import * as request from 'supertest'; import { INestApplication } from '@nestjs/common'; import { clearDB, createUser, createNestAppInstance, createApplication, authenticateUser } from '../test.helper'; import { getManager } from 'typeorm'; import { AppGroupPermission } from 'src/entities/app_group_permission.entity'; import { UserGroupPermission } from 'src/entities/user_group_permission.entity'; import { GroupPermission } from 'src/entities/group_permission.entity'; describe('group permissions controller', () => { let nestApp: INestApplication; beforeEach(async () => { await clearDB(); }); beforeAll(async () => { nestApp = await createNestAppInstance(); }); describe('POST /group_permissions', () => { it('should not allow non admin to create group permission', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(403); }); it('should be able to create group permission for authenticated admin', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); const updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); expect(updatedGroup.group).toBe('avengers'); expect(updatedGroup.organizationId).toBe(organization.id); expect(updatedGroup.createdAt).toBeDefined(); expect(updatedGroup.updatedAt).toBeDefined(); }); it('should not allow to create system defined group names', async () => { const { organization: { adminUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const reservedGroups = ['All Users', 'Admin']; for (let i = 0; i < reservedGroups.length; i += 1) { const response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: reservedGroups[i] }); expect(response.statusCode).toBe(400); expect(response.body.message).toBe('Group name already exist'); } }); it('should validate uniqueness of group permission group name', async () => { const { organization: { adminUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(409); }); it('should allow different organization to have same group name', async () => { const { organization: { adminUser }, anotherOrganization: { anotherAdminUser }, } = await setupOrganizations(nestApp); let loggedUser = await authenticateUser(nestApp); adminUser['tokenCookie'] = loggedUser.tokenCookie; loggedUser = await authenticateUser(nestApp, anotherAdminUser.email); anotherAdminUser['tokenCookie'] = loggedUser.tokenCookie; let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', adminUser['tokenCookie']) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', anotherAdminUser.defaultOrganizationId) .set('Cookie', anotherAdminUser['tokenCookie']) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); }); }); describe('GET /group_permissions/:id', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .get('/api/group_permissions/id') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(403); }); it('should get group permission for authenticated admin within organization', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); const updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); response = await request(nestApp.getHttpServer()) .get(`/api/group_permissions/${updatedGroup.id}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(200); expect(response.body.group).toBe('avengers'); expect(response.body.organization_id).toBe(organization.id); expect(response.body.id).toBeDefined(); expect(response.body.created_at).toBeDefined(); expect(response.body.updated_at).toBeDefined(); }); it('should not get group permission for authenticated admin not within organization', async () => { const { organization: { adminUser }, anotherOrganization: { anotherAdminUser }, } = await setupOrganizations(nestApp); let loggedUser = await authenticateUser(nestApp); adminUser['tokenCookie'] = loggedUser.tokenCookie; loggedUser = await authenticateUser(nestApp, anotherAdminUser.email); anotherAdminUser['tokenCookie'] = loggedUser.tokenCookie; let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', adminUser['tokenCookie']) .send({ group: 'avengers' }); const groupPermissionId = response.body.id; response = await request(nestApp.getHttpServer()) .post(`/api/group_permissions/${groupPermissionId}`) .set('tj-workspace-id', anotherAdminUser.defaultOrganizationId) .set('Cookie', anotherAdminUser['tokenCookie']) .send({ group: 'avengers' }); expect(response.statusCode).toBe(404); }); }); describe('PUT /group_permissions/:id', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .put('/api/group_permissions/id') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(403); }); it('should allow admin to update a group name', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const createResponse = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(createResponse.statusCode).toBe(201); let updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); //update a group name const updateResponse = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${updatedGroup.id}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ name: 'titans' }); expect(updateResponse.statusCode).toBe(200); updatedGroup = await getManager().findOne(GroupPermission, updatedGroup.id); expect(updatedGroup.group).toEqual('titans'); }); it('should not be able to update a group name with existing names', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const createResponse = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(createResponse.statusCode).toBe(201); const updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); //update a group name const updateResponse = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${updatedGroup.id}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ name: 'All users' }); expect(updateResponse.statusCode).toBe(400); }); it('should not be able to update a default group name', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const adminGroup = await getManager().findOne(GroupPermission, { where: { group: 'admin', organizationId: organization.id }, }); //update a group name const updateResponse = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${adminGroup.id}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ name: 'titans' }); expect(updateResponse.statusCode).toBe(400); }); it('should allow admin to add and remove apps to group permission', async () => { const { organization: { adminUser, app, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); const updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); const groupPermissionId = updatedGroup.id; response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ add_apps: [app.id] }); expect(response.statusCode).toBe(200); const manager = getManager(); let appsInGroup = await manager.find(AppGroupPermission, { where: { groupPermissionId }, }); expect(appsInGroup).toHaveLength(1); const addedApp = appsInGroup[0]; expect(addedApp.appId).toBe(app.id); expect(addedApp.read).toBe(true); expect(addedApp.update).toBe(false); expect(addedApp.delete).toBe(false); response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ remove_apps: [app.id] }); expect(response.statusCode).toBe(200); appsInGroup = await manager.find(AppGroupPermission, { where: { groupPermissionId }, }); expect(appsInGroup).toHaveLength(0); }); it('should allow admin to add and remove users to group permission', async () => { const { organization: { adminUser, defaultUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); const updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); const groupPermissionId = updatedGroup.id; response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ add_users: [defaultUser.id] }); expect(response.statusCode).toBe(200); const manager = getManager(); let usersInGroup = await manager.find(UserGroupPermission, { where: { groupPermissionId }, }); expect(usersInGroup).toHaveLength(1); const addedUser = usersInGroup[0]; expect(addedUser.userId).toBe(defaultUser.id); response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ remove_users: [defaultUser.id] }); expect(response.statusCode).toBe(200); usersInGroup = await manager.find(UserGroupPermission, { where: { groupPermissionId }, }); expect(usersInGroup).toHaveLength(0); }); it('should not allow to remove users from admin group permission without any at least one active admin', async () => { const { user, organization } = await createUser(nestApp, { email: 'admin@tooljet.io', }); const manager = getManager(); const adminGroupPermission = await manager.findOneOrFail(GroupPermission, { where: { group: 'admin', organizationId: organization.id, }, }); const loggedUser = await authenticateUser(nestApp); const response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${adminGroupPermission.id}`) .set('tj-workspace-id', user.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ remove_users: [user.id] }); expect(response.statusCode).toBe(400); expect(response.body.message).toBe('Atleast one active admin is required.'); }); it('should not allow to remove any users from all_users group permission', async () => { const { organization: { adminUser, defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); adminUser['tokenCookie'] = loggedUser.tokenCookie; const manager = getManager(); const adminGroupPermission = await manager.findOneOrFail(GroupPermission, { where: { group: 'all_users', organizationId: adminUser.organizationId, }, }); const response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${adminGroupPermission.id}/`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', adminUser['tokenCookie']) .send({ remove_users: [defaultUser.id] }); expect(response.statusCode).toBe(400); expect(response.body.message).toBe('Cannot remove user from default group.'); }); }); describe('GET /group_permissions', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .get('/api/group_permissions') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(403); }); it('should allow admin to list group permission', async () => { const { organization: { adminUser, defaultUser, app, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); // create group permission let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); const updatedGroup: GroupPermission = await getManager().findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); const groupPermissionId = updatedGroup.id; // add apps and users to group permission response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ add_apps: [app.id], add_users: [defaultUser.id] }); expect(response.statusCode).toBe(200); // list group permission response = await request(nestApp.getHttpServer()) .get('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(200); const groupPermissions = response.body.group_permissions; const groups = groupPermissions.map((gp) => gp.group); const organizationId = [...new Set(groupPermissions.map((gp) => gp.organization_id))]; expect(new Set(groups)).toEqual(new Set(['avengers', 'all_users', 'admin'])); expect(organizationId).toEqual([organization.id]); }); }); describe('GET /group_permissions/:id/apps', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .get('/api/group_permissions/id/apps') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(403); }); it('should allow admin to list apps in group permission', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const manager = getManager(); const adminGroupPermission = await manager.findOneOrFail(GroupPermission, { where: { group: 'admin', organizationId: organization.id, }, }); const response = await request(nestApp.getHttpServer()) .get(`/api/group_permissions/${adminGroupPermission.id}/apps`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(200); const apps = response.body.apps; const sampleApp = apps[0]; expect(apps).toHaveLength(1); expect(sampleApp.organization_id).toBe(organization.id); expect(sampleApp.name).toBe('sample app'); expect(sampleApp.group_permissions).toHaveLength(1); expect(sampleApp.group_permissions[0].group).toBe('admin'); expect(sampleApp.app_group_permissions).toHaveLength(1); expect(sampleApp.app_group_permissions[0].group_permission_id).toBe(sampleApp.group_permissions[0].id); expect(sampleApp.app_group_permissions[0].read).toBe(true); expect(sampleApp.app_group_permissions[0].update).toBe(true); expect(sampleApp.app_group_permissions[0].delete).toBe(true); }); }); describe('GET /group_permissions/:id/addable_apps', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .get('/api/group_permissions/id/addable_apps') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(403); }); it('should allow admin to list apps not in group permission', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); // create group permission let response = await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(201); const manager = getManager(); const groupPermission: GroupPermission = await manager.findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); const groupPermissionId = groupPermission.id; response = await request(nestApp.getHttpServer()) .get(`/api/group_permissions/${groupPermissionId}/addable_apps`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(200); const apps = response.body.apps; const sampleApp = apps[0]; expect(apps).toHaveLength(1); expect(sampleApp.organization_id).toBe(organization.id); expect(sampleApp.name).toBe('sample app'); expect(sampleApp.group_permissions).toHaveLength(2); const adminGroupPermission = sampleApp.group_permissions.find((a) => a.group == 'admin'); const adminAppGroupPermission = sampleApp.app_group_permissions.find( (a) => a.group_permission_id == adminGroupPermission.id ); expect(adminAppGroupPermission.read).toBe(true); expect(adminAppGroupPermission.update).toBe(true); expect(adminAppGroupPermission.delete).toBe(true); const userGroupPermission = sampleApp.group_permissions.find((a) => a.group == 'all_users'); const userAppGroupPermission = sampleApp.app_group_permissions.find( (a) => a.group_permission_id == userGroupPermission.id ); expect(userAppGroupPermission.read).toBe(false); expect(userAppGroupPermission.update).toBe(false); expect(userAppGroupPermission.delete).toBe(false); }); }); describe('GET /group_permissions/:id/users', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .get('/api/group_permissions/id/users') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(403); }); it('should allow admin to list users in group permission', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const manager = getManager(); const adminGroupPermission = await manager.findOneOrFail(GroupPermission, { where: { group: 'admin', organizationId: organization.id, }, }); const response = await request(nestApp.getHttpServer()) .get(`/api/group_permissions/${adminGroupPermission.id}/users`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(200); const users = response.body.users; const user = users[0]; expect(users).toHaveLength(1); expect(Object.keys(user).sort()).toEqual(['id', 'email', 'first_name', 'last_name'].sort()); expect(user.email).toBe('admin@tooljet.io'); expect(user.first_name).toBe('test'); expect(user.last_name).toBe('test'); }); }); describe('GET /group_permissions/:id/addable_users', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .get('/api/group_permissions/id/addable_users') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(403); }); it('should allow admin to list users not in group permission', async () => { const adminUser = await createUser(nestApp, { email: 'admin@tooljet.io' }); const userone = await createUser(nestApp, { email: 'userone@tooljet.io', groups: ['all_users'], organization: adminUser.organization, }); const loggedUser = await authenticateUser(nestApp); const manager = getManager(); const adminGroupPermission = await manager.findOneOrFail(GroupPermission, { where: { group: 'admin', organizationId: adminUser.organization.id, }, }); const groupPermissionId = adminGroupPermission.id; const response = await request(nestApp.getHttpServer()) .get(`/api/group_permissions/${groupPermissionId}/addable_users?input=userone@tooljet.io`) .set('tj-workspace-id', adminUser.user.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie); expect(response.statusCode).toBe(200); const users = response.body.users; const user = users[0]; expect(users).toHaveLength(1); expect(user.first_name).toBe('test'); expect(user.last_name).toBe('test'); expect(user.id).toBe(userone.user.id); expect(Object.keys(user).sort()).toEqual(['first_name', 'last_name', 'id', 'email'].sort()); }); }); describe('PUT /group_permissions/:id/app_group_permissions/:appGroupPermisionId', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, 'developer@tooljet.io'); const response = await request(nestApp.getHttpServer()) .put('/api/group_permissions/id/app_group_permissions/id') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ read: true }); expect(response.statusCode).toBe(403); }); it('should allow admin to update app group permission', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); const manager = getManager(); const groupPermission = await manager.findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'all_users', }, }); const groupPermissionId = groupPermission.id; const appGroupPermission = await manager.findOneOrFail(AppGroupPermission, { where: { groupPermissionId, }, }); const appGroupPermissionId = appGroupPermission.id; expect(appGroupPermission.read).toBe(false); expect(appGroupPermission.update).toBe(false); const response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}/app_group_permissions/${appGroupPermissionId}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ actions: { read: false, update: true } }); expect(response.statusCode).toBe(200); await appGroupPermission.reload(); expect(appGroupPermission.read).toBe(false); expect(appGroupPermission.update).toBe(true); }); it('should not allow admin to update app group permission of different organization', async () => { const { organization: { organization }, anotherOrganization: { anotherAdminUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, anotherAdminUser.email); const manager = getManager(); const groupPermission = await manager.findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'all_users', }, }); const groupPermissionId = groupPermission.id; const appGroupPermission = await manager.findOneOrFail(AppGroupPermission, { where: { groupPermissionId, }, }); const appGroupPermissionId = appGroupPermission.id; expect(appGroupPermission.read).toBe(false); expect(appGroupPermission.update).toBe(false); const response = await request(nestApp.getHttpServer()) .put(`/api/group_permissions/${groupPermissionId}/app_group_permissions/${appGroupPermissionId}`) .set('tj-workspace-id', anotherAdminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ actions: { read: false, update: true } }); expect(response.statusCode).toBe(400); }); }); describe('DELETE /group_permissions/:id', () => { it('should not allow unauthenticated admin', async () => { const { organization: { defaultUser }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp, defaultUser.email); const response = await request(nestApp.getHttpServer()) .del('/api/group_permissions/id') .set('tj-workspace-id', defaultUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ read: true }); expect(response.statusCode).toBe(403); }); it('should allow admin to delete group', async () => { const { organization: { adminUser, organization }, } = await setupOrganizations(nestApp); const loggedUser = await authenticateUser(nestApp); await request(nestApp.getHttpServer()) .post('/api/group_permissions') .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); const manager = getManager(); const groupPermission: GroupPermission = await manager.findOneOrFail(GroupPermission, { where: { organizationId: organization.id, group: 'avengers', }, }); const response = await request(nestApp.getHttpServer()) .del(`/api/group_permissions/${groupPermission.id}`) .set('tj-workspace-id', adminUser.defaultOrganizationId) .set('Cookie', loggedUser.tokenCookie) .send({ group: 'avengers' }); expect(response.statusCode).toBe(200); }); }); async function setupOrganizations(nestApp) { const adminUserData = await createUser(nestApp, { email: 'admin@tooljet.io', groups: ['all_users', 'admin'], }); const adminUser = adminUserData.user; const organization = adminUserData.organization; const defaultUserData = await createUser(nestApp, { email: 'developer@tooljet.io', groups: ['all_users'], organization, }); const defaultUser = defaultUserData.user; const app = await createApplication(nestApp, { user: adminUser, name: 'sample app', isPublic: false, }); const anotherAdminUserData = await createUser(nestApp, { email: 'another_admin@tooljet.io', groups: ['all_users', 'admin'], }); const anotherAdminUser = anotherAdminUserData.user; const anotherOrganization = anotherAdminUserData.organization; const anotherDefaultUserData = await createUser(nestApp, { email: 'another_developer@tooljet.io', groups: ['all_users'], organization: anotherOrganization, }); const anotherDefaultUser = anotherDefaultUserData.user; const anotherApp = await createApplication(nestApp, { user: anotherAdminUser, name: 'another app', isPublic: false, }); return { organization: { adminUser, defaultUser, organization, app }, anotherOrganization: { anotherAdminUser, anotherDefaultUser, anotherOrganization, anotherApp, }, }; } afterAll(async () => { await nestApp.close(); }); });