Merge pull request #33 from epochtalk/role-controller-acls

akinsey · web-flow · commit f45b5d9df2eb · 2023-03-16T12:19:54.000-10:00
Role controller acls
diff --git a/lib/epochtalk_server_web/controllers/role_controller.ex b/lib/epochtalk_server_web/controllers/role_controller.ex
@@ -9,16 +9,18 @@ defmodule EpochtalkServerWeb.RoleController do
   alias EpochtalkServerWeb.Helpers.Validate
   alias EpochtalkServer.Models.Role
   alias EpochtalkServer.Models.RolePermission
+  alias EpochtalkServerWeb.Helpers.ACL
 
   @doc """
   Used to update a specific `Role`
   """
   def update(conn, attrs) do
-    with id <- Validate.cast(attrs, "id", :integer, min: 1),
+    with {:auth, _user} <- {:auth, Guardian.Plug.current_resource(conn)},
+         :ok <- ACL.allow!(conn, "roles.update"),
+         id <- Validate.cast(attrs, "id", :integer, min: 1),
          # TODO(boka): implement validators
          priority_restrictions <- Validate.sanitize_list(attrs, "priority_restrictions"),
          permissions <- attrs["permissions"],
-         {:auth, _user} <- {:auth, Guardian.Plug.current_resource(conn)},
          {:ok, data} <-
            RolePermission.modify_by_role(%Role{
              id: id,
diff --git a/mix.exs b/mix.exs
@@ -80,14 +80,14 @@ defmodule EpochtalkServer.MixProject do
       "seed.roles": ["run priv/repo/seed_roles.exs"],
       "seed.rp": ["run priv/repo/seed_roles_permissions.exs"],
       "seed.user": ["run priv/repo/seed_user.exs"],
+      "seed.test_users": ["run priv/repo/seed_test_users.exs"],
       test: [
         "ecto.drop",
         "ecto.create --quiet",
         "ecto.migrate --quiet",
         "seed.test_banned_address",
         "seed.all",
-        "seed.user test test@test.com password",
-        "seed.user admin admin@test.com password admin",
+        "seed.test_users",
         "test"
       ]
     ]
diff --git a/priv/repo/seed_test_users.exs b/priv/repo/seed_test_users.exs
@@ -0,0 +1,26 @@
+alias EpochtalkServer.Models.User
+
+test_user_username = "test"
+test_user_email = "test@test.com"
+test_user_password = "password"
+
+test_admin_user_username = "admin"
+test_admin_user_email = "admin@test.com"
+test_admin_user_password = "password"
+test_admin_user_admin = true
+
+User.create(%{username: test_user_username, email: test_user_email, password: test_user_password})
+|> case do
+  {:ok, _} -> IO.puts("Successfully seeded test user")
+  {:error, error} ->
+    IO.puts("Error seeding test user")
+    IO.inspect(error)
+end
+
+User.create(%{username: test_admin_user_username, email: test_admin_user_email, password: test_admin_user_password}, test_admin_user_admin)
+|> case do
+  {:ok, _} -> IO.puts("Successfully seeded test admin user")
+  {:error, error} ->
+    IO.puts("Error seeding test admin user")
+    IO.inspect(error)
+end
diff --git a/test/epochtalk_server_web/controllers/role_controller_test.exs b/test/epochtalk_server_web/controllers/role_controller_test.exs
@@ -1,5 +1,6 @@
 defmodule EpochtalkServerWeb.RoleControllerTest do
   use EpochtalkServerWeb.ConnCase, async: false
+  alias EpochtalkServerWeb.CustomErrors.InvalidPermission
 
   describe "all/2" do
     @tag :authenticated
@@ -43,7 +44,51 @@ defmodule EpochtalkServerWeb.RoleControllerTest do
   end
 
   describe "update/2" do
+    test "errors with unauthorized when not logged", %{conn: conn} do
+      modified_newbie_priority_restrictions = [1, 2, 3]
+
+      new_newbie_permissions_attrs = %{
+        id: 7,
+        permissions: %{
+          adminAccess: %{
+            management: %{
+              bannedAddresses: true
+            }
+          }
+        },
+        priority_restrictions: modified_newbie_priority_restrictions
+      }
+
+      update_conn = put(conn, Routes.role_path(conn, :update), new_newbie_permissions_attrs)
+
+      assert %{"error" => "Unauthorized", "message" => "No resource found", "status" => 401} ==
+               json_response(update_conn, 401)
+    end
+
     @tag :authenticated
+    test "errors with unauthorized when logged in but without correct ACL", %{conn: conn} do
+      modified_newbie_priority_restrictions = [1, 2, 3]
+
+      new_newbie_permissions_attrs = %{
+        id: 7,
+        permissions: %{
+          adminAccess: %{
+            management: %{
+              bannedAddresses: true
+            }
+          }
+        },
+        priority_restrictions: modified_newbie_priority_restrictions
+      }
+
+      assert_raise InvalidPermission,
+                   ~r/^Forbidden, invalid permissions to perform this action/,
+                   fn ->
+                     put(conn, Routes.role_path(conn, :update), new_newbie_permissions_attrs)
+                   end
+    end
+
+    @tag authenticated: :admin
     test "modifies a role's priority_restrictions when authenticated", %{conn: conn} do
       initial_newbie_priority_restrictions = nil
 
@@ -102,7 +147,7 @@ defmodule EpochtalkServerWeb.RoleControllerTest do
       assert nil == modified_newbie["priority_restrictions"]
     end
 
-    @tag :authenticated
+    @tag authenticated: :admin
     test "modifies a role's permissions when authenticated", %{conn: conn} do
       initial_newbie_permissions = %{
         "ads" => %{
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
@@ -25,6 +25,16 @@ defmodule EpochtalkServerWeb.ConnCase do
     password: @test_password
   }
 
+  # admin username/email/password from user seed in `mix test` (see mix.exs)
+  @test_admin_username "admin"
+  @test_admin_email "admin@test.com"
+  @test_admin_password "password"
+  @test_admin_user_attrs %{
+    username: @test_admin_username,
+    email: @test_admin_email,
+    password: @test_admin_password
+  }
+
   use ExUnit.CaseTemplate
 
   using do
@@ -53,6 +63,7 @@ defmodule EpochtalkServerWeb.ConnCase do
     end
 
     {:ok, user} = User.by_username(@test_username)
+    {:ok, admin_user} = User.by_username(@test_admin_username)
     conn = Phoenix.ConnTest.build_conn()
 
     # log user in if necessary
@@ -65,6 +76,16 @@ defmodule EpochtalkServerWeb.ConnCase do
           {:ok,
            conn: authed_conn, authed_user: user, token: token, authed_user_attrs: @test_user_attrs}
 
+        :admin ->
+          remember_me = false
+          {:ok, admin_user, token, authed_conn} = Session.create(admin_user, remember_me, conn)
+
+          {:ok,
+           conn: authed_conn,
+           authed_user: admin_user,
+           token: token,
+           authed_user_attrs: @test_admin_user_attrs}
+
         # :authenticated not set, return default conn
         _ ->
           {:ok, conn: conn, user: user, user_attrs: @test_user_attrs}
