From 6937c60ef8de53458a8ea09e0ec311594462b217 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Fri, 1 Mar 2019 15:49:11 +0100
Subject: [PATCH] Only admins are allowed to create badges

---
 src/middleware/permissionsMiddleware.js | 10 +++-
 src/resolvers/badges.spec.js | 79 ++++++++++++++++---------
 2 files changed, 58 insertions(+), 31 deletions(-)

diff --git a/src/middleware/permissionsMiddleware.js b/src/middleware/permissionsMiddleware.js
index 928137847..d2dc45094 100644
--- a/src/middleware/permissionsMiddleware.js
+++ b/src/middleware/permissionsMiddleware.js
@@ -16,8 +16,12 @@ const isModerator = rule()(async (parent, args, ctx, info) => {
 })
 */
 
-const isMyOwn = rule({ cache: 'no_cache' })(async (parent, args, ctx, info) => {
-  return ctx.user.id === parent.id
+const isAdmin = rule()(async (parent, args, { user }, info) => {
+  return user && (user.role === 'admin')
+})
+
+const isMyOwn = rule({ cache: 'no_cache' })(async (parent, args, context, info) => {
+  return context.user.id === parent.id
 })
 
 // Permissions
@@ -33,7 +37,7 @@ const permissions = shield({
     // TODO UpdatePost: isOwner,
     // TODO DeletePost: isOwner,
     report: isAuthenticated,
-    CreateBadge: isAuthenticated
+    CreateBadge: isAdmin
     // addFruitToBasket: isAuthenticated
     // CreateUser: allow,
   },
diff --git a/src/resolvers/badges.spec.js b/src/resolvers/badges.spec.js
index abaa85995..3574dae6d 100644
--- a/src/resolvers/badges.spec.js
+++ b/src/resolvers/badges.spec.js
@@ -4,22 +4,21 @@ import { host, login } from '../jest/helpers'
 
 const factory = Factory()
 
-describe('report', () => {
+describe('Badge', () => {
   beforeEach(async () => {
     await factory.create('User', {
       email: 'user@example.org',
+      role: 'user',
       password: '1234'
     })
     await factory.create('User', {
       id: 'u2',
-      name: 'moderator',
       role: 'moderator',
       email: 'moderator@example.org'
     })
     await factory.create('User', {
       id: 'u3',
-      name: 'admin',
-      role: 'moderator',
+      role: 'admin',
       email: 'admin@example.org'
     })
   })
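Review bot: The new `isAdmin` rule resolves to `undefined` rather than `false` for an unauthenticated request, because `user && (...)` short-circuits on a missing `user`; as I read graphql-shield, anything other than `true` is treated as a denial, so the outcome is correct, but returning a proper boolean keeps the rule's contract explicit and avoids relying on that fallback: `return !!user && user.role === 'admin'`. The renamed `isMyOwn` below it still dereferences `context.user.id` without a guard, so an anonymous request on a field protected by it would throw instead of being denied; a `return !!context.user && context.user.id === parent.id` would make it fail closed the same way `isAdmin` does. The second hunk in this file only swaps `CreateBadge: isAuthenticated` for `CreateBadge: isAdmin` and needs no separate change. It would help a reader to annotate the rule with what the role check depends on, e.g. `// Assumes ctx.user.role is populated by the auth middleware from a verified token.`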
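Review bot: The moderator and admin fixtures in the `beforeEach` at the start of `describe('Badge')` set no `password`, yet the specs later log both users in with `password: '1234'`, so the tests presumably depend on a factory default that is not visible here. Making the password explicit on those two fixtures, as the plain-user fixture already does (`password: '1234'`), removes that hidden coupling and keeps a later change to the factory default from turning the authorization tests into login failures. The describe block continues past the end of this hunk.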
@@ -54,32 +53,56 @@ describe('report', () => {
       }`)
       ).rejects.toThrow('Not Authorised')
     })
+  })
 
-    describe('authenticated admin', () => {
-      let headers
-      let response
-      let { id, key, type, status, icon } = params
-      beforeEach(async () => {
-        headers = await login({ email: 'admin@example.org', password: '1234' })
-        client = new GraphQLClient(host, { headers })
-        response = await client.request(`mutation {
-          CreateBadge(
-            id: "${id}",
-            key: "${key}",
-            type: ${type},
-            status: ${status},
-            icon: "${icon}"
-          ) { id }
-        }`,
-        { headers }
-        )
-      })
-      it('creates a badge', () => {
-        let { id } = response.CreateBadge
-        expect(response).toEqual({
-          CreateBadge: { id }
-        })
+  describe('authenticated admin', () => {
+    let client
+    let headers
+    let response
+    let { id, key, type, status, icon } = params
+    beforeEach(async () => {
+      headers = await login({ email: 'admin@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+      response = await client.request(`mutation {
+        CreateBadge(
+          id: "${id}",
+          key: "${key}",
+          type: ${type},
+          status: ${status},
+          icon: "${icon}"
+        ) { id }
+      }`,
+      { headers }
+      )
+    })
+    it('creates a badge', () => {
+      let { id } = response.CreateBadge
+      expect(response).toEqual({
+        CreateBadge: { id }
       })
     })
   })
+
+  describe('authenticated moderator', () => {
+    let client
+    let headers
+    let { id, key, type, status, icon } = params
+    beforeEach(async () => {
+      headers = await login({ email: 'moderator@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+    })
+    it('throws authorization error', async () => {
+      await expect(client.request(`mutation {
+        CreateBadge(
+          id: "${id}",
+          key: "${key}",
+          type: ${type},
+          status: ${status},
+          icon: "${icon}"
+        ) { id }
+      }`,
+      { headers }
+      )).rejects.toThrow('Not Authorised')
+    })
+  })
 })
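Review bot: The `CreateBadge` mutation template is now written out verbatim in both the `authenticated admin` and the new `authenticated moderator` block (and, judging by the `rejects.toThrow('Not Authorised')` context at the top of the hunk, in at least one block above it), so any change to the badge fields has to be repeated in each copy; hoisting it once into a `const createBadgeMutation` template at file scope, built from `params`, would let every block send the same request. The destructuring `let { id, key, type, status, icon } = params` in both blocks is never reassigned and reads better as `const`. The moderator test only asserts on the error message; a follow-up assertion that no badge exists afterwards would pin the intended fail-closed behaviour rather than just the error text, if the test helpers expose a query for that.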