beforeEach(async () => {
await personaService.clearService();
token = await createOrgToken();
const { persona: tempPersona } = await personaService.createPersona({
organisation: testId,
name: 'Dave'
});
persona = tempPersona;
const { attribute: tempAttribute } = await personaService.overwritePersonaAttribute({
key: 'testkey',
value: 'testvalue',
organisation: testId,
personaId: persona.id
});
attribute = tempAttribute;
const { persona: persona2 } = await personaService.createPersona({
organisation: testId,
name: 'Dave 2'
});
await personaService.overwritePersonaAttribute({
key: 'testkey',
value: 'testvalue',
organisation: testId,
personaId: persona2.id
});
});
it('should reject a token without the deletion scope', async () => {
const orgToken = await createOrgToken();
await apiApp.post(`${STATEMENT_BATCH_DELETE_TERMINATE_ROOT}/${testId}`)
.set('Authorization', `Bearer ${orgToken}`)
.send({
filter: {
foo: 'bar'
}
})
.expect(403);
});
it('should return users inside org when using org token and no scopes', async () => {
const token = await createOrgToken([]);
await createUser({ _id: '561a679c0c5d017e4004714a' });
// we include the user attached to the token!
return assertNodes({ bearerToken: token }, 2).expect((res) => {
const allowedFields = keys(SELECT);
res.body.edges.forEach((edge) => {
const nodeKeys = keys(edge.node);
nodeKeys.forEach((key) => {
const includesField = includes(allowedFields, key);
assert.ok(includesField, `${key} is not in allowed keys`);
});
});
});
});
it('should return users inside org when using org token and no scopes, with limited fields', async () => {
const token = await createOrgToken([]);
await createUser({ _id: '561a679c0c5d017e4004714a' });
const fields = {
_id: 0,
email: 1,
password: 1
};
// we include the user attached to the token!
return assertNodes({ bearerToken: token, queryParams: `?project=${JSON.stringify(fields)}` }, 2).expect((res) => {
const allowedFields = keys(SELECT);
res.body.edges.forEach((edge) => {
const nodeKeys = keys(edge.node);
assert.equal(edge.node._id, undefined);
nodeKeys.forEach((key) => {
const allowedField = includes(allowedFields, key);
assert.ok(allowedField, `${key} is not in allowed keys`);
});
});
});
});
beforeEach(async () => {
await personaService.clearService();
token = await createOrgToken();
});
it('should do delete inside the org when using edit all scope', async () => {
const bearerToken = await createOrgToken([MANAGE_ALL_STORES]);
await assertAuthorised({ bearerToken });
});
it('should not do delete inside the org when using no scopes', async () => {
const bearerToken = await createOrgToken([]);
await assertUnauthorised({ bearerToken });
});
it('should not return users outside the org when using org token', async () => {
const token = await createOrgToken([ALL]);
await createUser({ _id: '561a679c0c5d017e4004714a', organisations: ['561a679c0c5d017e4004714a'] });
return assertNodes({ bearerToken: token }, 1); // we include the user attached to the token!
});
it('should allow action when SITE_ADMIN site scope is used', async () => {
const token = await createOrgToken([], [SITE_ADMIN]);
await assertAuthorised(token);
});
it('should not allow action when MANAGE_ALL_ORGANISATIONS org scope is used', async () => {
const token = await createOrgToken([MANAGE_ALL_ORGANISATIONS]);
await assertUnauthorised(token);
});
it('should allow action when ALL org scope is used', async () => {
const token = await createOrgToken([ALL]);
await assertAuthorised(token);
});
it('should not allow action when no scopes are used', async () => {
const token = await createOrgToken([]);
await assertUnauthorised(token);
});
it('should create inside the org when using edit public scope', async () => {
const bearerToken = await createOrgToken([EDIT_PUBLIC_VISUALISATIONS]);
await assertCreate({ bearerToken, expectedStatus: 201 });
});
it('should create inside the org when using no scopes', async () => {
const bearerToken = await createOrgToken([]);
await assertCreate({ bearerToken, expectedStatus: 201 });
});
before(async () => {
token = await createOrgToken();
});