adapt-authoring-content 3.2.0 → 3.2.2

package/lib/ContentModule.js

@@ -571,6 +571,8 @@ class ContentModule extends AbstractApiModule {
     if (originalDoc._courseId?.toString() !== payloads[0]._courseId?.toString()) {
       await this.updateEnabledPlugins(payloads[0])
     }
+    // place the clone at its requested _sortOrder and renumber siblings (no-op for course/config)
+    await this.updateSortOrder(payloads[0], payloads[0])
 
     return payloads[0]
   }
@@ -665,8 +667,18 @@ class ContentModule extends AbstractApiModule {
       const course = await this.findOne(
         { _type: 'course', _courseId },
         { validate: false },
-        { projection: { updatedAt: 1 } }
+        { projection: { updatedAt: 1, _type: 1, createdBy: 1, _isShared: 1, _shareWithUsers: 1, userGroups: 1 } }
       )
+      if (!course) {
+        throw this.app.errors.NOT_FOUND.setData({ type: 'content', id: _courseId })
+      }
+      // this custom handler bypasses the standard per-item access check, so apply
+      // it here: the tree is readable only if the user can access the course
+      // (owner / _isShared / _shareWithUsers / shared group). 404 (not 403) so we
+      // don't leak the course's existence. Supers are exempt.
+      if (!req.auth.isSuper && this.accessCheckHook.hasObservers && !(await this.accessCheckHook.invoke(req, course)).every(Boolean)) {
+        throw this.app.errors.NOT_FOUND.setData({ type: 'content', id: _courseId })
+      }
       const lastModified = new Date(course.updatedAt)
       lastModified.setMilliseconds(0) // HTTP dates are second-precision; must match before comparing
       const ifModifiedSince = req.headers['if-modified-since'] && new Date(req.headers['if-modified-since'])

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "adapt-authoring-content",
-  "version": "3.2.0",
+  "version": "3.2.2",
   "description": "Module for managing Adapt content",
   "homepage": "https://github.com/adapt-security/adapt-authoring-content",
   "license": "GPL-3.0",

package/tests/ContentModule.spec.js

@@ -384,6 +384,7 @@ describe('ContentModule', () => {
         }),
         getSchema: mock.fn(async () => ({})),
         updateEnabledPlugins: mock.fn(async () => {}),
+        updateSortOrder: mock.fn(async () => {}),
         preCloneHook: { invoke: mock.fn(async () => {}) },
         preInsertHook: { invoke: mock.fn(async () => {}) },
         postInsertHook: { invoke: mock.fn(async () => {}) },
@@ -460,6 +461,25 @@ describe('ContentModule', () => {
       assert.equal(result._type, 'course')
     })
 
+    it('should renumber siblings for the cloned root so it lands at its _sortOrder', async () => {
+      const { inst } = createCloneInstance()
+
+      const items = [
+        { _id: COURSE_OID, _type: 'course', _courseId: COURSE_OID },
+        { _id: PAGE_OID, _type: 'page', _parentId: COURSE_OID, _courseId: COURSE_OID }
+      ]
+      const tree = new ContentTree(items)
+      const parent = { _id: COURSE_OID, _type: 'course', _courseId: COURSE_OID }
+      const result = await ContentModule.prototype.clone.call(inst, USER_OID, PAGE_OID, COURSE_OID, { _sortOrder: 1 }, { tree, parent })
+
+      assert.equal(inst.updateSortOrder.mock.callCount(), 1)
+      const [item, updateData] = inst.updateSortOrder.mock.calls[0].arguments
+      // called with the root payload (truthy updateData triggers the splice/renumber path)
+      assert.equal(item, result)
+      assert.ok(updateData)
+      assert.equal(item._sortOrder, 1)
+    })
+
     it('should remap parent IDs correctly', async () => {
       const { inst, mongodb } = createCloneInstance()
 
@@ -560,6 +580,7 @@ describe('ContentModule', () => {
       let statusCode
       let ended = false
       const req = {
+        auth: { isSuper: true },
         apiData: { query: { _courseId: COURSE_ID } },
         headers: { 'if-modified-since': new Date('2025-01-02T00:00:00Z').toUTCString() }
       }
@@ -586,6 +607,7 @@ describe('ContentModule', () => {
         find: mock.fn(async () => items)
       })
       const req = {
+        auth: { isSuper: true },
         apiData: { query: { _courseId: COURSE_ID } },
         headers: {}
       }
@@ -617,13 +639,65 @@ describe('ContentModule', () => {
       const inst = createInstance({
         findOne: mock.fn(async () => { throw new Error('db error') })
       })
-      const req = { apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const req = { auth: { isSuper: true }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
       const res = {}
       const next = mock.fn()
       await ContentModule.prototype.handleTree.call(inst, req, res, next)
       assert.equal(next.mock.callCount(), 1)
       assert.equal(next.mock.calls[0].arguments[0].message, 'db error')
     })
+
+    it('should run the per-item access check for non-super users and return the tree when allowed', async () => {
+      const lastModified = new Date('2025-01-15T00:00:00Z')
+      const course = { _id: COURSE_ID, _type: 'course', updatedAt: lastModified }
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [true]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => course),
+        find: mock.fn(async () => [{ _id: COURSE_ID, _type: 'course', _courseId: COURSE_ID }])
+      })
+      const req = { auth: { isSuper: false, user: {} }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const res = { set: mock.fn(), json: mock.fn() }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, res, next)
+
+      assert.equal(accessCheckHook.invoke.mock.callCount(), 1, 'access check invoked')
+      assert.deepEqual(accessCheckHook.invoke.mock.calls[0].arguments, [req, course], 'check receives req + the course')
+      assert.equal(inst.find.mock.callCount(), 1)
+      assert.equal(next.mock.callCount(), 0)
+    })
+
+    it('should 404 (not leak existence) when the access check denies the course', async () => {
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [false]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => ({ _id: COURSE_ID, _type: 'course', updatedAt: new Date() })),
+        app: { errors: { NOT_FOUND: { setData: () => new Error('NOT_FOUND') } } }
+      })
+      const req = { auth: { isSuper: false, user: {} }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, {}, next)
+
+      assert.equal(next.mock.callCount(), 1)
+      assert.equal(next.mock.calls[0].arguments[0].message, 'NOT_FOUND')
+      assert.equal(inst.find.mock.callCount(), 0, 'should not fetch items for an inaccessible course')
+    })
+
+    it('should skip the access check for super users', async () => {
+      const accessCheckHook = { hasObservers: true, invoke: mock.fn(async () => [false]) }
+      const inst = createInstance({
+        accessCheckHook,
+        findOne: mock.fn(async () => ({ _id: COURSE_ID, _type: 'course', updatedAt: new Date('2025-01-15T00:00:00Z') })),
+        find: mock.fn(async () => [])
+      })
+      const req = { auth: { isSuper: true }, apiData: { query: { _courseId: COURSE_ID } }, headers: {} }
+      const res = { set: mock.fn(), json: mock.fn() }
+      const next = mock.fn()
+      await ContentModule.prototype.handleTree.call(inst, req, res, next)
+
+      assert.equal(accessCheckHook.invoke.mock.callCount(), 0, 'super bypasses the access check')
+      assert.equal(next.mock.callCount(), 0)
+    })
   })
 
   describe('enforceAssetNotInUse', () => {