npm - adapt-authoring-content - Versions diffs - 3.1.0 → 3.2.1 - Mend

adapt-authoring-content 3.1.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/errors/errors.json +7 -0
package/lib/ContentModule.js +37 -1
package/lib/ContentTree.js +14 -0
package/package.json +1 -1
package/tests/ContentModule.spec.js +55 -1
package/tests/ContentTree.spec.js +49 -0

package/errors/errors.json CHANGED Viewed

@@ -21,5 +21,12 @@
     },
     "description": "Resource is currently being used in courses",
     "statusCode": 400
+  },
+  "EMPTY_CONTAINERS": {
+    "data": {
+      "items": "The childless content items blocking the build"
+    },
+    "description": "Course cannot be built: one or more pages, articles or blocks have no content",
+    "statusCode": 400
   }
 }

package/lib/ContentModule.js CHANGED Viewed

@@ -59,6 +59,12 @@ class ContentModule extends AbstractApiModule {
     assets.preDeleteHook.tap(this.enforceAssetNotInUse.bind(this))
+    // block builds when the course structure has empty containers. adaptframework depends on
+    // content (not vice-versa), so tap its hook once available rather than awaiting it here.
+    this.app.waitForModule('adaptframework').then(framework => {
+      framework.preBuildHook.tap(this.enforceNoEmptyContainers.bind(this))
+    })
     await mongodb.setIndex(this.collectionName, { _courseId: 1, _parentId: 1, _type: 1 })
     await mongodb.setIndex(this.collectionName, { _parentId: 1 })
     await mongodb.setIndex(this.collectionName, { _type: 1, _courseId: 1 })
@@ -104,6 +110,26 @@ class ContentModule extends AbstractApiModule {
     throw this.app.errors.RESOURCE_IN_USE.setData({ type: 'asset', courses })
   }
+  /**
+   * preBuildHook observer: refuses a build when any non-component content item has no children
+   * (an empty page, article or block). Components are leaf nodes and config is exempt.
+   * @param {AdaptFrameworkBuild} build The build being run
+   * @return {Promise}
+   */
+  async enforceNoEmptyContainers (build) {
+    const _courseId = parseObjectId(build.courseId)
+    const items = await this.find(
+      { $or: [{ _id: _courseId }, { _courseId }] },
+      { validate: false },
+      { projection: { _type: 1, _parentId: 1, title: 1, displayTitle: 1 } }
+    )
+    const empty = new ContentTree(items).getEmptyContainers()
+    if (!empty.length) return
+    throw this.app.errors.EMPTY_CONTAINERS.setData({
+      items: empty.map(i => ({ _id: i._id.toString(), _type: i._type, title: i.displayTitle || i.title }))
+    })
+  }
   /**
    * Returns a map of asset _id to the number of distinct courses each asset is referenced by.
    * Reads the indexed `_assetIds` field. Accepts an optional `assetIds` array in the request body to
@@ -639,8 +665,18 @@ class ContentModule extends AbstractApiModule {
       const course = await this.findOne(
         { _type: 'course', _courseId },
         { validate: false },
-        { projection: { updatedAt: 1 } }
+        { projection: { updatedAt: 1, _type: 1, createdBy: 1, _isShared: 1, _shareWithUsers: 1, userGroups: 1 } }
       )
+      if (!course) {
+        throw this.app.errors.NOT_FOUND.setData({ type: 'content', id: _courseId })
+      }
+      // this custom handler bypasses the standard per-item access check, so apply
+      // it here: the tree is readable only if the user can access the course
+      // (owner / _isShared / _shareWithUsers / shared group). 404 (not 403) so we
+      // don't leak the course's existence. Supers are exempt.
+      if (!req.auth.isSuper && this.accessCheckHook.hasObservers && !(await this.accessCheckHook.invoke(req, course)).every(Boolean)) {
+        throw this.app.errors.NOT_FOUND.setData({ type: 'content', id: _courseId })
+      }
       const lastModified = new Date(course.updatedAt)
       lastModified.setMilliseconds(0) // HTTP dates are second-precision; must match before comparing
       const ifModifiedSince = req.headers['if-modified-since'] && new Date(req.headers['if-modified-since'])

package/lib/ContentTree.js CHANGED Viewed

@@ -114,6 +114,20 @@ class ContentTree {
     return this.getChildren(item._parentId).filter(c => c._id.toString() !== id)
   }
+  /**
+   * Finds container items that have no children. Components are leaf nodes and
+   * config is a childless root — both are exempt; every other type (course, menu,
+   * page, article, block) is expected to contain at least one child.
+   * @returns {Array<Object>} Childless container items
+   */
+  getEmptyContainers () {
+    return this.items.filter(i =>
+      i._type !== 'component' &&
+      i._type !== 'config' &&
+      this.getChildren(i._id).length === 0
+    )
+  }
   /**
    * O(1) — unique component names across the course
    * @returns {Array<string>}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "adapt-authoring-content",
-  "version": "3.1.0",
+  "version": "3.2.1",
   "description": "Module for managing Adapt content",
   "homepage": "https://github.com/adapt-security/adapt-authoring-content",
   "license": "GPL-3.0",

package/tests/ContentModule.spec.js CHANGED Viewed

@@ -560,6 +560,7 @@ describe('ContentModule', () => {
       let statusCode
       let ended = false
       const req = {
+        auth: { isSuper: true },
         apiData: { query: { _courseId: COURSE_ID } },
         headers: { 'if-modified-since': new Date('2025-01-02T00:00:00Z').toUTCString() }
       }
@@ -586,6 +587,7 @@ describe('ContentModule', () => {
         find: mock.fn(async () => items)
       })
       const req = {
+        auth: { isSuper: true },
         apiData: { query: { _courseId: COURSE_ID } },
         headers: {}
       }
@@ -617,13 +619,65 @@ describe('ContentModule', () => {
       const inst = createInstance({
         findOne: mock.fn(async () => { throw new Error('db error') })
       })
-      const req = { apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const req = { auth: { isSuper: true }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
       const res = {}
       const next = mock.fn()
       await ContentModule.prototype.handleTree.call(inst, req, res, next)
       assert.equal(next.mock.callCount(), 1)
       assert.equal(next.mock.calls[0].arguments[0].message, 'db error')
     })
+    it('should run the per-item access check for non-super users and return the tree when allowed', async () => {
+      const lastModified = new Date('2025-01-15T00:00:00Z')
+      const course = { _id: COURSE_ID, _type: 'course', updatedAt: lastModified }
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [true]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => course),
+        find: mock.fn(async () => [{ _id: COURSE_ID, _type: 'course', _courseId: COURSE_ID }])
+      })
+      const req = { auth: { isSuper: false, user: {} }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const res = { set: mock.fn(), json: mock.fn() }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, res, next)
+      assert.equal(accessCheckHook.invoke.mock.callCount(), 1, 'access check invoked')
+      assert.deepEqual(accessCheckHook.invoke.mock.calls[0].arguments, [req, course], 'check receives req + the course')
+      assert.equal(inst.find.mock.callCount(), 1)
+      assert.equal(next.mock.callCount(), 0)
+    })
+    it('should 404 (not leak existence) when the access check denies the course', async () => {
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [false]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => ({ _id: COURSE_ID, _type: 'course', updatedAt: new Date() })),
+        app: { errors: { NOT_FOUND: { setData: () => new Error('NOT_FOUND') } } }
+      })
+      const req = { auth: { isSuper: false, user: {} }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, {}, next)
+      assert.equal(next.mock.callCount(), 1)
+      assert.equal(next.mock.calls[0].arguments[0].message, 'NOT_FOUND')
+      assert.equal(inst.find.mock.callCount(), 0, 'should not fetch items for an inaccessible course')
+    })
+    it('should skip the access check for super users', async () => {
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [false]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => ({ _id: COURSE_ID, _type: 'course', updatedAt: new Date('2025-01-15T00:00:00Z') })),
+        find: mock.fn(async () => [])
+      })
+      const req = { auth: { isSuper: true }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const res = { set: mock.fn(), json: mock.fn() }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, res, next)
+      assert.equal(accessCheckHook.invoke.mock.callCount(), 0, 'super bypasses the access check')
+      assert.equal(next.mock.callCount(), 0)
+    })
   })
   describe('enforceAssetNotInUse', () => {

package/tests/ContentTree.spec.js CHANGED Viewed

@@ -227,4 +227,53 @@ describe('ContentTree', () => {
       assert.deepEqual(tree.getComponentNames(), [])
     })
   })
+  describe('getEmptyContainers', () => {
+    it('should return container items that have no children', () => {
+      // in the shared fixture the menu (id4) and second article (id6) are childless
+      const empty = new ContentTree(items).getEmptyContainers()
+      assert.deepEqual(empty.map(i => i._id.toString()).sort(), ['id4', 'id6'])
+    })
+    it('should never flag components (leaf nodes)', () => {
+      const tree = new ContentTree([
+        { _id: makeId(1), _type: 'block', _parentId: makeId(99) },
+        { _id: makeId(2), _type: 'component', _parentId: makeId(1), _component: 'adapt-contrib-text' }
+      ])
+      assert.equal(tree.getEmptyContainers().length, 0)
+    })
+    it('should never flag config (childless root)', () => {
+      const tree = new ContentTree([
+        { _id: makeId(1), _type: 'course' },
+        { _id: makeId(2), _type: 'config', _courseId: 'c1' },
+        { _id: makeId(3), _type: 'page', _parentId: makeId(1) },
+        { _id: makeId(4), _type: 'article', _parentId: makeId(3) },
+        { _id: makeId(5), _type: 'block', _parentId: makeId(4) },
+        { _id: makeId(6), _type: 'component', _parentId: makeId(5), _component: 'adapt-contrib-text' }
+      ])
+      assert.deepEqual(tree.getEmptyContainers(), [])
+    })
+    it('should flag a block with no components', () => {
+      const tree = new ContentTree([
+        { _id: makeId(1), _type: 'article', _parentId: makeId(99) },
+        { _id: makeId(2), _type: 'block', _parentId: makeId(1) }
+      ])
+      const empty = tree.getEmptyContainers()
+      assert.equal(empty.length, 1)
+      assert.equal(empty[0]._id.toString(), 'id2')
+    })
+    it('should flag a course with no children', () => {
+      const tree = new ContentTree([
+        { _id: makeId(1), _type: 'course' }
+      ])
+      assert.deepEqual(tree.getEmptyContainers().map(i => i._type), ['course'])
+    })
+    it('should return empty array for an empty tree', () => {
+      assert.deepEqual(new ContentTree([]).getEmptyContainers(), [])
+    })
+  })
 })