Merge remote-tracking branch 'origin/master' into 37-full-text-search-top-bar

2025-12-13 07:46:06 +00:00 · 2019-03-06 18:49:34 +01:00 · 2019-03-06 18:49:34 +01:00 · fcb51e4eda
commit fcb51e4eda
parent adcedb264f 2813de4f8b
8 changed files with 201 additions and 42 deletions
--- a/package.json
+++ b/package.json
@ -75,7 +75,7 @@
    "babel-eslint": "~10.0.1",
    "babel-jest": "~24.1.0",
    "chai": "~4.2.0",
-    "eslint": "~5.15.0",
+    "eslint": "~5.15.1",
    "eslint-config-standard": "~12.0.0",
    "eslint-plugin-import": "~2.16.0",
    "eslint-plugin-jest": "~22.3.0",
--- a/src/middleware/permissionsMiddleware.js
+++ b/src/middleware/permissionsMiddleware.js
@ -25,6 +25,22 @@ const onlyEnabledContent = rule({ cache: 'strict' })(async (parent, args, ctx, i
  return !(disabled || deleted)
 })

+const isAuthor = rule({ cache: 'no_cache' })(async (parent, args, { user, driver }) => {
+  if (!user) return false
+  const session = driver.session()
+  const { id: postId } = args
+  const result = await session.run(`
+  MATCH (post:Post {id: $postId})<-[:WROTE]-(author)
+  RETURN author
+  `, { postId })
+  const [author] = result.records.map((record) => {
+    return record.get('author')
+  })
+  const { properties: { id: authorId } } = author
+  session.close()
+  return authorId === user.id
+})
+
 // Permissions
 const permissions = shield({
  Query: {
@ -34,8 +50,8 @@ const permissions = shield({
  },
  Mutation: {
    CreatePost: isAuthenticated,
-    // TODO UpdatePost: isOwner,
-    // TODO DeletePost: isOwner,
+    UpdatePost: isAuthor,
+    DeletePost: isAuthor,
    report: isAuthenticated,
    CreateBadge: isAdmin,
    UpdateBadge: isAdmin,
--- a/src/middleware/softDeleteMiddleware.js
+++ b/src/middleware/softDeleteMiddleware.js
@ -19,5 +19,8 @@ export default {
    User: async (resolve, root, args, context, info) => {
      return resolve(root, setDefaults(args), context, info)
    }
+  },
+  Mutation: async (resolve, root, args, context, info) => {
+    return resolve(root, setDefaults(args), context, info)
  }
 }
--- a/src/resolvers/posts.js
+++ b/src/resolvers/posts.js
@ -2,21 +2,20 @@ import { neo4jgraphql } from 'neo4j-graphql-js'

 export default {
  Mutation: {
-    CreatePost: async (object, params, ctx, resolveInfo) => {
-      const result = await neo4jgraphql(object, params, ctx, resolveInfo, false)
+    CreatePost: async (object, params, context, resolveInfo) => {
+      const result = await neo4jgraphql(object, params, context, resolveInfo, false)

-      const session = ctx.driver.session()
+      const session = context.driver.session()
      await session.run(
        'MATCH (author:User {id: $userId}), (post:Post {id: $postId}) ' +
        'MERGE (post)<-[:WROTE]-(author) ' +
        'RETURN author', {
-          userId: ctx.user.id,
+          userId: context.user.id,
          postId: result.id
        })
      session.close()

      return result
    }
-
  }
 }
--- a/src/resolvers/posts.spec.js
+++ b/src/resolvers/posts.spec.js
@ -3,6 +3,7 @@ import { GraphQLClient } from 'graphql-request'
 import { host, login } from '../jest/helpers'

 const factory = Factory()
+let client

 beforeEach(async () => {
  await factory.create('User', {
@ -16,37 +17,44 @@ afterEach(async () => {
 })

 describe('CreatePost', () => {
+  const mutation = `
+    mutation {
+      CreatePost(title: "I am a title", content: "Some content") {
+        title
+        content
+        slug
+        disabled
+        deleted
+      }
+    }
+  `
+
  describe('unauthenticated', () => {
-    let client
    it('throws authorization error', async () => {
      client = new GraphQLClient(host)
-      await expect(client.request(`mutation {
-        CreatePost(
-          title: "I am a post",
-          content: "Some content"
-        ) { slug }
-      }`)).rejects.toThrow('Not Authorised')
+      await expect(client.request(mutation)).rejects.toThrow('Not Authorised')
+    })
  })

  describe('authenticated', () => {
    let headers
-      let response
    beforeEach(async () => {
      headers = await login({ email: 'test@example.org', password: '1234' })
      client = new GraphQLClient(host, { headers })
-        response = await client.request(`mutation {
-        CreatePost(
-          title: "A title",
-          content: "Some content"
-        ) { title, content }
-      }`, { headers })
    })

-      it('creates a post', () => {
-        expect(response).toEqual({ CreatePost: { title: 'A title', content: 'Some content' } })
+    it('creates a post', async () => {
+      const expected = {
+        CreatePost: {
+          title: 'I am a title',
+          content: 'Some content'
+        }
+      }
+      await expect(client.request(mutation)).resolves.toMatchObject(expected)
    })

    it('assigns the authenticated user as author', async () => {
+      await client.request(mutation)
      const { User } = await client.request(`{
          User(email:"test@example.org") {
            contributions {
@ -54,8 +62,141 @@ describe('CreatePost', () => {
            }
          }
        }`, { headers })
-        expect(User).toEqual([ { contributions: [ { title: 'A title' } ] } ])
+      expect(User).toEqual([ { contributions: [ { title: 'I am a title' } ] } ])
+    })
+
+    describe('disabled and deleted', () => {
+      it('initially false', async () => {
+        const expected = { CreatePost: { disabled: false, deleted: false } }
+        await expect(client.request(mutation)).resolves.toMatchObject(expected)
      })
    })
  })
 })
+
+describe('UpdatePost', () => {
+  const mutation = `
+    mutation($id: ID!, $content: String) {
+      UpdatePost(id: $id, content: $content) {
+        id
+        content
+      }
+    }
+  `
+
+  let variables = {
+    id: 'p1',
+    content: 'New content'
+  }
+
+  beforeEach(async () => {
+    const asAuthor = Factory()
+    await asAuthor.create('User', {
+      email: 'author@example.org',
+      password: '1234'
+    })
+    await asAuthor.authenticateAs({
+      email: 'author@example.org',
+      password: '1234'
+    })
+    await asAuthor.create('Post', {
+      id: 'p1',
+      content: 'Old content'
+    })
+  })
+
+  describe('unauthenticated', () => {
+    it('throws authorization error', async () => {
+      client = new GraphQLClient(host)
+      await expect(client.request(mutation, variables)).rejects.toThrow('Not Authorised')
+    })
+  })
+
+  describe('authenticated but not the author', () => {
+    let headers
+    beforeEach(async () => {
+      headers = await login({ email: 'test@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+    })
+
+    it('throws authorization error', async () => {
+      await expect(client.request(mutation, variables)).rejects.toThrow('Not Authorised')
+    })
+  })
+
+  describe('authenticated as author', () => {
+    let headers
+    beforeEach(async () => {
+      headers = await login({ email: 'author@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+    })
+
+    it('updates a post', async () => {
+      const expected = { UpdatePost: { id: 'p1', content: 'New content' } }
+      await expect(client.request(mutation, variables)).resolves.toEqual(expected)
+    })
+  })
+})
+
+describe('DeletePost', () => {
+  const mutation = `
+    mutation($id: ID!) {
+      DeletePost(id: $id) {
+        id
+        content
+      }
+    }
+  `
+
+  let variables = {
+    id: 'p1'
+  }
+
+  beforeEach(async () => {
+    const asAuthor = Factory()
+    await asAuthor.create('User', {
+      email: 'author@example.org',
+      password: '1234'
+    })
+    await asAuthor.authenticateAs({
+      email: 'author@example.org',
+      password: '1234'
+    })
+    await asAuthor.create('Post', {
+      id: 'p1',
+      content: 'To be deleted'
+    })
+  })
+
+  describe('unauthenticated', () => {
+    it('throws authorization error', async () => {
+      client = new GraphQLClient(host)
+      await expect(client.request(mutation, variables)).rejects.toThrow('Not Authorised')
+    })
+  })
+
+  describe('authenticated but not the author', () => {
+    let headers
+    beforeEach(async () => {
+      headers = await login({ email: 'test@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+    })
+
+    it('throws authorization error', async () => {
+      await expect(client.request(mutation, variables)).rejects.toThrow('Not Authorised')
+    })
+  })
+
+  describe('authenticated as author', () => {
+    let headers
+    beforeEach(async () => {
+      headers = await login({ email: 'author@example.org', password: '1234' })
+      client = new GraphQLClient(host, { headers })
+    })
+
+    it('deletes a post', async () => {
+      const expected = { DeletePost: { id: 'p1', content: 'To be deleted' } }
+      await expect(client.request(mutation, variables)).resolves.toEqual(expected)
+    })
+  })
+})
--- a/src/seed/factories/organizations.js
+++ b/src/seed/factories/organizations.js
@ -4,7 +4,7 @@ import uuid from 'uuid/v4'
 export default function create (params) {
  const {
    id = uuid(),
-    name = faker.comany.companyName(),
+    name = faker.company.companyName(),
    description = faker.company.catchPhrase(),
    disabled = false,
    deleted = false
--- a/src/seed/seed-db.js
+++ b/src/seed/seed-db.js
@ -82,12 +82,12 @@ import Factory from './factories'
    await Promise.all([
      asAdmin.create('Post',     { id: 'p0' }),
      asModerator.create('Post', { id: 'p1' }),
-      asUser.create('Post',      { id: 'p2' }),
+      asUser.create('Post',      { id: 'p2', deleted: true }),
      asTick.create('Post',      { id: 'p3' }),
      asTrick.create('Post',     { id: 'p4' }),
      asTrack.create('Post',     { id: 'p5' }),
      asAdmin.create('Post',     { id: 'p6' }),
-      asModerator.create('Post', { id: 'p7' }),
+      asModerator.create('Post', { id: 'p7', disabled: true }),
      asUser.create('Post',      { id: 'p8' }),
      asTick.create('Post',      { id: 'p9' }),
      asTrick.create('Post',     { id: 'p10' }),
--- a/yarn.lock
+++ b/yarn.lock
@ -2582,10 +2582,10 @@ eslint-visitor-keys@^1.0.0:
  resolved "https://registry.yarnpkg.com/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz#3f3180fb2e291017716acb4c9d6d5b5c34a6a81d"
  integrity sha512-qzm/XxIbxm/FHyH341ZrbnMUpe+5Bocte9xkmFMzPMjRaZMcXww+MpBptFvtU+79L362nqiLhekCxCxDPaUMBQ==

-eslint@~5.15.0:
-  version "5.15.0"
-  resolved "https://registry.yarnpkg.com/eslint/-/eslint-5.15.0.tgz#f313a2f7c7628d39adeefdba4a9c41f842012c9e"
-  integrity sha512-xwG7SS5JLeqkiR3iOmVgtF8Y6xPdtr6AAsN6ph7Q6R/fv+3UlKYoika8SmNzmb35qdRF+RfTY35kMEdtbi+9wg==
+eslint@~5.15.1:
+  version "5.15.1"
+  resolved "https://registry.yarnpkg.com/eslint/-/eslint-5.15.1.tgz#8266b089fd5391e0009a047050795b1d73664524"
+  integrity sha512-NTcm6vQ+PTgN3UBsALw5BMhgO6i5EpIjQF/Xb5tIh3sk9QhrFafujUOczGz4J24JBlzWclSB9Vmx8d+9Z6bFCg==
  dependencies:
    "@babel/code-frame" "^7.0.0"
    ajv "^6.9.1"