecords
|
||||
canSoftDeleteAllObjectRecords
|
||||
canDestroyAllObjectRecords
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
updateRoleInput: {
|
||||
id: roleWithWritePermissionsId,
|
||||
update: {
|
||||
canSoftDeleteAllObjectRecords: false,
|
||||
// Keep other permissions as they are
|
||||
},
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
const response = await makeGraphqlAPIRequest(updateRoleOperation);
|
||||
|
||||
expect(response.body.errors).toBeUndefined();
|
||||
expect(response.body.data.updateOneRole).toBeDefined();
|
||||
expect(
|
||||
response.body.data.updateOneRole.canSoftDeleteAllObjectRecords,
|
||||
).toBe(false);
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
@ -477,7 +477,7 @@ describe('roles permissions', () => {
|
||||
roleId: string;
|
||||
}) => `
|
||||
mutation UpsertObjectPermissions {
|
||||
upsertObjectPermissions(upsertObjectPermissionsInput: { roleId: "${roleId}", objectPermissions: [{objectMetadataId: "${objectMetadataId}", canUpdateObjectRecords: true}]}) {
|
||||
upsertObjectPermissions(upsertObjectPermissionsInput: { roleId: "${roleId}", objectPermissions: [{objectMetadataId: "${objectMetadataId}", canUpdateObjectRecords: true, canReadObjectRecords: true}]}) {
|
||||
objectMetadataId
|
||||
canUpdateObjectRecords
|
||||
}
|
||||
|
||||
@ -0,0 +1,39 @@
|
||||
import gql from 'graphql-tag';
|
||||
|
||||
export const createRoleOperation = ({
|
||||
label,
|
||||
description,
|
||||
canUpdateAllSettings,
|
||||
canReadAllObjectRecords,
|
||||
canDestroyAllObjectRecords,
|
||||
canUpdateAllObjectRecords,
|
||||
canSoftDeleteAllObjectRecords,
|
||||
}: {
|
||||
label: string;
|
||||
description: string;
|
||||
canUpdateAllSettings: boolean;
|
||||
canReadAllObjectRecords: boolean;
|
||||
canDestroyAllObjectRecords: boolean;
|
||||
canUpdateAllObjectRecords: boolean;
|
||||
canSoftDeleteAllObjectRecords: boolean;
|
||||
}) => ({
|
||||
query: gql`
|
||||
mutation CreateOneRole($createRoleInput: CreateRoleInput!) {
|
||||
createOneRole(createRoleInput: $createRoleInput) {
|
||||
id
|
||||
label
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
createRoleInput: {
|
||||
label,
|
||||
description,
|
||||
canUpdateAllSettings,
|
||||
canReadAllObjectRecords,
|
||||
canUpdateAllObjectRecords,
|
||||
canSoftDeleteAllObjectRecords,
|
||||
canDestroyAllObjectRecords,
|
||||
},
|
||||
},
|
||||
});
|
||||
@ -0,0 +1,39 @@
|
||||
import gql from 'graphql-tag';
|
||||
|
||||
export const createUpsertObjectPermissionsOperation = (
|
||||
roleId: string,
|
||||
objectPermissions: Array<{
|
||||
objectMetadataId: string;
|
||||
canReadObjectRecords?: boolean;
|
||||
canUpdateObjectRecords?: boolean;
|
||||
canSoftDeleteObjectRecords?: boolean;
|
||||
canDestroyObjectRecords?: boolean;
|
||||
}>,
|
||||
selectedFields: string[] = [
|
||||
'objectMetadataId',
|
||||
'canReadObjectRecords',
|
||||
'canUpdateObjectRecords',
|
||||
'canSoftDeleteObjectRecords',
|
||||
'canDestroyObjectRecords',
|
||||
],
|
||||
) => ({
|
||||
query: gql`
|
||||
mutation UpsertObjectPermissions(
|
||||
$roleId: String!
|
||||
$objectPermissions: [ObjectPermissionInput!]!
|
||||
) {
|
||||
upsertObjectPermissions(
|
||||
upsertObjectPermissionsInput: {
|
||||
roleId: $roleId
|
||||
objectPermissions: $objectPermissions
|
||||
}
|
||||
) {
|
||||
${selectedFields.join('\n')}
|
||||
}
|
||||
}
|
||||
`,
|
||||
variables: {
|
||||
roleId,
|
||||
objectPermissions,
|
||||
},
|
||||
});
|
||||
Reference in New Issue
Block a user