cojson 0.18.28 → 0.18.30

package/src/tests/group.addMember.test.ts

@@ -1,326 +1,452 @@
 import { beforeEach, describe, expect, test } from "vitest";
-import { expectMap } from "../coValue.js";
 import {
   SyncMessagesLog,
   loadCoValueOrFail,
   setupTestAccount,
   setupTestNode,
-  waitFor,
 } from "./testUtils.js";
+import { Role } from "../permissions.js";
 
 beforeEach(async () => {
   SyncMessagesLog.clear();
   setupTestNode({ isSyncServer: true });
 });
 
-describe("Group.addMember", () => {
-  test("an admin should be able to grant read access", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
-
-    const reader = await setupTestAccount({
-      connected: true,
-    });
-
-    const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
-    });
-
-    const personOnReaderNode = await loadCoValueOrFail(reader.node, person.id);
-
-    expect(personOnReaderNode.get("name")).toEqual(undefined);
-
-    const readerOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      reader.accountID,
-    );
-    group.addMember(readerOnAdminNode, "reader");
-
-    expect(group.roleOf(reader.accountID)).toEqual("reader");
-
-    await waitFor(() => {
-      expect(
-        expectMap(personOnReaderNode.core.getCurrentContent()).get("name"),
-      ).toEqual("John Doe");
-    });
-  });
-
-  test("an admin should be able to grant write access", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
-
-    const writer = await setupTestAccount({
-      connected: true,
-    });
-
-    const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
-    });
-
-    const personOnWriterNode = await loadCoValueOrFail(writer.node, person.id);
-
-    expect(personOnWriterNode.get("name")).toEqual(undefined);
-
-    const writerOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      writer.accountID,
-    );
-    group.addMember(writerOnAdminNode, "writer");
-    expect(group.roleOf(writer.accountID)).toEqual("writer");
-
-    await waitFor(() => {
-      expect(
-        expectMap(personOnWriterNode.core.getCurrentContent()).get("name"),
-      ).toEqual("John Doe");
-    });
-
-    personOnWriterNode.set("name", "Jane Doe");
-    expect(personOnWriterNode.get("name")).toEqual("Jane Doe");
-  });
-
-  test("an admin should be able to grant writeOnly access", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
+// [sourceRole, from, to, canGrant]
+const GRANT_MATRIX: [Role, Role | undefined, Role, boolean][] = [
+  // Admin can grant any role to anyone
+  ["admin", undefined, "admin", true],
+  ["admin", undefined, "manager", true],
+  ["admin", undefined, "writer", true],
+  ["admin", undefined, "reader", true],
+  ["admin", undefined, "writeOnly", true],
+
+  ["admin", "manager", "admin", true],
+  ["admin", "manager", "manager", true],
+  ["admin", "manager", "writer", true],
+  ["admin", "manager", "reader", true],
+  ["admin", "manager", "writeOnly", true],
+
+  ["admin", "admin", "admin", true],
+  ["admin", "admin", "manager", false],
+  ["admin", "admin", "writer", false],
+  ["admin", "admin", "reader", false],
+  ["admin", "admin", "writeOnly", false],
+
+  ["admin", "writer", "admin", true],
+  ["admin", "writer", "manager", true],
+  ["admin", "writer", "writer", true],
+  ["admin", "writer", "reader", true],
+  ["admin", "writer", "writeOnly", true],
+
+  ["admin", "reader", "admin", true],
+  ["admin", "reader", "manager", true],
+  ["admin", "reader", "writer", true],
+  ["admin", "reader", "reader", true],
+  ["admin", "reader", "writeOnly", true],
+
+  ["admin", "writeOnly", "admin", true],
+  ["admin", "writeOnly", "manager", true],
+  ["admin", "writeOnly", "writer", true],
+  ["admin", "writeOnly", "reader", true],
+  ["admin", "writeOnly", "writeOnly", true],
+
+  // Manager can grant any role except admin
+  // Manager can downgrade any role except admin
+  ["manager", undefined, "admin", false],
+  ["manager", undefined, "manager", true],
+  ["manager", undefined, "writer", true],
+  ["manager", undefined, "reader", true],
+  ["manager", undefined, "writeOnly", true],
+
+  ["manager", "manager", "admin", false],
+  ["manager", "manager", "manager", true],
+  ["manager", "manager", "writer", true],
+  ["manager", "manager", "reader", true],
+  ["manager", "manager", "writeOnly", true],
+
+  ["manager", "admin", "admin", true],
+  ["manager", "admin", "manager", false],
+  ["manager", "admin", "writer", false],
+  ["manager", "admin", "reader", false],
+  ["manager", "admin", "writeOnly", false],
+
+  ["manager", "writer", "admin", false],
+  ["manager", "writer", "manager", true],
+  ["manager", "writer", "writer", true],
+  ["manager", "writer", "reader", true],
+  ["manager", "writer", "writeOnly", true],
+
+  ["manager", "reader", "admin", false],
+  ["manager", "reader", "manager", true],
+  ["manager", "reader", "writer", true],
+  ["manager", "reader", "reader", true],
+  ["manager", "reader", "writeOnly", true],
+
+  ["manager", "writeOnly", "admin", false],
+  ["manager", "writeOnly", "manager", true],
+  ["manager", "writeOnly", "writer", true],
+  ["manager", "writeOnly", "reader", true],
+  ["manager", "writeOnly", "writeOnly", true],
+
+  // Writer cannot grant any roles to anyone
+  ["writer", undefined, "admin", false],
+  ["writer", undefined, "manager", false],
+  ["writer", undefined, "writer", false],
+  ["writer", undefined, "reader", false],
+  ["writer", undefined, "writeOnly", false],
+
+  ["writer", "manager", "admin", false],
+  ["writer", "manager", "manager", false],
+  ["writer", "manager", "writer", false],
+  ["writer", "manager", "reader", false],
+  ["writer", "manager", "writeOnly", false],
+
+  ["writer", "admin", "admin", false],
+  ["writer", "admin", "manager", false],
+  ["writer", "admin", "writer", false],
+  ["writer", "admin", "reader", false],
+  ["writer", "admin", "writeOnly", false],
+
+  ["writer", "writer", "admin", false],
+  ["writer", "writer", "manager", false],
+  ["writer", "writer", "writer", false],
+  ["writer", "writer", "reader", false],
+  ["writer", "writer", "writeOnly", false],
+
+  ["writer", "reader", "admin", false],
+  ["writer", "reader", "manager", false],
+  ["writer", "reader", "writer", false],
+  ["writer", "reader", "reader", false],
+  ["writer", "reader", "writeOnly", false],
+
+  ["writer", "writeOnly", "manager", false],
+  ["writer", "writeOnly", "admin", false],
+  ["writer", "writeOnly", "writer", false],
+  ["writer", "writeOnly", "reader", false],
+  ["writer", "writeOnly", "writeOnly", false],
+
+  // Reader cannot grant any roles to anyone
+  ["reader", undefined, "admin", false],
+  ["reader", undefined, "manager", false],
+  ["reader", undefined, "writer", false],
+  ["reader", undefined, "reader", false],
+  ["reader", undefined, "writeOnly", false],
+
+  ["reader", "manager", "admin", false],
+  ["reader", "manager", "manager", false],
+  ["reader", "manager", "writer", false],
+  ["reader", "manager", "reader", false],
+  ["reader", "manager", "writeOnly", false],
+
+  ["reader", "admin", "admin", false],
+  ["reader", "admin", "manager", false],
+  ["reader", "admin", "writer", false],
+  ["reader", "admin", "reader", false],
+  ["reader", "admin", "writeOnly", false],
+
+  ["reader", "writer", "admin", false],
+  ["reader", "writer", "manager", false],
+  ["reader", "writer", "writer", false],
+  ["reader", "writer", "reader", false],
+  ["reader", "writer", "writeOnly", false],
+
+  ["reader", "reader", "admin", false],
+  ["reader", "reader", "manager", false],
+  ["reader", "reader", "writer", false],
+  ["reader", "reader", "reader", false],
+  ["reader", "reader", "writeOnly", false],
+
+  ["reader", "writeOnly", "admin", false],
+  ["reader", "writeOnly", "manager", false],
+  ["reader", "writeOnly", "writer", false],
+  ["reader", "writeOnly", "reader", false],
+  ["reader", "writeOnly", "writeOnly", false],
+
+  // WriteOnly cannot grant any roles to anyone, so spell all writeOnly combinations out:
+  ["writeOnly", undefined, "admin", false],
+  ["writeOnly", undefined, "manager", false],
+  ["writeOnly", undefined, "writer", false],
+  ["writeOnly", undefined, "reader", false],
+  ["writeOnly", undefined, "writeOnly", false],
+
+  ["writeOnly", "manager", "admin", false],
+  ["writeOnly", "manager", "manager", false],
+  ["writeOnly", "manager", "writer", false],
+  ["writeOnly", "manager", "reader", false],
+  ["writeOnly", "manager", "writeOnly", false],
+
+  ["writeOnly", "admin", "admin", false],
+  ["writeOnly", "admin", "manager", false],
+  ["writeOnly", "admin", "writer", false],
+  ["writeOnly", "admin", "reader", false],
+  ["writeOnly", "admin", "writeOnly", false],
+
+  ["writeOnly", "writer", "admin", false],
+  ["writeOnly", "writer", "manager", false],
+  ["writeOnly", "writer", "writer", false],
+  ["writeOnly", "writer", "reader", false],
+  ["writeOnly", "writer", "writeOnly", false],
+
+  ["writeOnly", "reader", "admin", false],
+  ["writeOnly", "reader", "manager", false],
+  ["writeOnly", "reader", "writer", false],
+  ["writeOnly", "reader", "reader", false],
+  ["writeOnly", "reader", "writeOnly", false],
+
+  ["writeOnly", "writeOnly", "admin", false],
+  ["writeOnly", "writeOnly", "manager", false],
+  ["writeOnly", "writeOnly", "writer", false],
+  ["writeOnly", "writeOnly", "reader", false],
+  ["writeOnly", "writeOnly", "writeOnly", false],
+];
 
-    const writeOnlyUser = await setupTestAccount({
-      connected: true,
-    });
+describe("Group.addMember", () => {
+  for (const [sourceRole, from, to, canGrant] of GRANT_MATRIX) {
+    test(`${sourceRole} should ${canGrant ? "be able" : "not be able"} to grant ${from !== undefined ? `${from} -> ` : ""}${to} role`, async () => {
+      const source = await setupTestAccount({
+        connected: true,
+      });
 
-    const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
-    });
+      const member = await setupTestAccount({
+        connected: true,
+      });
 
-    const writeOnlyUserOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      writeOnlyUser.accountID,
-    );
-    group.addMember(writeOnlyUserOnAdminNode, "writeOnly");
-    expect(group.roleOf(writeOnlyUser.accountID)).toEqual("writeOnly");
-    const personOnWriteOnlyNode = await loadCoValueOrFail(
-      writeOnlyUser.node,
-      person.id,
-    );
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        member.accountID,
+      );
 
-    // Should not be able to read
-    expect(personOnWriteOnlyNode.get("name")).toEqual(undefined);
+      const group = source.node.createGroup();
 
-    // Should be able to write
-    personOnWriteOnlyNode.set("name", "Jane Doe");
+      // setup initial role for member
+      if (from !== undefined) {
+        group.addMember(memberOnSourceNode, from);
+      }
 
-    expect(personOnWriteOnlyNode.get("name")).toEqual("Jane Doe");
-  });
+      group.addMember(
+        await loadCoValueOrFail(source.node, source.accountID),
+        sourceRole as Role,
+      );
 
-  test("an admin should be able to grant admin access", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
+      expect(group.roleOf(source.accountID)).toEqual(sourceRole);
 
-    const otherAdmin = await setupTestAccount({
-      connected: true,
-    });
+      if (canGrant || from === to) {
+        group.addMember(memberOnSourceNode, to);
 
-    const reader = await setupTestAccount({
-      connected: true,
-    });
+        expect(group.roleOf(member.accountID)).toEqual(to);
+      } else {
+        expect(() => {
+          group.addMember(memberOnSourceNode, to);
+        }).toThrow(
+          `Failed to set role ${to} to ${member.accountID} (role of current account is ${sourceRole})`,
+        );
 
-    const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
+        expect(group.roleOf(member.accountID)).toEqual(from);
+      }
     });
+  }
 
-    const otherAdminOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      otherAdmin.accountID,
-    );
-    group.addMember(otherAdminOnAdminNode, "admin");
-
-    const personOnReaderNode = await loadCoValueOrFail(reader.node, person.id);
-
-    expect(personOnReaderNode.get("name")).toEqual(undefined);
-
-    const readerOnOtherAdminNode = await loadCoValueOrFail(
-      otherAdmin.node,
-      reader.accountID,
-    );
-    group.addMember(readerOnOtherAdminNode, "reader");
+  test.each(["admin", "manager", "writer", "reader", "writeOnly"] as Role[])(
+    "admin should be able to self downgrade to %s role",
+    async (role) => {
+      const source = await setupTestAccount({
+        connected: true,
+      });
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
+      );
 
-    await waitFor(() => {
-      expect(
-        expectMap(personOnReaderNode.core.getCurrentContent()).get("name"),
-      ).toEqual("John Doe");
-    });
-  });
+      const group = source.node.createGroup();
 
-  test("an admin should be able downgrade a writer to reader", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
+      group.addMember(memberOnSourceNode, role);
 
-    const writer = await setupTestAccount({
-      connected: true,
-    });
+      expect(group.roleOf(source.accountID)).toEqual(role);
+    },
+  );
 
-    const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
-    });
+  test.each(["admin", "manager", "reader", "writeOnly"] as Role[])(
+    "writer should not be able to self upgrade to %s role",
+    async (role) => {
+      const source = await setupTestAccount({
+        connected: true,
+      });
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
+      );
 
-    const writerOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      writer.accountID,
-    );
-    group.addMember(writerOnAdminNode, "writer");
-    group.addMember(writerOnAdminNode, "reader");
+      const group = source.node.createGroup();
 
-    expect(group.roleOf(writer.accountID)).toEqual("reader");
+      group.addMember(memberOnSourceNode, "writer");
 
-    // Verify writer can read and write
-    const personOnWriterNode = await loadCoValueOrFail(writer.node, person.id);
+      expect(group.roleOf(source.accountID)).toEqual("writer");
 
-    // Should not be able to write
-    personOnWriterNode.set("name", "Jane Doe");
+      expect(() => {
+        group.addMember(memberOnSourceNode, role);
+      }).toThrow(
+        `Failed to set role ${role} to ${source.accountID} (role of current account is writer)`,
+      );
+    },
+  );
 
-    expect(personOnWriterNode.get("name")).toEqual("John Doe");
-  });
+  test.each(["admin", "manager", "writer", "writeOnly"] as Role[])(
+    "reader should not be able to self upgrade to %s role",
+    async (role) => {
+      const source = await setupTestAccount({
+        connected: true,
+      });
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
+      );
 
-  test("an admin should be able downgrade a reader to writeOnly", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
+      const group = source.node.createGroup();
 
-    const reader = await setupTestAccount({
-      connected: true,
-    });
+      group.addMember(memberOnSourceNode, "reader");
 
-    const group = admin.node.createGroup();
+      expect(group.roleOf(source.accountID)).toEqual("reader");
 
-    const readerOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      reader.accountID,
-    );
-    group.addMember(readerOnAdminNode, "reader");
-    group.addMember(readerOnAdminNode, "writeOnly");
+      expect(() => {
+        group.addMember(memberOnSourceNode, role);
+      }).toThrow(
+        `Failed to set role ${role} to ${source.accountID} (role of current account is reader)`,
+      );
+    },
+  );
 
-    expect(group.roleOf(reader.accountID)).toEqual("writeOnly");
+  test.each(["admin", "superAdmin", "writer", "reader"] as Role[])(
+    "writeOnly should not be able to self upgrade to %s role",
+    async (role) => {
+      const source = await setupTestAccount({
+        connected: true,
+      });
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
+      );
 
-    const person = group.createMap({
-      name: "John Doe",
-    });
+      const group = source.node.createGroup();
 
-    // Verify reader can read
-    const personOnReaderNode = await loadCoValueOrFail(reader.node, person.id);
+      group.addMember(memberOnSourceNode, "writeOnly");
 
-    expect(personOnReaderNode.get("name")).toEqual(undefined);
-  });
+      expect(group.roleOf(source.accountID)).toEqual("writeOnly");
 
-  test.each(["writer", "reader", "writeOnly"] as const)(
-    "an admin should not be able to downgrade an admin to %s",
-    async (targetRole) => {
-      const admin = await setupTestAccount({
-        connected: true,
-      });
+      expect(() => {
+        group.addMember(memberOnSourceNode, role);
+      }).toThrow(
+        `Failed to set role ${role} to ${source.accountID} (role of current account is writeOnly)`,
+      );
+    },
+  );
 
-      const otherAdmin = await setupTestAccount({
+  test.each(["admin"] as Role[])(
+    "%s should be able to set writer role to EVERYONE",
+    async (role) => {
+      const source = await setupTestAccount({
         connected: true,
       });
-
-      const group = admin.node.createGroup();
-      const person = group.createMap({
-        name: "John Doe",
-      });
-
-      const otherAdminOnAdminNode = await loadCoValueOrFail(
-        admin.node,
-        otherAdmin.accountID,
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
       );
-      group.addMember(otherAdminOnAdminNode, "admin");
 
-      // Try to downgrade other admin
-      expect(() => group.addMember(otherAdminOnAdminNode, targetRole)).toThrow(
-        "Administrators cannot demote other administrators in a group",
-      );
+      const group = source.node.createGroup();
+
+      group.addMember(memberOnSourceNode, role);
+      expect(group.roleOf(source.accountID)).toEqual(role);
 
-      expect(group.roleOf(otherAdmin.accountID)).toEqual("admin");
+      group.addMember("everyone", "writer");
+      expect(group.roleOf("everyone")).toEqual("writer");
+    },
+  );
 
-      // Verify other admin still has admin access by adding a new member
-      const reader = await setupTestAccount({
+  test.each(["admin"] as Role[])(
+    "%s should be able to set writeOnly role to EVERYONE",
+    async (role) => {
+      const source = await setupTestAccount({
         connected: true,
       });
-
-      const readerOnOtherAdminNode = await loadCoValueOrFail(
-        otherAdmin.node,
-        reader.accountID,
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
       );
-      group.addMember(readerOnOtherAdminNode, "reader");
 
-      const personOnReaderNode = await loadCoValueOrFail(
-        reader.node,
-        person.id,
-      );
+      const group = source.node.createGroup();
 
-      await waitFor(() => {
-        expect(
-          expectMap(personOnReaderNode.core.getCurrentContent()).get("name"),
-        ).toEqual("John Doe");
-      });
+      group.addMember(memberOnSourceNode, role);
+      expect(group.roleOf(source.accountID)).toEqual(role);
+
+      group.addMember("everyone", "writeOnly");
+      expect(group.roleOf("everyone")).toEqual("writeOnly");
     },
   );
 
-  test.each(["writer", "reader", "writeOnly"] as const)(
-    "an admin should be able downgrade themselves to %s",
-    async (targetRole) => {
-      const admin = await setupTestAccount({
+  test.each(["admin", "manager"] as Role[])(
+    "%s should be able to set reader role to EVERYONE",
+    async (role) => {
+      const source = await setupTestAccount({
         connected: true,
       });
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
+      );
 
-      const group = admin.node.createGroup();
+      const group = source.node.createGroup();
 
-      const account = await loadCoValueOrFail(admin.node, admin.accountID);
+      group.addMember(memberOnSourceNode, role);
+      expect(group.roleOf(source.accountID)).toEqual(role);
 
-      // Downgrade self to target role
-      group.addMember(account, targetRole);
-      expect(group.roleOf(admin.accountID)).toEqual(targetRole);
+      group.addMember("everyone", "reader");
+      expect(group.roleOf("everyone")).toEqual("reader");
     },
   );
 
-  test("an admin should be able downgrade a writeOnly to reader", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
+  test.each(["writer", "reader", "writeOnly"] as Role[])(
+    "%s should not be able to set any role to EVERYONE",
+    async (role) => {
+      const source = await setupTestAccount({
+        connected: true,
+      });
+      const memberOnSourceNode = await loadCoValueOrFail(
+        source.node,
+        source.accountID,
+      );
 
-    const writeOnlyUser = await setupTestAccount({
-      connected: true,
-    });
+      const group = source.node.createGroup();
 
-    const group = admin.node.createGroup();
-    const person = group.createMap({
-      name: "John Doe",
-    });
+      group.addMember(memberOnSourceNode, role);
+      expect(group.roleOf(source.accountID)).toEqual(role);
 
-    const writeOnlyUserOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      writeOnlyUser.accountID,
-    );
-    group.addMember(writeOnlyUserOnAdminNode, "writeOnly");
-    group.addMember(writeOnlyUserOnAdminNode, "reader");
+      expect(() => {
+        group.addMember("everyone", "writer");
+      }).toThrow(
+        `Failed to set role writer to everyone (role of current account is ${role})`,
+      );
 
-    expect(group.roleOf(writeOnlyUser.accountID)).toEqual("reader");
+      expect(group.roleOf("everyone")).toEqual(undefined);
 
-    const personOnWriteOnlyNode = await loadCoValueOrFail(
-      writeOnlyUser.node,
-      person.id,
-    );
+      expect(() => {
+        group.addMember("everyone", "reader");
+      }).toThrow(
+        `Failed to set role reader to everyone (role of current account is ${role})`,
+      );
 
-    expect(personOnWriteOnlyNode.get("name")).toEqual("John Doe");
-  });
+      expect(group.roleOf("everyone")).toEqual(undefined);
+
+      expect(() => {
+        group.addMember("everyone", "writeOnly");
+      }).toThrow(
+        `Failed to set role writeOnly to everyone (role of current account is ${role})`,
+      );
+
+      expect(group.roleOf("everyone")).toEqual(undefined);
+    },
+  );
 
-  test("a reader should not be able to add a member", async () => {
+  test("an admin should be able downgrade a reader to writeOnly", async () => {
     const admin = await setupTestAccount({
       connected: true,
     });
@@ -329,111 +455,24 @@ describe("Group.addMember", () => {
       connected: true,
     });
 
-    const newUser = await setupTestAccount({
-      connected: true,
-    });
-
     const group = admin.node.createGroup();
+
     const readerOnAdminNode = await loadCoValueOrFail(
       admin.node,
       reader.accountID,
     );
     group.addMember(readerOnAdminNode, "reader");
+    group.addMember(readerOnAdminNode, "writeOnly");
 
-    const newUserOnReaderNode = await loadCoValueOrFail(
-      reader.node,
-      newUser.accountID,
-    );
-
-    const groupOnReaderNode = await loadCoValueOrFail(reader.node, group.id);
-
-    // Try to add member as reader
-    try {
-      groupOnReaderNode.addMember(newUserOnReaderNode, "reader");
-      throw new Error("Should not be able to add member as reader");
-    } catch (e) {
-      expect(e).toBeDefined();
-    }
-
-    expect(groupOnReaderNode.roleOf(newUser.accountID)).toBeUndefined();
-  });
-
-  test("a writer should not be able to add a member", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
-
-    const writer = await setupTestAccount({
-      connected: true,
-    });
-
-    const newUser = await setupTestAccount({
-      connected: true,
-    });
-
-    const group = admin.node.createGroup();
-    const writerOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      writer.accountID,
-    );
-    group.addMember(writerOnAdminNode, "writer");
-
-    const newUserOnWriterNode = await loadCoValueOrFail(
-      writer.node,
-      newUser.accountID,
-    );
-
-    const groupOnWriterNode = await loadCoValueOrFail(writer.node, group.id);
-
-    // Try to add member as writer
-    try {
-      groupOnWriterNode.addMember(newUserOnWriterNode, "reader");
-      throw new Error("Should not be able to add member as writer");
-    } catch (e) {
-      expect(e).toBeDefined();
-    }
-
-    expect(groupOnWriterNode.roleOf(newUser.accountID)).toBeUndefined();
-  });
-
-  test("a writeOnly should not be able to add a member", async () => {
-    const admin = await setupTestAccount({
-      connected: true,
-    });
-
-    const writeOnlyUser = await setupTestAccount({
-      connected: true,
-    });
+    expect(group.roleOf(reader.accountID)).toEqual("writeOnly");
 
-    const newUser = await setupTestAccount({
-      connected: true,
+    const person = group.createMap({
+      name: "John Doe",
     });
 
-    const group = admin.node.createGroup();
-    const writeOnlyUserOnAdminNode = await loadCoValueOrFail(
-      admin.node,
-      writeOnlyUser.accountID,
-    );
-    group.addMember(writeOnlyUserOnAdminNode, "writeOnly");
-
-    const newUserOnWriteOnlyNode = await loadCoValueOrFail(
-      writeOnlyUser.node,
-      newUser.accountID,
-    );
-
-    const groupOnWriteOnlyNode = await loadCoValueOrFail(
-      writeOnlyUser.node,
-      group.id,
-    );
-
-    // Try to add member as writeOnly user
-    try {
-      groupOnWriteOnlyNode.addMember(newUserOnWriteOnlyNode, "reader");
-      throw new Error("Should not be able to add member as writeOnly user");
-    } catch (e) {
-      expect(e).toBeDefined();
-    }
+    // Verify reader can read
+    const personOnReaderNode = await loadCoValueOrFail(reader.node, person.id);
 
-    expect(groupOnWriteOnlyNode.roleOf(newUser.accountID)).toBeUndefined();
+    expect(personOnReaderNode.get("name")).toEqual(undefined);
   });
 });