Probably exposed #106

2025-12-13 07:45:56 +00:00 · 2019-01-14 23:00:21 +01:00 · 2019-01-14 23:00:21 +01:00 · 70b20302fe
commit 70b20302fe
parent d0b975e782
2 changed files with 44 additions and 30 deletions
--- a/src/middleware/permissionsMiddleware.spec.js
+++ b/src/middleware/permissionsMiddleware.spec.js
@ -5,12 +5,12 @@ describe('authorization', () => {
  describe('given two existing users', () => {
    beforeEach(async () => {
      await create('user', {
-        email: 'test@example.org',
-        password: '1234'
+        email: 'owner@example.org',
+        password: 'iamtheowner'
      })
      await create('user', {
        email: 'someone@example.org',
-        password: 'hello'
+        password: 'else'
      })
    })

@ -18,28 +18,43 @@ describe('authorization', () => {
      await cleanDatabase()
    })

-    describe('logged in', () => {
+    describe('access email address', () => {
      let headers = {}
-
-      beforeEach(async () => {
-        // headers = authenticatedHeaders({
-        //   email: 'test@example.org',
-        //   password: '1234'
-        // })
-      })
-
-      describe('query email', async () => {
-        it('exposes the owner\'s email address', async () => {
-          const options = {
-            headers,
-            query: `{
-                    User(email: "test@example.org") {
+      const action = async (headers) => {
+        const options = {
+          headers,
+          query: `{
+                    User(email: "owner@example.org") {
                      email
                    }
                  }`
-          }
-          const json = await queryServer(options)
-          expect(json).toEqual({ User: [ { email: 'test@example.org' } ] })
+        }
+        return await queryServer(options)
+      }
+
+      describe('not logged in', async () => {
+        it('does not expose the owner\'s email address', async () => {
+          expect(await action(headers)).toEqual({ User: [ { email: null } ] })
+        })
+      })
+
+      describe('as owner', () => {
+        it('exposes the owner\'s email address', async () => {
+          headers = await authenticatedHeaders({
+            email: 'owner@example.org',
+            password: 'iamtheowner'
+          })
+          expect(await action(headers)).toEqual({ User: [ { email: 'owner@example.org' } ] })
+        })
+      })
+
+      describe('as someone else', () => {
+        it('does not expose the owner\'s email address', async () => {
+          headers = await authenticatedHeaders({
+            email: 'someone@example.org',
+            password: 'else'
+          })
+          expect(await action(headers)).toEqual({ User: [ { email: null } ] })
        })
      })
    })
--- a/src/seed/factories/index.js
+++ b/src/seed/factories/index.js
@ -31,17 +31,16 @@ const create = (model, parameters) => {
  return client.mutate({ mutation: gql(buildMutation(model, parameters)) })
 }

-const cleanDatabase = () => {
+const cleanDatabase = async () => {
  const session = driver.session()
  const cypher = 'MATCH (n) DETACH DELETE n'
-  return session
-    .run(cypher)
-    .then(function (result) {
-      session.close()
-    })
-    .catch(function (error) {
-      console.log(error)
-    })
+  try {
+    const result = await session.run(cypher)
+    session.close()
+    return result
+  } catch (error) {
+    console.log(error)
+  }
 }

 export {