c8753ae59e
Closes https://github.com/twentyhq/core-team-issues/issues/1217 We should only query and return the fields that are readable when using the rest api. This is behind a feature flag.
175 lines
4.9 KiB
TypeScript
175 lines
4.9 KiB
TypeScript
import gql from 'graphql-tag';
|
|
import { TEST_PERSON_1_ID } from 'test/integration/constants/test-person-ids.constants';
|
|
import { makeGraphqlAPIRequest } from 'test/integration/graphql/utils/make-graphql-api-request.util';
|
|
import { updateFeatureFlagFactory } from 'test/integration/graphql/utils/update-feature-flag-factory.util';
|
|
import { upsertFieldPermissions } from 'test/integration/graphql/utils/upsert-field-permissions.util';
|
|
import { makeMetadataAPIRequest } from 'test/integration/metadata/suites/utils/make-metadata-api-request.util';
|
|
import { makeRestAPIRequest } from 'test/integration/rest/utils/make-rest-api-request.util';
|
|
import { generateRecordName } from 'test/integration/utils/generate-record-name';
|
|
|
|
import { SEED_APPLE_WORKSPACE_ID } from 'src/engine/workspace-manager/dev-seeder/core/utils/seed-workspaces.util';
|
|
|
|
describe('Restricted fields', () => {
|
|
let personCity: string;
|
|
let adminRoleId: string;
|
|
let personObjectId: string;
|
|
let emailsFieldId: string;
|
|
|
|
beforeAll(async () => {
|
|
personCity = generateRecordName(TEST_PERSON_1_ID);
|
|
|
|
await makeRestAPIRequest({
|
|
method: 'post',
|
|
path: '/people',
|
|
body: {
|
|
id: TEST_PERSON_1_ID,
|
|
city: personCity,
|
|
emails: {
|
|
primaryEmail: 'test@test.com',
|
|
},
|
|
},
|
|
});
|
|
|
|
// Get object metadata IDs for Person and Company
|
|
const getObjectMetadataOperation = {
|
|
query: gql`
|
|
query {
|
|
objects(paging: { first: 1000 }) {
|
|
edges {
|
|
node {
|
|
id
|
|
nameSingular
|
|
}
|
|
}
|
|
}
|
|
}
|
|
`,
|
|
};
|
|
|
|
const objectMetadataResponse = await makeMetadataAPIRequest(
|
|
getObjectMetadataOperation,
|
|
);
|
|
const objects = objectMetadataResponse.body.data.objects.edges;
|
|
|
|
personObjectId = objects.find(
|
|
(obj: any) => obj.node.nameSingular === 'person',
|
|
)?.node.id;
|
|
|
|
// Get field metadata ID for email field
|
|
const getFieldMetadataOperation = {
|
|
query: gql`
|
|
query {
|
|
fields(paging: { first: 1000 }) {
|
|
edges {
|
|
node {
|
|
id
|
|
name
|
|
object {
|
|
nameSingular
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
`,
|
|
};
|
|
|
|
const fieldMetadataResponse = await makeMetadataAPIRequest(
|
|
getFieldMetadataOperation,
|
|
);
|
|
const fields = fieldMetadataResponse.body.data.fields.edges;
|
|
|
|
emailsFieldId = fields.find(
|
|
(field: any) =>
|
|
field.node.name === 'emails' &&
|
|
field.node.object.nameSingular === 'person',
|
|
).node.id;
|
|
|
|
// Get admin role ID
|
|
const getRolesOperation = {
|
|
query: gql`
|
|
query {
|
|
getRoles {
|
|
id
|
|
label
|
|
}
|
|
}
|
|
`,
|
|
};
|
|
|
|
const rolesResponse = await makeMetadataAPIRequest(getRolesOperation);
|
|
|
|
adminRoleId = rolesResponse.body.data.getRoles.find(
|
|
(role: any) => role.label === 'Member',
|
|
)?.id;
|
|
|
|
// Create field permission restricting read access to email field
|
|
await upsertFieldPermissions({
|
|
roleId: adminRoleId,
|
|
fieldPermissions: [
|
|
{
|
|
objectMetadataId: personObjectId,
|
|
fieldMetadataId: emailsFieldId,
|
|
canReadFieldValue: false,
|
|
canUpdateFieldValue: null,
|
|
},
|
|
],
|
|
});
|
|
});
|
|
|
|
describe('With Feature flag enabled', () => {
|
|
beforeAll(async () => {
|
|
const enablePermissionsQuery = updateFeatureFlagFactory(
|
|
SEED_APPLE_WORKSPACE_ID,
|
|
'IS_FIELDS_PERMISSIONS_ENABLED',
|
|
true,
|
|
);
|
|
|
|
await makeGraphqlAPIRequest(enablePermissionsQuery);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
const disablePermissionsQuery = updateFeatureFlagFactory(
|
|
SEED_APPLE_WORKSPACE_ID,
|
|
'IS_FIELDS_PERMISSIONS_ENABLED',
|
|
false,
|
|
);
|
|
|
|
await makeGraphqlAPIRequest(disablePermissionsQuery);
|
|
});
|
|
it('should hide fields when user has restricted read permissions', async () => {
|
|
await makeRestAPIRequest({
|
|
method: 'get',
|
|
path: `/people/${TEST_PERSON_1_ID}`,
|
|
bearer: APPLE_JONY_MEMBER_ACCESS_TOKEN,
|
|
})
|
|
.expect(200)
|
|
.expect((res) => {
|
|
const person = res.body.data.person;
|
|
|
|
expect(person).toBeDefined();
|
|
expect(person.id).toBeDefined();
|
|
expect(person.emails).toBeUndefined();
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('With feature flag disabled', () => {
|
|
it('should query all fields despite field permission restriction', async () => {
|
|
await makeRestAPIRequest({
|
|
method: 'get',
|
|
path: `/people/${TEST_PERSON_1_ID}`,
|
|
bearer: APPLE_JONY_MEMBER_ACCESS_TOKEN,
|
|
})
|
|
.expect(200)
|
|
.expect((res) => {
|
|
const person = res.body.data.person;
|
|
|
|
expect(person).toBeDefined();
|
|
expect(person.id).toBeDefined();
|
|
expect(person.emails).toBeDefined();
|
|
});
|
|
});
|
|
});
|
|
});
|