forest_liana 7.8.0 → 8.0.0.beta.2
- checksums.yaml +4 -4
- data/app/controllers/forest_liana/actions_controller.rb +5 -3
- data/app/controllers/forest_liana/application_controller.rb +15 -0
- data/app/controllers/forest_liana/resources_controller.rb +31 -57
- data/app/controllers/forest_liana/smart_actions_controller.rb +44 -58
- data/app/controllers/forest_liana/stats_controller.rb +14 -58
- data/app/services/forest_liana/ability/exceptions/access_denied.rb +16 -0
- data/app/services/forest_liana/ability/exceptions/action_condition_error.rb +16 -0
- data/app/services/forest_liana/ability/exceptions/require_approval.rb +18 -0
- data/app/services/forest_liana/ability/exceptions/trigger_forbidden.rb +16 -0
- data/app/services/forest_liana/ability/fetch.rb +23 -0
- data/app/services/forest_liana/ability/permission/request_permission.rb +19 -0
- data/app/services/forest_liana/ability/permission/smart_action_checker.rb +71 -0
- data/app/services/forest_liana/ability/permission.rb +148 -0
- data/app/services/forest_liana/ability.rb +24 -0
- data/app/services/forest_liana/filters_parser.rb +7 -7
- data/app/services/forest_liana/leaderboard_stat_getter.rb +7 -7
- data/app/services/forest_liana/line_stat_getter.rb +8 -8
- data/app/services/forest_liana/pie_stat_getter.rb +17 -17
- data/app/services/forest_liana/stat_getter.rb +1 -2
- data/app/services/forest_liana/value_stat_getter.rb +7 -7
- data/lib/forest_liana/bootstrapper.rb +1 -1
- data/lib/forest_liana/version.rb +1 -1
- data/spec/dummy/lib/forest_liana/collections/island.rb +1 -1
- data/spec/requests/actions_controller_spec.rb +3 -4
- data/spec/requests/count_spec.rb +5 -9
- data/spec/requests/resources_spec.rb +55 -11
- data/spec/requests/stats_spec.rb +103 -42
- data/spec/services/forest_liana/ability/ability_spec.rb +48 -0
- data/spec/services/forest_liana/ability/permission/smart_action_checker_spec.rb +357 -0
- data/spec/services/forest_liana/ability/permission_spec.rb +332 -0
- data/spec/services/forest_liana/filters_parser_spec.rb +0 -12
- data/spec/services/forest_liana/line_stat_getter_spec.rb +9 -9
- data/spec/services/forest_liana/pie_stat_getter_spec.rb +7 -7
- data/spec/services/forest_liana/value_stat_getter_spec.rb +11 -11
- data/spec/spec_helper.rb +1 -0
- metadata +33 -17
- data/app/services/forest_liana/permissions_checker.rb +0 -223
- data/app/services/forest_liana/permissions_formatter.rb +0 -52
- data/app/services/forest_liana/permissions_getter.rb +0 -59
- data/spec/services/forest_liana/permissions_checker_acl_disabled_spec.rb +0 -713
- data/spec/services/forest_liana/permissions_checker_acl_enabled_spec.rb +0 -845
- data/spec/services/forest_liana/permissions_checker_live_queries_spec.rb +0 -175
- data/spec/services/forest_liana/permissions_formatter_spec.rb +0 -222
- data/spec/services/forest_liana/permissions_getter_spec.rb +0 -83
@@ -1,845 +0,0 @@
|
|
1
|
-
module ForestLiana
|
2
|
-
describe PermissionsChecker do
|
3
|
-
before(:each) do
|
4
|
-
described_class.empty_cache
|
5
|
-
end
|
6
|
-
|
7
|
-
let(:user) { { 'id' => '1' } }
|
8
|
-
let(:schema) {
|
9
|
-
[
|
10
|
-
ForestLiana::Model::Collection.new({
|
11
|
-
name: 'all_rights_collection_boolean',
|
12
|
-
fields: [],
|
13
|
-
actions: [
|
14
|
-
ForestLiana::Model::Action.new({
|
15
|
-
name: 'Test',
|
16
|
-
endpoint: 'forest/actions/Test',
|
17
|
-
http_method: 'POST'
|
18
|
-
})
|
19
|
-
]
|
20
|
-
}), ForestLiana::Model::Collection.new({
|
21
|
-
name: 'no_rights_collection_boolean',
|
22
|
-
fields: [],
|
23
|
-
actions: [
|
24
|
-
ForestLiana::Model::Action.new({
|
25
|
-
name: 'Test',
|
26
|
-
endpoint: 'forest/actions/Test',
|
27
|
-
http_method: 'POST'
|
28
|
-
})
|
29
|
-
]
|
30
|
-
}), ForestLiana::Model::Collection.new({
|
31
|
-
name: 'all_rights_collection_user_list',
|
32
|
-
fields: [],
|
33
|
-
actions: [
|
34
|
-
ForestLiana::Model::Action.new({
|
35
|
-
name: 'Test',
|
36
|
-
endpoint: 'forest/actions/Test',
|
37
|
-
http_method: 'POST'
|
38
|
-
})
|
39
|
-
]
|
40
|
-
}), ForestLiana::Model::Collection.new({
|
41
|
-
name: 'no_rights_collection_user_list',
|
42
|
-
fields: [],
|
43
|
-
actions: [
|
44
|
-
ForestLiana::Model::Action.new({
|
45
|
-
name: 'Test',
|
46
|
-
endpoint: 'forest/actions/Test',
|
47
|
-
http_method: 'POST'
|
48
|
-
})
|
49
|
-
]
|
50
|
-
})
|
51
|
-
]
|
52
|
-
}
|
53
|
-
let(:default_rendering_id) { 1 }
|
54
|
-
let(:segments_permissions) { { default_rendering_id => { 'segments' => nil } } }
|
55
|
-
let(:default_api_permissions) {
|
56
|
-
{
|
57
|
-
"data" => {
|
58
|
-
'collections' => {
|
59
|
-
"all_rights_collection_boolean" => {
|
60
|
-
"collection" => {
|
61
|
-
"browseEnabled" => true,
|
62
|
-
"readEnabled" => true,
|
63
|
-
"editEnabled" => true,
|
64
|
-
"addEnabled" => true,
|
65
|
-
"deleteEnabled" => true,
|
66
|
-
"exportEnabled" => true
|
67
|
-
},
|
68
|
-
"actions" => {
|
69
|
-
"Test" => {
|
70
|
-
"triggerEnabled" => true
|
71
|
-
},
|
72
|
-
}
|
73
|
-
},
|
74
|
-
"all_rights_collection_user_list" => {
|
75
|
-
"collection" => {
|
76
|
-
"browseEnabled" => [1],
|
77
|
-
"readEnabled" => [1],
|
78
|
-
"editEnabled" => [1],
|
79
|
-
"addEnabled" => [1],
|
80
|
-
"deleteEnabled" => [1],
|
81
|
-
"exportEnabled" => [1]
|
82
|
-
},
|
83
|
-
"actions" => {
|
84
|
-
"Test" => {
|
85
|
-
"triggerEnabled" => [1]
|
86
|
-
},
|
87
|
-
}
|
88
|
-
},
|
89
|
-
"no_rights_collection_boolean" => {
|
90
|
-
"collection" => {
|
91
|
-
"browseEnabled" => false,
|
92
|
-
"readEnabled" => false,
|
93
|
-
"editEnabled" => false,
|
94
|
-
"addEnabled" => false,
|
95
|
-
"deleteEnabled" => false,
|
96
|
-
"exportEnabled" => false
|
97
|
-
},
|
98
|
-
"actions" => {
|
99
|
-
"Test" => {
|
100
|
-
"triggerEnabled" => false
|
101
|
-
},
|
102
|
-
}
|
103
|
-
},
|
104
|
-
"no_rights_collection_user_list" => {
|
105
|
-
"collection" => {
|
106
|
-
"browseEnabled" => [],
|
107
|
-
"readEnabled" => [],
|
108
|
-
"editEnabled" => [],
|
109
|
-
"addEnabled" => [],
|
110
|
-
"deleteEnabled" => [],
|
111
|
-
"exportEnabled" => []
|
112
|
-
},
|
113
|
-
"actions" => {
|
114
|
-
"Test" => {
|
115
|
-
"triggerEnabled" => []
|
116
|
-
},
|
117
|
-
}
|
118
|
-
},
|
119
|
-
},
|
120
|
-
'renderings' => segments_permissions
|
121
|
-
},
|
122
|
-
"stats" => {
|
123
|
-
"queries"=>[],
|
124
|
-
},
|
125
|
-
"meta" => {
|
126
|
-
"rolesACLActivated" => true
|
127
|
-
}
|
128
|
-
}
|
129
|
-
}
|
130
|
-
|
131
|
-
before do
|
132
|
-
allow(ForestLiana).to receive(:apimap).and_return(schema)
|
133
|
-
allow(ForestLiana).to receive(:name_for).and_return(collection_name)
|
134
|
-
end
|
135
|
-
|
136
|
-
describe 'handling cache' do
|
137
|
-
let(:collection_name) { 'all_rights_collection_boolean' }
|
138
|
-
let(:fake_ressource) { collection_name }
|
139
|
-
let(:default_rendering_id) { 1 }
|
140
|
-
|
141
|
-
context 'collections cache' do
|
142
|
-
context 'when calling twice the same permissions' do
|
143
|
-
before do
|
144
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).and_return(default_api_permissions)
|
145
|
-
end
|
146
|
-
|
147
|
-
context 'after expiration time' do
|
148
|
-
before do
|
149
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
150
|
-
# Needed to enforce ENV stub
|
151
|
-
described_class.empty_cache
|
152
|
-
end
|
153
|
-
|
154
|
-
it 'should call the API twice' do
|
155
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
156
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
157
|
-
|
158
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).twice
|
159
|
-
end
|
160
|
-
end
|
161
|
-
|
162
|
-
context 'before expiration time' do
|
163
|
-
it 'should call the API only once' do
|
164
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
165
|
-
described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user).is_authorized?
|
166
|
-
|
167
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).once
|
168
|
-
end
|
169
|
-
end
|
170
|
-
end
|
171
|
-
|
172
|
-
context 'with permissions coming from 2 different renderings' do
|
173
|
-
before do
|
174
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering)
|
175
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(1).and_return(api_permissions_rendering_1)
|
176
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(2).and_return(api_permissions_rendering_2)
|
177
|
-
end
|
178
|
-
|
179
|
-
let(:collection_name) { 'custom' }
|
180
|
-
let(:segments_permissions) { { default_rendering_id => { 'custom' => nil }, 2 => { 'custom' => nil } } }
|
181
|
-
let(:api_permissions_rendering_1) {
|
182
|
-
{
|
183
|
-
"data" => {
|
184
|
-
'collections' => {
|
185
|
-
"custom" => {
|
186
|
-
"collection" => {
|
187
|
-
"browseEnabled" => false,
|
188
|
-
"readEnabled" => true,
|
189
|
-
"editEnabled" => true,
|
190
|
-
"addEnabled" => true,
|
191
|
-
"deleteEnabled" => true,
|
192
|
-
"exportEnabled" => true
|
193
|
-
},
|
194
|
-
"actions" => { }
|
195
|
-
},
|
196
|
-
},
|
197
|
-
'renderings' => segments_permissions
|
198
|
-
},
|
199
|
-
"meta" => {
|
200
|
-
"rolesACLActivated" => true
|
201
|
-
}
|
202
|
-
}
|
203
|
-
}
|
204
|
-
let(:api_permissions_rendering_2) {
|
205
|
-
api_permissions_rendering_2 = api_permissions_rendering_1.deep_dup
|
206
|
-
api_permissions_rendering_2['data']['collections']['custom']['collection']['exportEnabled'] = false
|
207
|
-
api_permissions_rendering_2['data']['collections']['custom']['collection']['browseEnabled'] = true
|
208
|
-
api_permissions_rendering_2
|
209
|
-
}
|
210
|
-
|
211
|
-
context 'when the first call is authorized' do
|
212
|
-
let(:authorized_to_export_rendering_1) { described_class.new(fake_ressource, 'exportEnabled', 1, user: user).is_authorized? }
|
213
|
-
let(:authorized_to_export_rendering_2) { described_class.new(fake_ressource, 'exportEnabled', 2, user: user).is_authorized? }
|
214
|
-
|
215
|
-
# Even if the value are different, the permissions are cross rendering thus another call
|
216
|
-
# to the api wont be made until the permission expires
|
217
|
-
it 'should return the same value' do
|
218
|
-
expect(authorized_to_export_rendering_1).to eq true
|
219
|
-
expect(authorized_to_export_rendering_2).to eq true
|
220
|
-
end
|
221
|
-
|
222
|
-
it 'should call the API only once' do
|
223
|
-
authorized_to_export_rendering_1
|
224
|
-
authorized_to_export_rendering_2
|
225
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).once
|
226
|
-
end
|
227
|
-
end
|
228
|
-
|
229
|
-
# If not authorized the cached version is not used
|
230
|
-
context 'when the first call is not authorized' do
|
231
|
-
let(:authorized_to_export_rendering_1) { described_class.new(fake_ressource, 'browseEnabled', 1, user: user).is_authorized? }
|
232
|
-
let(:authorized_to_export_rendering_2) { described_class.new(fake_ressource, 'browseEnabled', 2, user: user).is_authorized? }
|
233
|
-
|
234
|
-
it 'should return different value' do
|
235
|
-
expect(authorized_to_export_rendering_1).to eq false
|
236
|
-
expect(authorized_to_export_rendering_2).to eq true
|
237
|
-
end
|
238
|
-
|
239
|
-
it 'should call the API twice' do
|
240
|
-
authorized_to_export_rendering_1
|
241
|
-
authorized_to_export_rendering_2
|
242
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).twice
|
243
|
-
end
|
244
|
-
end
|
245
|
-
end
|
246
|
-
end
|
247
|
-
|
248
|
-
context 'renderings cache' do
|
249
|
-
let(:rendering_id) { 1 }
|
250
|
-
let(:collection_name) { 'custom' }
|
251
|
-
let(:segments_permissions) { { rendering_id => { 'custom' => nil } } }
|
252
|
-
let(:api_permissions) {
|
253
|
-
{
|
254
|
-
"data" => {
|
255
|
-
'collections' => {
|
256
|
-
"custom" => {
|
257
|
-
"collection" => {
|
258
|
-
"browseEnabled" => true,
|
259
|
-
"readEnabled" => true,
|
260
|
-
"editEnabled" => true,
|
261
|
-
"addEnabled" => true,
|
262
|
-
"deleteEnabled" => true,
|
263
|
-
"exportEnabled" => true
|
264
|
-
},
|
265
|
-
"actions" => { }
|
266
|
-
},
|
267
|
-
},
|
268
|
-
'renderings' => segments_permissions
|
269
|
-
},
|
270
|
-
"meta" => {
|
271
|
-
"rolesACLActivated" => true
|
272
|
-
}
|
273
|
-
}
|
274
|
-
}
|
275
|
-
let(:api_permissions_rendering_only) {
|
276
|
-
{
|
277
|
-
"data" => {
|
278
|
-
'collections' => { },
|
279
|
-
'renderings' => segments_permissions
|
280
|
-
},
|
281
|
-
"meta" => {
|
282
|
-
"rolesACLActivated" => true
|
283
|
-
}
|
284
|
-
}
|
285
|
-
}
|
286
|
-
|
287
|
-
before do
|
288
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(rendering_id).and_return(api_permissions)
|
289
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true).and_return(api_permissions_rendering_only)
|
290
|
-
end
|
291
|
-
|
292
|
-
context 'when checking once for authorization' do
|
293
|
-
context 'when checking browseEnabled' do
|
294
|
-
context 'when expiration value is set to its default' do
|
295
|
-
it 'should not call the API to refresh the renderings cache' do
|
296
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
297
|
-
|
298
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
299
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
300
|
-
end
|
301
|
-
end
|
302
|
-
|
303
|
-
context 'when expiration value is set in the past' do
|
304
|
-
before do
|
305
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
306
|
-
# Needed to enforce ENV stub
|
307
|
-
described_class.empty_cache
|
308
|
-
end
|
309
|
-
|
310
|
-
it 'should call the API to refresh the renderings cache' do
|
311
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
312
|
-
|
313
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
314
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true).once
|
315
|
-
end
|
316
|
-
end
|
317
|
-
end
|
318
|
-
|
319
|
-
# Only browse permission requires segments
|
320
|
-
context 'when checking exportEnabled' do
|
321
|
-
context 'when expiration value is set in the past' do
|
322
|
-
before do
|
323
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
324
|
-
# Needed to enforce ENV stub
|
325
|
-
described_class.empty_cache
|
326
|
-
end
|
327
|
-
end
|
328
|
-
|
329
|
-
it 'should NOT call the API to refresh the rendering cache' do
|
330
|
-
described_class.new(fake_ressource, 'exportEnabled', rendering_id, user: user).is_authorized?
|
331
|
-
|
332
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
333
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
334
|
-
end
|
335
|
-
end
|
336
|
-
end
|
337
|
-
|
338
|
-
context 'when checking twice for authorization' do
|
339
|
-
context 'on the same rendering' do
|
340
|
-
context 'when rendering permission has NOT expired' do
|
341
|
-
it 'should NOT call the API to refresh the rendering permissions' do
|
342
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
343
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
344
|
-
|
345
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
346
|
-
expect(ForestLiana::PermissionsGetter).not_to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true)
|
347
|
-
end
|
348
|
-
end
|
349
|
-
|
350
|
-
context 'when renderings permission has expired' do
|
351
|
-
before do
|
352
|
-
allow(ENV).to receive(:[]).with('FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS').and_return('-1')
|
353
|
-
# Needed to enforce ENV stub
|
354
|
-
described_class.empty_cache
|
355
|
-
end
|
356
|
-
|
357
|
-
it 'should call the API to refresh the rendering permissions' do
|
358
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
359
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
360
|
-
|
361
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).twice
|
362
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id, rendering_specific_only: true).twice
|
363
|
-
end
|
364
|
-
end
|
365
|
-
end
|
366
|
-
|
367
|
-
context 'on two different renderings' do
|
368
|
-
let(:other_rendering_id) { 2 }
|
369
|
-
let(:api_permissions_rendering_only) {
|
370
|
-
{
|
371
|
-
"data" => {
|
372
|
-
'collections' => { },
|
373
|
-
'renderings' => {
|
374
|
-
other_rendering_id => { 'custom' => nil }
|
375
|
-
}
|
376
|
-
},
|
377
|
-
"stats" => {
|
378
|
-
"somestats" => [],
|
379
|
-
},
|
380
|
-
"meta" => {
|
381
|
-
"rolesACLActivated" => true
|
382
|
-
}
|
383
|
-
}
|
384
|
-
}
|
385
|
-
|
386
|
-
before do
|
387
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).with(other_rendering_id, rendering_specific_only: true).and_return(api_permissions_rendering_only)
|
388
|
-
end
|
389
|
-
|
390
|
-
it 'should call the API to refresh the rendering permissions' do
|
391
|
-
described_class.new(fake_ressource, 'browseEnabled', rendering_id, user: user).is_authorized?
|
392
|
-
described_class.new(fake_ressource, 'browseEnabled', other_rendering_id, user: user).is_authorized?
|
393
|
-
|
394
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(rendering_id).once
|
395
|
-
expect(ForestLiana::PermissionsGetter).to have_received(:get_permissions_for_rendering).with(other_rendering_id, rendering_specific_only: true).once
|
396
|
-
end
|
397
|
-
end
|
398
|
-
end
|
399
|
-
end
|
400
|
-
end
|
401
|
-
|
402
|
-
describe '#is_authorized?' do
|
403
|
-
# Resource is only used to retrieve the collection name as it's stub it does not
|
404
|
-
# need to be defined
|
405
|
-
let(:fake_ressource) { collection_name }
|
406
|
-
let(:default_rendering_id) { nil }
|
407
|
-
let(:api_permissions) { default_api_permissions }
|
408
|
-
|
409
|
-
before do
|
410
|
-
allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).and_return(api_permissions)
|
411
|
-
end
|
412
|
-
|
413
|
-
context 'when permissions have rolesACLActivated' do
|
414
|
-
context 'with true/false permission values' do
|
415
|
-
let(:collection_name) { 'all_rights_collection_boolean' }
|
416
|
-
|
417
|
-
describe 'exportEnabled permission' do
|
418
|
-
subject { described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user) }
|
419
|
-
|
420
|
-
context 'when user has the required permission' do
|
421
|
-
it 'should be authorized' do
|
422
|
-
expect(subject.is_authorized?).to be true
|
423
|
-
end
|
424
|
-
end
|
425
|
-
|
426
|
-
context 'when user has not the required permission' do
|
427
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
428
|
-
|
429
|
-
it 'should NOT be authorized' do
|
430
|
-
expect(subject.is_authorized?).to be false
|
431
|
-
end
|
432
|
-
end
|
433
|
-
end
|
434
|
-
|
435
|
-
describe 'browseEnbled permission' do
|
436
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :filters => nil } }
|
437
|
-
subject {
|
438
|
-
described_class.new(
|
439
|
-
fake_ressource,
|
440
|
-
'browseEnabled',
|
441
|
-
default_rendering_id,
|
442
|
-
user: user,
|
443
|
-
collection_list_parameters: collection_list_parameters
|
444
|
-
)
|
445
|
-
}
|
446
|
-
|
447
|
-
context 'when user has the required permission' do
|
448
|
-
it 'should be authorized' do
|
449
|
-
expect(subject.is_authorized?).to be true
|
450
|
-
end
|
451
|
-
end
|
452
|
-
|
453
|
-
context 'when user has not the required permission' do
|
454
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
455
|
-
|
456
|
-
it 'should NOT be authorized' do
|
457
|
-
expect(subject.is_authorized?).to be false
|
458
|
-
end
|
459
|
-
end
|
460
|
-
|
461
|
-
context 'when user has no segments queries permissions and param segmentQuery is there' do
|
462
|
-
let(:segmentQuery) { 'SELECT * FROM products;' }
|
463
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :segmentQuery => segmentQuery } }
|
464
|
-
it 'should be authorized' do
|
465
|
-
expect(subject.is_authorized?).to be false
|
466
|
-
end
|
467
|
-
end
|
468
|
-
|
469
|
-
context 'when segments are defined' do
|
470
|
-
let(:default_rendering_id) { 1 }
|
471
|
-
let(:segments_permissions) {
|
472
|
-
{
|
473
|
-
default_rendering_id => {
|
474
|
-
collection_name => {
|
475
|
-
'segments' => ['SELECT * FROM products;', 'SELECT * FROM sellers;']
|
476
|
-
}
|
477
|
-
}
|
478
|
-
}
|
479
|
-
}
|
480
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :segmentQuery => segmentQuery } }
|
481
|
-
|
482
|
-
context 'when segments are passing validation' do
|
483
|
-
let(:segmentQuery) { 'SELECT * FROM products;' }
|
484
|
-
it 'should return true' do
|
485
|
-
expect(subject.is_authorized?).to be true
|
486
|
-
end
|
487
|
-
end
|
488
|
-
|
489
|
-
context 'when segments are NOT passing validation' do
|
490
|
-
let(:segmentQuery) { 'SELECT * FROM rockets WHERE name = "Starship";' }
|
491
|
-
it 'should return false' do
|
492
|
-
expect(subject.is_authorized?).to be false
|
493
|
-
end
|
494
|
-
end
|
495
|
-
|
496
|
-
context 'when received union segments NOT passing validation' do
|
497
|
-
let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
|
498
|
-
it 'should return false' do
|
499
|
-
expect(subject.is_authorized?).to be false
|
500
|
-
end
|
501
|
-
end
|
502
|
-
|
503
|
-
context 'when received union segments passing validation' do
|
504
|
-
let(:segmentQuery) { 'SELECT * FROM sellers/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT * FROM products' }
|
505
|
-
it 'should return true' do
|
506
|
-
expect(subject.is_authorized?).to be true
|
507
|
-
end
|
508
|
-
end
|
509
|
-
|
510
|
-
context 'when received union segments with UNION inside passing validation' do
|
511
|
-
let(:segmentQuery) { 'SELECT COUNT(*) AS value FROM products/*MULTI-SEGMENTS-QUERIES-UNION*/ UNION SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2' }
|
512
|
-
let(:segments_permissions) {
|
513
|
-
{
|
514
|
-
default_rendering_id => {
|
515
|
-
collection_name => {
|
516
|
-
'segments' => ['SELECT COUNT(*) AS value FROM products;', 'SELECT column_name(s) FROM table1 UNION SELECT column_name(s) FROM table2;', 'SELECT * FROM products;', 'SELECT * FROM sellers;']
|
517
|
-
}
|
518
|
-
}
|
519
|
-
}
|
520
|
-
}
|
521
|
-
it 'should return true' do
|
522
|
-
expect(subject.is_authorized?).to be true
|
523
|
-
end
|
524
|
-
end
|
525
|
-
end
|
526
|
-
end
|
527
|
-
|
528
|
-
describe 'readEnabled permission' do
|
529
|
-
subject { described_class.new(fake_ressource, 'readEnabled', default_rendering_id, user: user) }
|
530
|
-
|
531
|
-
context 'when user has the required permission' do
|
532
|
-
it 'should be authorized' do
|
533
|
-
expect(subject.is_authorized?).to be true
|
534
|
-
end
|
535
|
-
end
|
536
|
-
|
537
|
-
context 'when user has not the required permission' do
|
538
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
539
|
-
|
540
|
-
it 'should NOT be authorized' do
|
541
|
-
expect(subject.is_authorized?).to be false
|
542
|
-
end
|
543
|
-
end
|
544
|
-
end
|
545
|
-
|
546
|
-
describe 'addEnabled permission' do
|
547
|
-
subject { described_class.new(fake_ressource, 'addEnabled', default_rendering_id, user: user) }
|
548
|
-
|
549
|
-
context 'when user has the required permission' do
|
550
|
-
it 'should be authorized' do
|
551
|
-
expect(subject.is_authorized?).to be true
|
552
|
-
end
|
553
|
-
end
|
554
|
-
|
555
|
-
context 'when user has not the required permission' do
|
556
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
557
|
-
|
558
|
-
it 'should NOT be authorized' do
|
559
|
-
expect(subject.is_authorized?).to be false
|
560
|
-
end
|
561
|
-
end
|
562
|
-
end
|
563
|
-
|
564
|
-
describe 'editEnabled permission' do
|
565
|
-
subject { described_class.new(fake_ressource, 'editEnabled', default_rendering_id, user: user) }
|
566
|
-
|
567
|
-
context 'when user has the required permission' do
|
568
|
-
it 'should be authorized' do
|
569
|
-
expect(subject.is_authorized?).to be true
|
570
|
-
end
|
571
|
-
end
|
572
|
-
|
573
|
-
context 'when user has not the required permission' do
|
574
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
575
|
-
|
576
|
-
it 'should NOT be authorized' do
|
577
|
-
expect(subject.is_authorized?).to be false
|
578
|
-
end
|
579
|
-
end
|
580
|
-
end
|
581
|
-
|
582
|
-
describe 'deleteEnabled permission' do
|
583
|
-
subject { described_class.new(fake_ressource, 'deleteEnabled', default_rendering_id, user: user) }
|
584
|
-
|
585
|
-
context 'when user has the required permission' do
|
586
|
-
it 'should be authorized' do
|
587
|
-
expect(subject.is_authorized?).to be true
|
588
|
-
end
|
589
|
-
end
|
590
|
-
|
591
|
-
context 'when user has not the required permission' do
|
592
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
593
|
-
|
594
|
-
it 'should NOT be authorized' do
|
595
|
-
expect(subject.is_authorized?).to be false
|
596
|
-
end
|
597
|
-
end
|
598
|
-
end
|
599
|
-
|
600
|
-
describe 'actions permission' do
|
601
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'POST' } }
|
602
|
-
subject {
|
603
|
-
described_class.new(
|
604
|
-
fake_ressource,
|
605
|
-
'actions',
|
606
|
-
default_rendering_id,
|
607
|
-
user: user,
|
608
|
-
smart_action_request_info: smart_action_request_info
|
609
|
-
)
|
610
|
-
}
|
611
|
-
|
612
|
-
context 'when user has the required permission' do
|
613
|
-
it 'should be authorized' do
|
614
|
-
expect(subject.is_authorized?).to be true
|
615
|
-
end
|
616
|
-
end
|
617
|
-
|
618
|
-
context 'when user has not the required permission' do
|
619
|
-
let(:collection_name) { 'no_rights_collection_boolean' }
|
620
|
-
|
621
|
-
it 'should NOT be authorized' do
|
622
|
-
expect(subject.is_authorized?).to be false
|
623
|
-
end
|
624
|
-
end
|
625
|
-
|
626
|
-
context 'when endpoint is missing from smart action parameters' do
|
627
|
-
let(:smart_action_request_info) { { http_method: 'POST' } }
|
628
|
-
|
629
|
-
it 'user should NOT be authorized' do
|
630
|
-
expect(subject.is_authorized?).to be false
|
631
|
-
end
|
632
|
-
end
|
633
|
-
|
634
|
-
context 'when http_method is missing from smart action parameters' do
|
635
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test' } }
|
636
|
-
|
637
|
-
it 'user should NOT be authorized' do
|
638
|
-
expect(subject.is_authorized?).to be false
|
639
|
-
end
|
640
|
-
end
|
641
|
-
|
642
|
-
context 'when the provided endpoint is not part of the schema' do
|
643
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'DELETE' } }
|
644
|
-
|
645
|
-
it 'user should NOT be authorized' do
|
646
|
-
expect(subject.is_authorized?).to be false
|
647
|
-
end
|
648
|
-
end
|
649
|
-
end
|
650
|
-
end
|
651
|
-
|
652
|
-
context 'with userId list permission values' do
|
653
|
-
let(:collection_name) { 'all_rights_collection_user_list' }
|
654
|
-
|
655
|
-
describe 'exportEnabled permission' do
|
656
|
-
subject { described_class.new(fake_ressource, 'exportEnabled', default_rendering_id, user: user) }
|
657
|
-
|
658
|
-
context 'when user has the required permission' do
|
659
|
-
it 'should be authorized' do
|
660
|
-
expect(subject.is_authorized?).to be true
|
661
|
-
end
|
662
|
-
end
|
663
|
-
|
664
|
-
context 'when user has not the required permission' do
|
665
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
666
|
-
|
667
|
-
it 'should NOT be authorized' do
|
668
|
-
expect(subject.is_authorized?).to be false
|
669
|
-
end
|
670
|
-
end
|
671
|
-
end
|
672
|
-
|
673
|
-
describe 'browseEnabled permission' do
|
674
|
-
let(:collection_list_parameters) { { :user => ["id" => "1"], :filters => nil } }
|
675
|
-
subject {
|
676
|
-
described_class.new(
|
677
|
-
fake_ressource,
|
678
|
-
'browseEnabled',
|
679
|
-
default_rendering_id,
|
680
|
-
user: user,
|
681
|
-
collection_list_parameters: collection_list_parameters
|
682
|
-
)
|
683
|
-
}
|
684
|
-
|
685
|
-
context 'when user has the required permission' do
|
686
|
-
it 'should be authorized' do
|
687
|
-
expect(subject.is_authorized?).to be true
|
688
|
-
end
|
689
|
-
end
|
690
|
-
|
691
|
-
context 'when user has not the required permission' do
|
692
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
693
|
-
|
694
|
-
it 'should NOT be authorized' do
|
695
|
-
expect(subject.is_authorized?).to be false
|
696
|
-
end
|
697
|
-
end
|
698
|
-
end
|
699
|
-
|
700
|
-
describe 'readEnabled permission' do
|
701
|
-
subject { described_class.new(fake_ressource, 'readEnabled', default_rendering_id, user: user) }
|
702
|
-
|
703
|
-
context 'when user has the required permission' do
|
704
|
-
it 'should be authorized' do
|
705
|
-
expect(subject.is_authorized?).to be true
|
706
|
-
end
|
707
|
-
end
|
708
|
-
|
709
|
-
context 'when user has not the required permission' do
|
710
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
711
|
-
|
712
|
-
it 'should NOT be authorized' do
|
713
|
-
expect(subject.is_authorized?).to be false
|
714
|
-
end
|
715
|
-
end
|
716
|
-
end
|
717
|
-
|
718
|
-
describe 'addEnabled permission' do
|
719
|
-
subject { described_class.new(fake_ressource, 'addEnabled', default_rendering_id, user: user) }
|
720
|
-
|
721
|
-
context 'when user has the required permission' do
|
722
|
-
it 'should be authorized' do
|
723
|
-
expect(subject.is_authorized?).to be true
|
724
|
-
end
|
725
|
-
end
|
726
|
-
|
727
|
-
context 'when user has not the required permission' do
|
728
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
729
|
-
|
730
|
-
it 'should NOT be authorized' do
|
731
|
-
expect(subject.is_authorized?).to be false
|
732
|
-
end
|
733
|
-
end
|
734
|
-
end
|
735
|
-
|
736
|
-
describe 'editEnabled permission' do
|
737
|
-
subject { described_class.new(fake_ressource, 'editEnabled', default_rendering_id, user: user) }
|
738
|
-
|
739
|
-
context 'when user has the required permission' do
|
740
|
-
it 'should be authorized' do
|
741
|
-
expect(subject.is_authorized?).to be true
|
742
|
-
end
|
743
|
-
end
|
744
|
-
|
745
|
-
context 'when user has not the required permission' do
|
746
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
747
|
-
|
748
|
-
it 'should NOT be authorized' do
|
749
|
-
expect(subject.is_authorized?).to be false
|
750
|
-
end
|
751
|
-
end
|
752
|
-
end
|
753
|
-
|
754
|
-
describe 'deleteEnabled permission' do
|
755
|
-
subject { described_class.new(fake_ressource, 'deleteEnabled', default_rendering_id, user: user) }
|
756
|
-
|
757
|
-
context 'when user has the required permission' do
|
758
|
-
it 'should be authorized' do
|
759
|
-
expect(subject.is_authorized?).to be true
|
760
|
-
end
|
761
|
-
end
|
762
|
-
|
763
|
-
context 'when user has not the required permission' do
|
764
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
765
|
-
|
766
|
-
it 'should NOT be authorized' do
|
767
|
-
expect(subject.is_authorized?).to be false
|
768
|
-
end
|
769
|
-
end
|
770
|
-
end
|
771
|
-
|
772
|
-
describe 'actions permission' do
|
773
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'POST' } }
|
774
|
-
subject {
|
775
|
-
described_class.new(
|
776
|
-
fake_ressource,
|
777
|
-
'actions',
|
778
|
-
default_rendering_id,
|
779
|
-
user: user,
|
780
|
-
smart_action_request_info: smart_action_request_info
|
781
|
-
)
|
782
|
-
}
|
783
|
-
|
784
|
-
context 'when user has the required permission' do
|
785
|
-
it 'should be authorized' do
|
786
|
-
expect(subject.is_authorized?).to be true
|
787
|
-
end
|
788
|
-
end
|
789
|
-
|
790
|
-
context 'when user has not the required permission' do
|
791
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
792
|
-
|
793
|
-
it 'should NOT be authorized' do
|
794
|
-
expect(subject.is_authorized?).to be false
|
795
|
-
end
|
796
|
-
end
|
797
|
-
|
798
|
-
context 'when endpoint is missing from smart action parameters' do
|
799
|
-
let(:smart_action_request_info) { { http_method: 'POST' } }
|
800
|
-
|
801
|
-
it 'user should NOT be authorized' do
|
802
|
-
expect(subject.is_authorized?).to be false
|
803
|
-
end
|
804
|
-
end
|
805
|
-
|
806
|
-
context 'when http_method is missing from smart action parameters' do
|
807
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test' } }
|
808
|
-
|
809
|
-
it 'user should NOT be authorized' do
|
810
|
-
expect(subject.is_authorized?).to be false
|
811
|
-
end
|
812
|
-
end
|
813
|
-
|
814
|
-
context 'when the provided endpoint is not part of the schema' do
|
815
|
-
let(:smart_action_request_info) { { endpoint: 'forest/actions/Test', http_method: 'DELETE' } }
|
816
|
-
|
817
|
-
it 'user should NOT be authorized' do
|
818
|
-
expect(subject.is_authorized?).to be false
|
819
|
-
end
|
820
|
-
end
|
821
|
-
end
|
822
|
-
|
823
|
-
# searchToEdit permission checker should not be called anymore once rolesAcl activated
|
824
|
-
describe 'searchToEdit permission' do
|
825
|
-
subject { described_class.new(fake_ressource, 'searchToEdit', default_rendering_id, user: user) }
|
826
|
-
|
827
|
-
context 'when user has all permissions' do
|
828
|
-
it 'should NOT be authorized' do
|
829
|
-
expect(subject.is_authorized?).to be false
|
830
|
-
end
|
831
|
-
end
|
832
|
-
|
833
|
-
context 'when user has no permissions' do
|
834
|
-
let(:collection_name) { 'no_rights_collection_user_list' }
|
835
|
-
|
836
|
-
it 'should NOT be authorized' do
|
837
|
-
expect(subject.is_authorized?).to be false
|
838
|
-
end
|
839
|
-
end
|
840
|
-
end
|
841
|
-
end
|
842
|
-
end
|
843
|
-
end
|
844
|
-
end
|
845
|
-
end
|