From 4331c7341479328256eb38211f53ad87c782d39c Mon Sep 17 00:00:00 2001
From: Moriz Wahl
Date: Tue, 4 Oct 2022 02:28:42 +0200
Subject: [PATCH] test post invisibility for unauthenticated users
---
 .../resolvers/helpers/filterInvisiblePosts.js | 7 ++-
 .../schema/resolvers/postsInGroups.spec.js | 45 +++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/backend/src/schema/resolvers/helpers/filterInvisiblePosts.js b/backend/src/schema/resolvers/helpers/filterInvisiblePosts.js
index ba44850e8..108f9c007 100644
--- a/backend/src/schema/resolvers/helpers/filterInvisiblePosts.js
+++ b/backend/src/schema/resolvers/helpers/filterInvisiblePosts.js
@@ -4,7 +4,8 @@ const getInvisiblePosts = async (context) => {
 const session = context.driver.session()
 const readTxResultPromise = await session.readTransaction(async (transaction) => {
 let cypher = ''
- if (context.user) {
+ const { user } = context
+ if (user && user.id) {
 cypher = `
 MATCH (post:Post)<-[:CANNOT_SEE]-(user:User { id: $userId })
 RETURN collect(post.id) AS invisiblePostIds`
@@ -14,7 +15,9 @@ const getInvisiblePosts = async (context) => {
 WHERE NOT group.groupType = 'public'
 RETURN collect(post.id) AS invisiblePostIds`
 }
- const invisiblePostIdsResponse = await transaction.run(cypher, { userId: context.user.id })
+ const invisiblePostIdsResponse = await transaction.run(cypher, {
+ userId: user ? user.id : null,
+ })
 return invisiblePostIdsResponse.records.map((record) => record.get('invisiblePostIds'))
 })
 try {
diff --git a/backend/src/schema/resolvers/postsInGroups.spec.js b/backend/src/schema/resolvers/postsInGroups.spec.js
index 9760df4e9..87f3a13ea 100644
--- a/backend/src/schema/resolvers/postsInGroups.spec.js
+++ b/backend/src/schema/resolvers/postsInGroups.spec.js
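Review bot: In filterInvisiblePosts.js the branch that selects the query tests `user && user.id`, while the parameter built at the `transaction.run` call in the second hunk tests only `user`, so the visibility decision and the value bound to `$userId` come from two different conditions. Deriving the id once, `const userId = user && user.id ? user.id : null`, then branching on `if (userId)` and passing `{ userId }`, keeps them in step. A user object without an `id` now falls through to the anonymous query, which is the restrictive choice; a comment such as `// no user id: treat as unauthenticated and hide posts of non-public groups` would record that this is intended. The body of getInvisiblePosts starts and ends outside both hunks.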
@@ -359,6 +359,51 @@ describe('Posts in Groups', () => {
 describe('visibility of posts', () => {
 describe('query post by ID', () => {
+ describe('without authentication', () => {
+ beforeEach(async () => {
+ authenticatedUser = null
+ })
+
+ it('shows a post of the public group', async () => {
+ await expect(
+ query({ query: postQuery(), variables: { id: 'post-to-public-group' } }),
+ ).resolves.toMatchObject({
+ data: {
+ Post: expect.arrayContaining([
+ {
+ id: 'post-to-public-group',
+ title: 'A post to a public group',
+ content: 'I am posting into a public group as a member of the group',
+ },
+ ]),
+ },
+ errors: undefined,
+ })
+ })
+
+ it('does not show a post of a closed group', async () => {
+ await expect(
+ query({ query: postQuery(), variables: { id: 'post-to-closed-group' } }),
+ ).resolves.toMatchObject({
+ data: {
+ Post: [],
+ },
+ errors: undefined,
+ })
+ })
+
+ it('does not show a post of a hidden group', async () => {
+ await expect(
+ query({ query: postQuery(), variables: { id: 'post-to-hidden-group' } }),
+ ).resolves.toMatchObject({
+ data: {
+ Post: [],
+ },
+ errors: undefined,
+ })
+ })
+ })
+
 describe('without membership of group', () => {
 beforeEach(async () => {
 authenticatedUser = await anyUser.toJson()
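Review bot: The three anonymous cases set `authenticatedUser = null`, so they exercise only the missing-user input; nothing in this hunk covers a user object that lacks an `id`, which the new `user && user.id` guard in filterInvisiblePosts.js also routes to the anonymous query. A further case in this `describe` with such a context, expecting `Post: []` for 'post-to-closed-group', would pin that behaviour, provided the test harness can build that context (its setup is outside the hunk). The `beforeEach` callback can drop `async`, since it awaits nothing.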