forest_liana 7.8.0 → 8.0.0.beta.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/forest_liana/actions_controller.rb +5 -3
- data/app/controllers/forest_liana/application_controller.rb +15 -0
- data/app/controllers/forest_liana/resources_controller.rb +31 -57
- data/app/controllers/forest_liana/smart_actions_controller.rb +44 -58
- data/app/controllers/forest_liana/stats_controller.rb +14 -58
- data/app/services/forest_liana/ability/exceptions/access_denied.rb +16 -0
- data/app/services/forest_liana/ability/exceptions/action_condition_error.rb +16 -0
- data/app/services/forest_liana/ability/exceptions/require_approval.rb +18 -0
- data/app/services/forest_liana/ability/exceptions/trigger_forbidden.rb +16 -0
- data/app/services/forest_liana/ability/fetch.rb +23 -0
- data/app/services/forest_liana/ability/permission/request_permission.rb +19 -0
- data/app/services/forest_liana/ability/permission/smart_action_checker.rb +71 -0
- data/app/services/forest_liana/ability/permission.rb +148 -0
- data/app/services/forest_liana/ability.rb +24 -0
- data/app/services/forest_liana/filters_parser.rb +7 -7
- data/app/services/forest_liana/leaderboard_stat_getter.rb +7 -7
- data/app/services/forest_liana/line_stat_getter.rb +8 -8
- data/app/services/forest_liana/pie_stat_getter.rb +17 -17
- data/app/services/forest_liana/stat_getter.rb +1 -2
- data/app/services/forest_liana/value_stat_getter.rb +7 -7
- data/lib/forest_liana/bootstrapper.rb +1 -1
- data/lib/forest_liana/version.rb +1 -1
- data/spec/dummy/lib/forest_liana/collections/island.rb +1 -1
- data/spec/requests/actions_controller_spec.rb +3 -4
- data/spec/requests/count_spec.rb +5 -9
- data/spec/requests/resources_spec.rb +55 -11
- data/spec/requests/stats_spec.rb +103 -42
- data/spec/services/forest_liana/ability/ability_spec.rb +48 -0
- data/spec/services/forest_liana/ability/permission/smart_action_checker_spec.rb +357 -0
- data/spec/services/forest_liana/ability/permission_spec.rb +332 -0
- data/spec/services/forest_liana/filters_parser_spec.rb +0 -12
- data/spec/services/forest_liana/line_stat_getter_spec.rb +9 -9
- data/spec/services/forest_liana/pie_stat_getter_spec.rb +7 -7
- data/spec/services/forest_liana/value_stat_getter_spec.rb +11 -11
- data/spec/spec_helper.rb +1 -0
- metadata +33 -17
- data/app/services/forest_liana/permissions_checker.rb +0 -223
- data/app/services/forest_liana/permissions_formatter.rb +0 -52
- data/app/services/forest_liana/permissions_getter.rb +0 -59
- data/spec/services/forest_liana/permissions_checker_acl_disabled_spec.rb +0 -713
- data/spec/services/forest_liana/permissions_checker_acl_enabled_spec.rb +0 -845
- data/spec/services/forest_liana/permissions_checker_live_queries_spec.rb +0 -175
- data/spec/services/forest_liana/permissions_formatter_spec.rb +0 -222
- data/spec/services/forest_liana/permissions_getter_spec.rb +0 -83
@@ -1,713 +0,0 @@
|
|
1
|
-
module ForestLiana
|
2
|
-
describe PermissionsChecker do
|
3
|
-
before(:each) do
|
4
|
-
described_class.empty_cache
|
5
|
-
end
|
6
|
-
|
7
|
-
let(:user) { { 'id' => '1' } }
|
8
|
-
let(:schema) {
|
9
|
-
[
|
10
|
-
ForestLiana::Model::Collection.new({
|
11
|
-
name: 'all_rights_collection',
|
12
|
-
fields: [],
|
13
|
-
actions: [
|
14
|
-
ForestLiana::Model::Action.new({
|
15
|
-
name: 'Test',
|
16
|
-
endpoint: 'forest/actions/Test',
|
17
|
-
http_method: 'POST'
|
18
|
-
}), ForestLiana::Model::Action.new({
|
19
|
-
name: 'TestPut',
|
20
|
-
endpoint: 'forest/actions/Test',
|
21
|
-
http_method: 'PUT'
|
22
|
-
}), ForestLiana::Model::Action.new({
|
23
|
-
name: 'TestRestricted',
|
24
|
-
endpoint: 'forest/actions/TestRestricted',
|
25
|
-
http_method: 'POST'
|
26
|
-
}), ForestLiana::Model::Action.new({
|
27
|
-
name: 'Test Default Values',
|
28
|
-
})
|
29
|
-
]
|
30
|
-
}), ForestLiana::Model::Collection.new({
|
31
|
-
name: 'no_rights_collection',
|
32
|
-
fields: [],
|
33
|
-
actions: [
|
34
|
-
ForestLiana::Model::Action.new({
|
35
|
-
name: 'Test',
|
36
|
-
endpoint: 'forest/actions/Test',
|
37
|
-
http_method: 'POST'
|
38
|
-
})
|
39
|
-
]
|
40
|
-
}), ForestLiana::Model::Collection.new({
|
41
|
-
name: 'custom',
|
42
|
-
fields: [],
|
43
|
-
actions: []
|
44
|
-
})
|
45
|
-
]
|
46
|
-
}
|
47
|
-
let(:default_api_permissions) {
|
48
|
-
{
|
49
|
-
"data" => {
|
50
|
-
"all_rights_collection" => {
|
51
|
-
"collection" => {
|
52
|
-
"list" => true,
|
53
|
-
"show" => true,
|
54
|
-
"create" => true,
|
55
|
-
"update" => true,
|
56
|
-
"delete" => true,
|
57
|
-
"export" => true,
|
58
|
-
"searchToEdit" => true
|
59
|
-
},
|
60
|
-
"actions" => {
|
61
|
-
"Test" => {
|
62
|
-
"allowed" => true,
|
63
|
-
"users" => nil
|
64
|
-
},
|
65
|
-
"TestPut" => {
|
66
|
-
"allowed" => false,
|
67
|
-
"users" => nil
|
68
|
-
},
|
69
|
-
"TestRestricted" => {
|
70
|
-
"allowed" => true,
|
71
|
-
"users" => [1]
|
72
|
-
},
|
73
|
-
"Test Default Values" => {
|
74
|
-
"allowed" => true,
|
75
|
-
"users" => nil
|
76
|
-
},
|
77
|
-
},
|
78
|
-
"segments" => nil
|
79
|
-
},
|
80
|
-
"no_rights_collection" => {
|
81
|
-
"collection" => {
|
82
|
-
"list" => false,
|
83
|
-
"show" => false,
|
84
|
-
"create" => false,
|
85
|
-
"update" => false,
|
86
|
-
"delete" => false,
|
87
|
-
"export" => false,
|
88
|
-
"searchToEdit" => false
|
89
|
-
},
|
90
|
-
"actions" => {
|
91
|
-
"Test" => {
|
92
|
-
"allowed" => false,
|
93
|
-
"users" => nil
|
94
|
-
}
|
95
|
-
},
|
96
|
-
"segments" => nil
|
97
|
-
},
|
98
|
-
},
|
99
|
-
"meta" => {
|
100
|
-
"rolesACLActivated" => false
|
101
|
-
}
|
102
|
-
}
|
103
|
-
}
|
104
|
-
|
105
|
-
before do
|
106
|
-
allow(ForestLiana).to receive(:name_for).and_return(collection_name)
|
107
|
-
allow(ForestLiana).to receive(:apimap).and_return(schema)
|
108
|
-
end
|
109
|
-
|
110
|
-
describe 'handling cache' do
|
111
|
-
let(:collection_name) { 'all_rights_collection' }
|
112
|
-
let(:fake_ressource) { collection_name }
|
113
|
-
let(:default_rendering_id) { 1 }
|
114
|
-
|
115
|
-
context 'when calling twice the same permissions' do
|
116
|
-
before do
|
117
|
-
# clones is called to duplicate the returned value and not use to same (which results in an error
|
118
|
-
# as the permissions is edited through the formatter)
|
119
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering) { default_api_permissions.clone }
|
120
|
-
end
|
121
|
-
|
122
|
-
context 'after expiration time' do
|
123
|
-
before do
|
124
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
125
|
-
# Needed to enforce ENV stub
|
126
|
-
described_class.empty_cache
|
127
|
-
end
|
128
|
-
|
129
|
-
it 'should call the API twice' do
|
130
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
131
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
132
|
-
|
133
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).twice
|
134
|
-
end
|
135
|
-
end
|
136
|
-
|
137
|
-
context 'before expiration time' do
|
138
|
-
it 'should call the API only once' do
|
139
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
140
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
141
|
-
|
142
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).once
|
143
|
-
end
|
144
|
-
end
|
145
|
-
end
|
146
|
-
|
147
|
-
context 'with permissions coming from 2 different renderings' do
|
148
|
-
let(:collection_name) { 'custom' }
|
149
|
-
|
150
|
-
let(:segments_permissions) { nil }
|
151
|
-
let(:api_permissions_rendering_1) {
|
152
|
-
{
|
153
|
-
"data" => {
|
154
|
-
"custom" => {
|
155
|
-
"collection" => {
|
156
|
-
"list" => true,
|
157
|
-
"show" => true,
|
158
|
-
"create" => true,
|
159
|
-
"update" => true,
|
160
|
-
"delete" => true,
|
161
|
-
"export" => true,
|
162
|
-
"searchToEdit" => true
|
163
|
-
},
|
164
|
-
"actions" => { },
|
165
|
-
"segments" => segments_permissions
|
166
|
-
},
|
167
|
-
},
|
168
|
-
"meta" => {
|
169
|
-
"rolesACLActivated" => false
|
170
|
-
}
|
171
|
-
}
|
172
|
-
}
|
173
|
-
let(:api_permissions_rendering_2) {
|
174
|
-
api_permissions_rendering_2 = api_permissions_rendering_1.deep_dup
|
175
|
-
api_permissions_rendering_2['data']['custom']['collection']['export'] = false
|
176
|
-
api_permissions_rendering_2
|
177
|
-
}
|
178
|
-
let(:authorized_to_export_rendering_1) { described_class.new(fake_ressource, 'exportEnabled', 1, user: user).is_authorized? }
|
179
|
-
let(:authorized_to_export_rendering_2) { described_class.new(fake_ressource, 'exportEnabled', 2, user: user).is_authorized? }
|
180
|
-
|
181
|
-
before do
|
182
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering)
|
183
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(1).and_return(api_permissions_rendering_1)
|
184
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(2).and_return(api_permissions_rendering_2)
|
185
|
-
end
|
186
|
-
|
187
|
-
it 'should return 2 different values' do
|
188
|
-
expect(authorized_to_export_rendering_1).to eq true
|
189
|
-
expect(authorized_to_export_rendering_2).to eq false
|
190
|
-
end
|
191
|
-
end
|
192
|
-
end
|
193
|
-
|
194
|
-
context 'renderings cache' do
|
195
|
-
let(:fake_ressource) { collection_name }
|
196
|
-
let(:rendering_id) { 1 }
|
197
|
-
let(:collection_name) { 'custom' }
|
198
|
-
let(:segments_permissions) { { rendering_id => { 'custom' => nil } } }
|
199
|
-
let(:api_permissions) {
|
200
|
-
{
|
201
|
-
"data" => {
|
202
|
-
"custom" => {
|
203
|
-
"collection" => {
|
204
|
-
"list" => true,
|
205
|
-
"show" => true,
|
206
|
-
"create" => true,
|
207
|
-
"update" => true,
|
208
|
-
"delete" => true,
|
209
|
-
"export" => true,
|
210
|
-
"searchToEdit" => true
|
211
|
-
},
|
212
|
-
"actions" => { },
|
213
|
-
"segments" => nil
|
214
|
-
},
|
215
|
-
},
|
216
|
-
"meta" => {
|
217
|
-
"rolesACLActivated" => false
|
218
|
-
}
|
219
|
-
}
|
220
|
-
}
|
221
|
-
let(:api_permissions_rendering_only) {
|
222
|
-
{
|
223
|
-
"data" => {
|
224
|
-
'collections' => { },
|
225
|
-
'renderings' => segments_permissions
|
226
|
-
},
|
227
|
-
"meta" => {
|
228
|
-
"rolesACLActivated" => false
|
229
|
-
}
|
230
|
-
}
|
231
|
-
}
|
232
|
-
|
233
|
-
before do
|
234
|
-
# clones is called to duplicate the returned value and not use to same (which results in an error
|
235
|
-
# as the permissions is edited through the formatter)
|
236
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(rendering_id) { api_permissions.clone }
|
237
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true).and_return(api_permissions_rendering_only)
|
238
|
-
end
|
239
|
-
|
240
|
-
context 'when checking once for authorization' do
|
241
|
-
context 'when checking browseEnabled' do
|
242
|
-
context 'when expiration value is set to its default' do
|
243
|
-
it 'should not call the API to refresh the renderings cache' do
|
244
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
245
|
-
|
246
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
247
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
248
|
-
end
|
249
|
-
end
|
250
|
-
|
251
|
-
context 'when expiration value is set in the past' do
|
252
|
-
before do
|
253
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
254
|
-
# Needed to enforce ENV stub
|
255
|
-
described_class.empty_cache
|
256
|
-
end
|
257
|
-
|
258
|
-
it 'should call the API to refresh the renderings cache' do
|
259
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
260
|
-
|
261
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
262
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true).once
|
263
|
-
end
|
264
|
-
end
|
265
|
-
end
|
266
|
-
|
267
|
-
# Only browse permission requires segments
|
268
|
-
context 'when checking exportEnabled' do
|
269
|
-
context 'when expiration value is set in the past' do
|
270
|
-
before do
|
271
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
272
|
-
# Needed to enforce ENV stub
|
273
|
-
described_class.empty_cache
|
274
|
-
end
|
275
|
-
end
|
276
|
-
|
277
|
-
it 'should NOT call the API to refresh the renderings cache' do
|
278
|
-
described_class.new(fake_ressource, 'exportEnabled', rendering_id, user: user).is_authorized?
|
279
|
-
|
280
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
281
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
282
|
-
end
|
283
|
-
end
|
284
|
-
end
|
285
|
-
|
286
|
-
context 'when checking twice for authorization' do
|
287
|
-
context 'on the same rendering' do
|
288
|
-
context 'when renderings permission has NOT expired' do
|
289
|
-
it 'should NOT call the API to refresh the renderings permissions' do
|
290
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
291
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
292
|
-
|
293
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
294
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
295
|
-
end
|
296
|
-
end
|
297
|
-
|
298
|
-
context 'when renderings permission has expired' do
|
299
|
-
before do
|
300
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
301
|
-
# Needed to enforce ENV stub
|
302
|
-
described_class.empty_cache
|
303
|
-
end
|
304
|
-
|
305
|
-
it 'should call the API to refresh the renderings permissions' do
|
306
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
307
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
308
|
-
|
309
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).twice
|
310
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true).twice
|
311
|
-
end
|
312
|
-
end
|
313
|
-
end
|
314
|
-
|
315
|
-
context 'on two different renderings' do
|
316
|
-
let(:other_rendering_id) { 2 }
|
317
|
-
let(:api_permissions_rendering_only) {
|
318
|
-
{
|
319
|
-
"data" => {
|
320
|
-
'collections' => { },
|
321
|
-
'renderings' => {
|
322
|
-
'2' => { 'custom' => nil }
|
323
|
-
}
|
324
|
-
},
|
325
|
-
"meta" => {
|
326
|
-
"rolesACLActivated" => false
|
327
|
-
}
|
328
|
-
}
|
329
|
-
}
|
330
|
-
let(:api_permissions_copy) { api_permissions.clone }
|
331
|
-
|
332
|
-
before do
|
333
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(other_rendering_id).and_return(api_permissions_copy)
|
334
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(other_rendering_id, rendering_specific_only: true).and_return(api_permissions_rendering_only)
|
335
|
-
end
|
336
|
-
|
337
|
-
it 'should not call the API to refresh the rederings permissions' do
|
338
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
339
|
-
described_class.new(fake_ressource, 'browseEnabled', other_rendering_id, user: user).is_authorized?
|
340
|
-
|
341
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
342
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(other_rendering_id).once
|
343
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
344
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(other_rendering_id, rendering_specific_only: true)
|
345
|
-
end
|
346
|
-
end
|
347
|
-
end
|
348
|
-
end
|
349
|
-
|
350
|
-
describe '#is_authorized?' do
|
351
|
-
# Resource is only used to retrieve the collection name as it's stubbed it does not
|
352
|
-
# need to be defined
|
353
|
-
let(:fake_ressource) { collection_name }
|
354
|
-
let(:default_rendering_id) { 1 }
|
355
|
-
let(:api_permissions) { default_api_permissions }
|
356
|
-
let(:collection_name) { 'all_rights_collection' }
|
357
|
-
|
358
|
-
before do
|
359
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).and_return(api_permissions)
|
360
|
-
end
|
361
|
-
|
362
|
-
context 'when permissions does NOT have rolesACLActivated' do
|
363
|
-
describe 'exportEnabled permission' do
|
364
|
-
subject { described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user) }
|
365
|
-
|
366
|
-
context 'when user has the required permission' do
|
367
|
-
it 'should be authorized' do
|
368
|
-
expect(subject.is_authorized?).to be true
|
369
|
-
end
|
370
|
-
end
|
371
|
-
|
372
|
-
context 'when user has not the required permission' do
|
373
|
-
let(:collection_name) { 'no_rights_collection' }
|
374
|
-
|
375
|
-
it 'should NOT be authorized' do
|
376
|
-
expect(subject.is_authorized?).to be false
|
377
|
-
end
|
378
|
-
end
|
379
|
-
end
|
380
|
-
|
381
|
-
describe 'browseEnabled permission' do
|
382
|
-
let(:collection_name) { 'custom' }
|
383
|
-
subject { described_class.new(fake_ressource, 'browseEnabled', default_rendering_id, user: user) }
|
384
|
-
let(:segments_permissions) { nil }
|
385
|
-
let(:default_api_permissions) {
|
386
|
-
{
|
387
|
-
"data" => {
|
388
|
-
"custom" => {
|
389
|
-
"collection" => collection_permissions,
|
390
|
-
"actions" => { },
|
391
|
-
"segments" => segments_permissions
|
392
|
-
},
|
393
|
-
},
|
394
|
-
"meta" => {
|
395
|
-
"rolesACLActivated" => false
|
396
|
-
}
|
397
|
-
}
|
398
|
-
}
|
399
|
-
|
400
|
-
context 'when user has list permission' do
|
401
|
-
let(:collection_permissions) {
|
402
|
-
{
|
403
|
-
"list" => true,
|
404
|
-
"show" => false,
|
405
|
-
"create" => false,
|
406
|
-
"update" => false,
|
407
|
-
"delete" => false,
|
408
|
-
"export" => false,
|
409
|
-
"searchToEdit" => false
|
410
|
-
}
|
411
|
-
}
|
412
|
-
|
413
|
-
it 'should be authorized' do
|
414
|
-
expect(subject.is_authorized?).to be true
|
415
|
-
end
|
416
|
-
end
|
417
|
-
|
418
|
-
context 'when user has searchToEdit permission' do
|
419
|
-
let(:collection_permissions) {
|
420
|
-
{
|
421
|
-
"list" => false,
|
422
|
-
"show" => false,
|
423
|
-
"create" => false,
|
424
|
-
"update" => false,
|
425
|
-
"delete" => false,
|
426
|
-
"export" => false,
|
427
|
-
"searchToEdit" => true
|
428
|
-
}
|
429
|
-
}
|
430
|
-
|
431
|
-
it 'should be authorized' do
|
432
|
-
expect(subject.is_authorized?).to be true
|
433
|
-
end
|
434
|
-
end
|
435
|
-
|
436
|
-
context 'when user has not the list nor the searchToEdit permission' do
|
437
|
-
let(:collection_permissions) {
|
438
|
-
{
|
439
|
-
"list" => false,
|
440
|
-
"show" => false,
|
441
|
-
"create" => false,
|
442
|
-
"update" => false,
|
443
|
-
"delete" => false,
|
444
|
-
"export" => false,
|
445
|
-
"searchToEdit" => false
|
446
|
-
}
|
447
|
-
}
|
448
|
-
|
449
|
-
it 'should be NOT authorized' do
|
450
|
-
expect(subject.is_authorized?).to be false
|
451
|
-
end
|
452
|
-
end
|
453
|
-
|
454
|
-
context 'when providing collection_list_parameters' do
|
455
|
-
let(:collection_permissions) {
|
456
|
-
{
|
457
|
-
"list" => true,
|
458
|
-
"show" => false,
|
459
|
-
"create" => false,
|
460
|
-
"update" => false,
|
461
|
-
"delete" => false,
|
462
|
-
"export" => false,
|
463
|
-
"searchToEdit" => false
|
464
|
-
}
|
465
|
-
}
|
466
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :filters => nil } }
|
467
|
-
|
468
|
-
subject {
|
469
|
-
described_class.new(
|
470
|
-
fake_ressource,
|
471
|
-
'browseEnabled',
|
472
|
-
default_rendering_id,
|
473
|
-
user: user,
|
474
|
-
collection_list_parameters: collection_list_parameters
|
475
|
-
)
|
476
|
-
}
|
477
|
-
|
478
|
-
context 'when user has the required permission' do
|
479
|
-
it 'should be authorized' do
|
480
|
-
expect(subject.is_authorized?).to be true
|
481
|
-
end
|
482
|
-
end
|
483
|
-
|
484
|
-
context 'when user has no segments and param segmentQuery is there' do
|
485
|
-
let(:segmentQuery) { 'SELECT * FROM products;' }
|
486
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :segmentQuery => segmentQuery } }
|
487
|
-
it 'should be authorized' do
|
488
|
-
expect(subject.is_authorized?).to be false
|
489
|
-
end
|
490
|
-
end
|
491
|
-
|
492
|
-
context 'when segments are defined' do
|
493
|
-
let(:segments_permissions) { ['SELECT * FROM products;', 'SELECT * FROM sellers;'] }
|
494
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :segmentQuery => segmentQuery } }
|
495
|
-
|
496
|
-
context 'when segments are passing validation' do
|
497
|
-
let(:segmentQuery) { 'SELECT * FROM products;' }
|
498
|
-
it 'should return true' do
|
499
|
-
expect(subject.is_authorized?).to be true
|
500
|
-
end
|
501
|
-
end
|
502
|
-
|
503
|
-
context 'when segments are NOT passing validation' do
|
504
|
-
let(:segmentQuery) { 'SELECT * FROM rockets WHERE name = "Starship";' }
|
505
|
-
it 'should return false' do
|
506
|
-
expect(subject.is_authorized?).to be false
|
507
|
-
end
|
508
|
-
end
|
509
|
-
|
510
|
-
context 'when received union segments NOT passing validation' do
|
511
|
-
let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
|
512
|
-
it 'should return false' do
|
513
|
-
expect(subject.is_authorized?).to be false
|
514
|
-
end
|
515
|
-
end
|
516
|
-
|
517
|
-
context 'when received union segments passing validation' do
|
518
|
-
let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT * FROM products' }
|
519
|
-
it 'should return true' do
|
520
|
-
expect(subject.is_authorized?).to be true
|
521
|
-
end
|
522
|
-
end
|
523
|
-
context 'when received union segments with UNION inside passing validation' do
|
524
|
-
let(:segmentQuery) { 'SELECT COUNT(*) AS value FROM products/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
|
525
|
-
let(:segments_permissions) { ['SELECT COUNT(*) AS value FROM products;', 'SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2;', 'SELECT * FROM products;', 'SELECT * FROM sellers;'] }
|
526
|
-
it 'should return true' do
|
527
|
-
expect(subject.is_authorized?).to be true
|
528
|
-
end
|
529
|
-
end
|
530
|
-
end
|
531
|
-
|
532
|
-
context 'when user has not the required permission' do
|
533
|
-
let(:collection_permissions) {
|
534
|
-
{
|
535
|
-
"list" => false,
|
536
|
-
"show" => false,
|
537
|
-
"create" => false,
|
538
|
-
"update" => false,
|
539
|
-
"delete" => false,
|
540
|
-
"export" => false,
|
541
|
-
"searchToEdit" => false
|
542
|
-
}
|
543
|
-
}
|
544
|
-
|
545
|
-
it 'should NOT be authorized' do
|
546
|
-
expect(subject.is_authorized?).to be false
|
547
|
-
end
|
548
|
-
end
|
549
|
-
end
|
550
|
-
end
|
551
|
-
|
552
|
-
describe 'readEnabled permission' do
|
553
|
-
subject { described_class.new(fake_ressource, 'readEnabled', default_rendering_id, user: user) }
|
554
|
-
|
555
|
-
context 'when user has the required permission' do
|
556
|
-
it 'should be authorized' do
|
557
|
-
expect(subject.is_authorized?).to be true
|
558
|
-
end
|
559
|
-
end
|
560
|
-
|
561
|
-
context 'when user has not the required permission' do
|
562
|
-
let(:collection_name) { 'no_rights_collection' }
|
563
|
-
|
564
|
-
it 'should NOT be authorized' do
|
565
|
-
expect(subject.is_authorized?).to be false
|
566
|
-
end
|
567
|
-
end
|
568
|
-
end
|
569
|
-
|
570
|
-
describe 'addEnabled permission' do
|
571
|
-
subject { described_class.new(fake_ressource, 'addEnabled', default_rendering_id, user: user) }
|
572
|
-
|
573
|
-
context 'when user has the required permission' do
|
574
|
-
it 'should be authorized' do
|
575
|
-
expect(subject.is_authorized?).to be true
|
576
|
-
end
|
577
|
-
end
|
578
|
-
|
579
|
-
context 'when user has not the required permission' do
|
580
|
-
let(:collection_name) { 'no_rights_collection' }
|
581
|
-
|
582
|
-
it 'should NOT be authorized' do
|
583
|
-
expect(subject.is_authorized?).to be false
|
584
|
-
end
|
585
|
-
end
|
586
|
-
end
|
587
|
-
|
588
|
-
describe 'editEnabled permission' do
|
589
|
-
subject { described_class.new(fake_ressource, 'editEnabled', default_rendering_id, user: user) }
|
590
|
-
|
591
|
-
context 'when user has the required permission' do
|
592
|
-
it 'should be authorized' do
|
593
|
-
expect(subject.is_authorized?).to be true
|
594
|
-
end
|
595
|
-
end
|
596
|
-
|
597
|
-
context 'when user has not the required permission' do
|
598
|
-
let(:collection_name) { 'no_rights_collection' }
|
599
|
-
|
600
|
-
it 'should NOT be authorized' do
|
601
|
-
expect(subject.is_authorized?).to be false
|
602
|
-
end
|
603
|
-
end
|
604
|
-
end
|
605
|
-
|
606
|
-
describe 'deleteEnabled permission' do
|
607
|
-
subject { described_class.new(fake_ressource, 'deleteEnabled', default_rendering_id, user: user) }
|
608
|
-
|
609
|
-
context 'when user has the required permission' do
|
610
|
-
it 'should be authorized' do
|
611
|
-
expect(subject.is_authorized?).to be true
|
612
|
-
end
|
613
|
-
end
|
614
|
-
|
615
|
-
context 'when user has not the required permission' do
|
616
|
-
let(:collection_name) { 'no_rights_collection' }
|
617
|
-
|
618
|
-
it 'should NOT be authorized' do
|
619
|
-
expect(subject.is_authorized?).to be false
|
620
|
-
end
|
621
|
-
end
|
622
|
-
end
|
623
|
-
|
624
|
-
describe 'actions permission' do
|
625
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'POST' } }
|
626
|
-
subject {
|
627
|
-
described_class.new(
|
628
|
-
fake_ressource,
|
629
|
-
'actions',
|
630
|
-
default_rendering_id,
|
631
|
-
user: user,
|
632
|
-
smart_action_request_info: smart_action_request_info
|
633
|
-
)
|
634
|
-
}
|
635
|
-
|
636
|
-
context 'when user has the required permission' do
|
637
|
-
|
638
|
-
it 'should be authorized' do
|
639
|
-
expect(subject.is_authorized?).to be true
|
640
|
-
end
|
641
|
-
end
|
642
|
-
|
643
|
-
context 'when user has not the required permission' do
|
644
|
-
let(:collection_name) { 'no_rights_collection' }
|
645
|
-
|
646
|
-
it 'should NOT be authorized' do
|
647
|
-
expect(subject.is_authorized?).to be false
|
648
|
-
end
|
649
|
-
end
|
650
|
-
|
651
|
-
context 'when endpoint is missing from smart action parameters' do
|
652
|
-
let(:smart_action_request_info) { { http_method: 'POST' } }
|
653
|
-
|
654
|
-
it 'user should NOT be authorized' do
|
655
|
-
expect(subject.is_authorized?).to be false
|
656
|
-
end
|
657
|
-
end
|
658
|
-
|
659
|
-
context 'when http_method is missing from smart action parameters' do
|
660
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test' } }
|
661
|
-
|
662
|
-
it 'user should NOT be authorized' do
|
663
|
-
expect(subject.is_authorized?).to be false
|
664
|
-
end
|
665
|
-
end
|
666
|
-
|
667
|
-
context 'when the provided endpoint is not part of the schema' do
|
668
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'DELETE' } }
|
669
|
-
|
670
|
-
it 'user should NOT be authorized' do
|
671
|
-
expect(subject.is_authorized?).to be false
|
672
|
-
end
|
673
|
-
end
|
674
|
-
|
675
|
-
context 'when the action permissions contains a list of user ids' do
|
676
|
-
context 'when user id is NOT part of the authorized users' do
|
677
|
-
let(:user) { { 'id' => '2' } }
|
678
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/TestRestricted', http_method: 'POST' } }
|
679
|
-
|
680
|
-
it 'user should NOT be authorized' do
|
681
|
-
expect(subject.is_authorized?).to be false
|
682
|
-
end
|
683
|
-
end
|
684
|
-
|
685
|
-
context 'when user id is part of the authorized users' do
|
686
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/TestRestricted', http_method: 'POST' } }
|
687
|
-
|
688
|
-
it 'user should be authorized' do
|
689
|
-
expect(subject.is_authorized?).to be true
|
690
|
-
end
|
691
|
-
end
|
692
|
-
end
|
693
|
-
|
694
|
-
context 'when the action has been created with default http endpoint and method in the schema' do
|
695
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/test-default-values', http_method: 'POST' } }
|
696
|
-
|
697
|
-
it 'user should be authorized' do
|
698
|
-
expect(subject.is_authorized?).to be true
|
699
|
-
end
|
700
|
-
end
|
701
|
-
|
702
|
-
context 'when the action has the same enpoint as an other' do
|
703
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'PUT' } }
|
704
|
-
|
705
|
-
it 'user should NOT be authorized' do
|
706
|
-
expect(subject.is_authorized?).to be false
|
707
|
-
end
|
708
|
-
end
|
709
|
-
end
|
710
|
-
end
|
711
|
-
end
|
712
|
-
end
|
713
|
-
end
|