-
-
Notifications
You must be signed in to change notification settings - Fork 741
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
eaed82b
commit 10513c4
Showing
1 changed file
with
56 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -579,7 +579,7 @@ describe('Managing Project access', () => { | |
| email: '[email protected]', | ||
| }); | ||
| const projectCustomer = await stores.userStore.insert({ | ||
| name: 'Some project customer', | ||
| name: 'Some Used to prove that you can not assign a role you do not have via setRolesForGroupproject customer', | ||
| email: '[email protected]', | ||
| }); | ||
| const ownerRole = await stores.roleStore.getRoleByName(RoleName.OWNER); | ||
|
|
@@ -772,81 +772,101 @@ describe('Managing Project access', () => { | |
| ), | ||
| ); | ||
| }); | ||
| test('Users can not assign roles they do not have to a user through explicit roles endpoint', async () => { | ||
|
|
||
| test('Users can not assign roles where they do not hold the same permissions', async () => { | ||
| const project = { | ||
| id: 'user_fail_assign_to_user', | ||
| name: 'user_fail_assign_to_user', | ||
| description: '', | ||
| mode: 'open' as const, | ||
| defaultStickiness: 'clientId', | ||
| }; | ||
|
|
||
| const auditUser = extractAuditInfoFromUser(user); | ||
| await projectService.createProject(project, user, auditUser); | ||
| const projectUser = await stores.userStore.insert({ | ||
| name: 'Some project user', | ||
| email: '[email protected]', | ||
| }); | ||
| const projectAuditUser = extractAuditInfoFromUser(projectUser); | ||
| const secondUser = await stores.userStore.insert({ | ||
| name: 'Some other user', | ||
| email: '[email protected]', | ||
| }); | ||
| const customRole = await stores.roleStore.create({ | ||
| name: 'role_that_noone_has', | ||
| roleType: 'custom', | ||
| description: | ||
| 'Used to prove that you can not assign a role you do not have via setRolesForUser', | ||
| }); | ||
|
|
||
| const customRoleUserAccess = await accessService.createRole( | ||
| { | ||
| name: 'Project-permissions-lead', | ||
| description: 'Role', | ||
| permissions: [ | ||
| { | ||
| name: 'PROJECT_USER_ACCESS_WRITE', | ||
| }, | ||
| ], | ||
| createdByUserId: SYSTEM_USER_ID, | ||
| }, | ||
| SYSTEM_USER_AUDIT, | ||
| ); | ||
|
|
||
| const customRoleUpdateEnvironments = await accessService.createRole( | ||
| { | ||
| name: 'Project Lead', | ||
| description: 'Role', | ||
| permissions: [ | ||
| { | ||
| name: 'UPDATE_FEATURE_ENVIRONMENT', | ||
| environment: 'production', | ||
| }, | ||
| { | ||
| name: 'CREATE_FEATURE_STRATEGY', | ||
| environment: 'production', | ||
| }, | ||
| ], | ||
| createdByUserId: SYSTEM_USER_ID, | ||
| }, | ||
| SYSTEM_USER_AUDIT, | ||
| ); | ||
|
|
||
| await projectService.setRolesForUser( | ||
| project.id, | ||
| projectUser.id, | ||
| [customRoleUserAccess.id], | ||
| auditUser, | ||
| ); | ||
|
|
||
| const auditProjectUser = extractAuditInfoFromUser(projectUser); | ||
|
|
||
| await expect( | ||
| projectService.setRolesForUser( | ||
| project.id, | ||
| secondUser.id, | ||
| [customRole.id], | ||
| projectAuditUser, | ||
| [customRoleUpdateEnvironments.id], | ||
| auditProjectUser, | ||
| ), | ||
| ).rejects.toThrow( | ||
| new InvalidOperationError( | ||
| 'User tried to assign a role they did not have access to', | ||
| ), | ||
| ); | ||
| }); | ||
| test('Users can not assign roles they do not have to a group through explicit roles endpoint', async () => { | ||
| const project = { | ||
| id: 'user_fail_assign_to_group', | ||
| name: 'user_fail_assign_to_group', | ||
| description: '', | ||
| mode: 'open' as const, | ||
| defaultStickiness: 'clientId', | ||
| }; | ||
| await projectService.createProject(project, user, auditUser); | ||
| const projectUser = await stores.userStore.insert({ | ||
| name: 'Some project user', | ||
| email: '[email protected]', | ||
| }); | ||
| const projectAuditUser = extractAuditInfoFromUser(projectUser); | ||
|
|
||
| const group = await stores.groupStore.create({ | ||
| name: 'Some group_awaiting_role', | ||
| }); | ||
| const customRole = await stores.roleStore.create({ | ||
| name: 'role_that_noone_has_fail_assign_group', | ||
| roleType: 'custom', | ||
| description: | ||
| 'Used to prove that you can not assign a role you do not have via setRolesForGroup', | ||
| }); | ||
| return expect( | ||
|
|
||
| await expect( | ||
| projectService.setRolesForGroup( | ||
| project.id, | ||
| group.id, | ||
| [customRole.id], | ||
| projectAuditUser, | ||
| [customRoleUpdateEnvironments.id], | ||
| auditProjectUser, | ||
| ), | ||
| ).rejects.toThrow( | ||
| new InvalidOperationError( | ||
| 'User tried to assign a role they did not have access to', | ||
| ), | ||
| ); | ||
| }); | ||
| }); | ||
|
|
||
|
|
||
| test('should add admin users to the project', async () => { | ||
| const project = { | ||
| id: 'add-admin-users', | ||
|
|
||