Only admins are allowed to create badges

2025-12-13 07:45:56 +00:00 · 2019-03-01 15:49:11 +01:00 · 2019-03-01 15:49:11 +01:00 · 6937c60ef8
commit 6937c60ef8
parent d8502ef3a9
2 changed files with 58 additions and 31 deletions
--- a/src/middleware/permissionsMiddleware.js
+++ b/src/middleware/permissionsMiddleware.js
@ -16,8 +16,12 @@ const isModerator = rule()(async (parent, args, ctx, info) => {
 })
 */

-const isMyOwn = rule({ cache: 'no_cache' })(async (parent, args, ctx, info) => {
-  return ctx.user.id === parent.id
+const isAdmin = rule()(async (parent, args, { user }, info) => {
+  return user && (user.role === 'admin')
+})
+
+const isMyOwn = rule({ cache: 'no_cache' })(async (parent, args, context, info) => {
+  return context.user.id === parent.id
 })

 // Permissions
@ -33,7 +37,7 @@ const permissions = shield({
    // TODO UpdatePost: isOwner,
    // TODO DeletePost: isOwner,
    report: isAuthenticated,
-    CreateBadge: isAuthenticated
+    CreateBadge: isAdmin
    // addFruitToBasket: isAuthenticated
    // CreateUser: allow,
  },
--- a/src/resolvers/badges.spec.js
+++ b/src/resolvers/badges.spec.js
@ -4,22 +4,21 @@ import { host, login } from '../jest/helpers'

 const factory = Factory()

-describe('report', () => {
+describe('Badge', () => {
  beforeEach(async () => {
    await factory.create('User', {
      email: 'user@example.org',
+      role: 'user',
      password: '1234'
    })
    await factory.create('User', {
      id: 'u2',
-      name: 'moderator',
      role: 'moderator',
      email: 'moderator@example.org'
    })
    await factory.create('User', {
      id: 'u3',
-      name: 'admin',
-      role: 'moderator',
+      role: 'admin',
      email: 'admin@example.org'
    })
  })
@ -54,32 +53,56 @@ describe('report', () => {
      }`)
      ).rejects.toThrow('Not Authorised')
    })
+  })

-    describe('authenticated admin', () => {
-      let headers
-      let response
-      let { id, key, type, status, icon } = params
-      beforeEach(async () => {
-        headers = await login({ email: 'admin@example.org', password: '1234' })
-        client = new GraphQLClient(host, { headers })
-        response = await client.request(`mutation {
-          CreateBadge(
-              id: "${id}",
-              key: "${key}",
-              type: ${type},
-              status: ${status},
-              icon: "${icon}"
-            ) { id }
-          }`,
-        { headers }
-        )
-      })
-      it('creates a badge', () => {
-        let { id } = response.CreateBadge
-        expect(response).toEqual({
-          CreateBadge: { id }
-        })
+  describe('authenticated admin', () => {
+    let client
+    let headers
+    let response
+    let { id, key, type, status, icon } = params
+    beforeEach(async () => {
+      headers = await login({ email: 'admin@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+      response = await client.request(`mutation {
+        CreateBadge(
+            id: "${id}",
+            key: "${key}",
+            type: ${type},
+            status: ${status},
+            icon: "${icon}"
+          ) { id }
+        }`,
+      { headers }
+      )
+    })
+    it('creates a badge', () => {
+      let { id } = response.CreateBadge
+      expect(response).toEqual({
+        CreateBadge: { id }
      })
    })
  })
+
+  describe('authenticated moderator', () => {
+    let client
+    let headers
+    let { id, key, type, status, icon } = params
+    beforeEach(async () => {
+      headers = await login({ email: 'moderator@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+    })
+    it('throws authorization error', async () => {
+      await expect(client.request(`mutation {
+        CreateBadge(
+            id: "${id}",
+            key: "${key}",
+            type: ${type},
+            status: ${status},
+            icon: "${icon}"
+          ) { id }
+        }`,
+      { headers }
+      )).rejects.toThrow('Not Authorised')
+    })
+  })
 })