test post invisibility for unauthenticated users

2025-12-13 07:45:56 +00:00 · 2022-10-04 02:28:42 +02:00 · 2022-10-04 02:28:42 +02:00 · 4331c73414
commit 4331c73414
parent 32d3c5e904
2 changed files with 50 additions and 2 deletions
--- a/backend/src/schema/resolvers/helpers/filterInvisiblePosts.js
+++ b/backend/src/schema/resolvers/helpers/filterInvisiblePosts.js
@ -4,7 +4,8 @@ const getInvisiblePosts = async (context) => {
  const session = context.driver.session()
  const readTxResultPromise = await session.readTransaction(async (transaction) => {
    let cypher = ''
-    if (context.user) {
+    const { user } = context
+    if (user && user.id) {
      cypher = `
        MATCH (post:Post)<-[:CANNOT_SEE]-(user:User { id: $userId })
        RETURN collect(post.id) AS invisiblePostIds`
@ -14,7 +15,9 @@ const getInvisiblePosts = async (context) => {
        WHERE NOT group.groupType = 'public'
        RETURN  collect(post.id) AS invisiblePostIds`
    }
-    const invisiblePostIdsResponse = await transaction.run(cypher, { userId: context.user.id })
+    const invisiblePostIdsResponse = await transaction.run(cypher, {
+      userId: user ? user.id : null,
+    })
    return invisiblePostIdsResponse.records.map((record) => record.get('invisiblePostIds'))
  })
  try {
--- a/backend/src/schema/resolvers/postsInGroups.spec.js
+++ b/backend/src/schema/resolvers/postsInGroups.spec.js
@ -359,6 +359,51 @@ describe('Posts in Groups', () => {

  describe('visibility of posts', () => {
    describe('query post by ID', () => {
+      describe('without authentication', () => {
+        beforeEach(async () => {
+          authenticatedUser = null
+        })
+
+        it('shows a post of the public group', async () => {
+          await expect(
+            query({ query: postQuery(), variables: { id: 'post-to-public-group' } }),
+          ).resolves.toMatchObject({
+            data: {
+              Post: expect.arrayContaining([
+                {
+                  id: 'post-to-public-group',
+                  title: 'A post to a public group',
+                  content: 'I am posting into a public group as a member of the group',
+                },
+              ]),
+            },
+            errors: undefined,
+          })
+        })
+
+        it('does not show a post of a closed group', async () => {
+          await expect(
+            query({ query: postQuery(), variables: { id: 'post-to-closed-group' } }),
+          ).resolves.toMatchObject({
+            data: {
+              Post: [],
+            },
+            errors: undefined,
+          })
+        })
+
+        it('does not show a post of a hidden group', async () => {
+          await expect(
+            query({ query: postQuery(), variables: { id: 'post-to-hidden-group' } }),
+          ).resolves.toMatchObject({
+            data: {
+              Post: [],
+            },
+            errors: undefined,
+          })
+        })
+      })
+
      describe('without membership of group', () => {
        beforeEach(async () => {
          authenticatedUser = await anyUser.toJson()