import {Organization} from 'app/gen-server/entity/Organization'; import {HomeDBManager} from 'app/gen-server/lib/homedb/HomeDBManager'; import axios from 'axios'; import {AxiosRequestConfig} from 'axios'; import {assert} from 'chai'; import {TestServer} from 'test/gen-server/apiUtils'; import {configForUser} from 'test/gen-server/testUtils'; import * as testUtils from 'test/server/testUtils'; const previewer = configForUser('thumbnail'); function permit(permitKey: string): AxiosRequestConfig { return { responseType: 'json', validateStatus: (status: number) => true, headers: { Permit: permitKey } }; } describe('previewer', function() { let home: TestServer; let dbManager: HomeDBManager; let homeUrl: string; testUtils.setTmpLogLevel('error'); before(async function() { home = new TestServer(this); await home.start(['home', 'docs']); dbManager = home.dbManager; homeUrl = home.serverUrl; // for these tests, give the previewer an api key. await dbManager.connection.query(`update users set api_key = 'api_key_for_thumbnail' where name = 'Preview'`); }); after(async function() { await home.stop(); }); it('has view access to all orgs', async function() { const resp = await axios.get(`${homeUrl}/api/orgs`, previewer); assert.equal(resp.status, 200); const orgs: any[] = resp.data; assert.lengthOf(orgs, await Organization.count()); orgs.forEach((org: any) => assert.equal(org.access, 'viewers')); }); it('has view access to workspaces and docs', async function() { const oid = await dbManager.testGetId('NASA'); const resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer); assert.equal(resp.status, 200); const workspaces: any[] = resp.data; assert.lengthOf(workspaces, 2); workspaces.forEach((ws: any) => { assert.equal(ws.access, 'viewers'); const docs: any[] = ws.docs; docs.forEach((doc: any) => assert.equal(doc.access, 'viewers')); }); }); it('cannot delete or update docs and workspaces', async function() { const oid = await dbManager.testGetId('NASA'); let resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer); assert.equal(resp.status, 200); const wsId = resp.data[0].id; const docId = resp.data[0].docs[0].id; resp = await axios.get(`${homeUrl}/api/docs/${docId}`, previewer); assert.equal(resp.status, 200); resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, previewer); assert.equal(resp.status, 403); resp = await axios.patch(`${homeUrl}/api/docs/${docId}`, {name: 'diff'}, previewer); assert.equal(resp.status, 403); resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, previewer); assert.equal(resp.status, 200); resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, previewer); assert.equal(resp.status, 403); resp = await axios.patch(`${homeUrl}/api/workspaces/${wsId}`, {name: 'diff'}, previewer); assert.equal(resp.status, 403); }); it('can delete workspaces and docs using permits', async function() { const oid = await dbManager.testGetId('NASA'); let resp = await axios.get(`${homeUrl}/api/orgs/${oid}/workspaces`, previewer); assert.equal(resp.status, 200); const wsId = resp.data[0].id; const docId = resp.data[0].docs[0].id; const store = home.getWorkStore().getPermitStore('internal'); const goodDocPermit = await store.setPermit({docId}); const badDocPermit = await store.setPermit({docId: 'dud'}); const goodWsPermit = await store.setPermit({workspaceId: wsId}); const badWsPermit = await store.setPermit({workspaceId: wsId + 1}); // Check that external store is no good for internal use. const externalStore = home.getWorkStore().getPermitStore('external'); const externalDocPermit = await externalStore.setPermit({docId}); resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(externalDocPermit)); //assert.equal(resp.status, 401); resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(badDocPermit)); assert.equal(resp.status, 403); resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(badDocPermit)); assert.equal(resp.status, 403); resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(goodWsPermit)); assert.equal(resp.status, 403); resp = await axios.get(`${homeUrl}/api/docs/${docId}`, permit(goodDocPermit)); assert.equal(resp.status, 403); resp = await axios.patch(`${homeUrl}/api/docs/${docId}`, {name: 'diff'}, permit(goodDocPermit)); assert.equal(resp.status, 403); resp = await axios.delete(`${homeUrl}/api/docs/${docId}`, permit(goodDocPermit)); assert.equal(resp.status, 200); resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, permit(badWsPermit)); assert.equal(resp.status, 403); resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(badWsPermit)); assert.equal(resp.status, 403); resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(goodDocPermit)); assert.equal(resp.status, 403); resp = await axios.get(`${homeUrl}/api/workspaces/${wsId}`, permit(goodWsPermit)); assert.equal(resp.status, 403); resp = await axios.patch(`${homeUrl}/api/workspaces/${wsId}`, {name: 'diff'}, permit(goodWsPermit)); assert.equal(resp.status, 403); resp = await axios.delete(`${homeUrl}/api/workspaces/${wsId}`, permit(goodWsPermit)); assert.equal(resp.status, 200); }); });