mirror of
https://github.com/ToolJet/ToolJet
synced 2026-05-16 21:48:37 +00:00
26c9cc655c
* eslint-setup: rules for frontend and server * setup pre-commit:hook * frontend:eslint fixes * frontend eslint errors and warning fixed * eslint:fix for ./server * fix server/test: expectatin string lint/error * pre-commit:updated * removed unwanted install cmd from docker file * recommended settings and extension for vscode * husky prepare script added * updated extension recommendations * added prettier as recommended extension * added pre-commit to package.json * remove .prettierrc file * resolve changes * resolve changes
382 lines
13 KiB
TypeScript
382 lines
13 KiB
TypeScript
import * as request from 'supertest';
|
|
import { INestApplication } from '@nestjs/common';
|
|
import {
|
|
authHeaderForUser,
|
|
clearDB,
|
|
createApplication,
|
|
createUser,
|
|
createNestAppInstance,
|
|
createDataQuery,
|
|
createDataSource,
|
|
} from '../test.helper';
|
|
|
|
describe('data queries controller', () => {
|
|
let app: INestApplication;
|
|
|
|
beforeEach(async () => {
|
|
await clearDB();
|
|
});
|
|
|
|
beforeAll(async () => {
|
|
app = await createNestAppInstance();
|
|
});
|
|
|
|
it('should be able to update queries of an app only if admin/developer of same organization', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const developerUserData = await createUser(app, {
|
|
email: 'developer@tooljet.io',
|
|
role: 'developer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const viewerUserData = await createUser(app, {
|
|
email: 'viewer@tooljet.io',
|
|
role: 'viewer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const anotherOrgAdminUserData = await createUser(app, { email: 'another@tooljet.io', role: 'admin' });
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
|
|
for (const userData of [adminUserData, developerUserData]) {
|
|
const newOptions = { method: userData.user.email };
|
|
const response = await request(app.getHttpServer())
|
|
.patch(`/data_queries/${dataQuery.id}`)
|
|
.set('Authorization', authHeaderForUser(userData.user))
|
|
.send({
|
|
options: newOptions,
|
|
});
|
|
|
|
expect(response.statusCode).toBe(200);
|
|
await dataQuery.reload();
|
|
expect(dataQuery.options.method).toBe(newOptions.method);
|
|
}
|
|
|
|
// Should not update if viewer or if user of another org
|
|
for (const userData of [anotherOrgAdminUserData, viewerUserData]) {
|
|
const oldOptions = dataQuery.options;
|
|
const response = await request(app.getHttpServer())
|
|
.patch(`/data_queries/${dataQuery.id}`)
|
|
.set('Authorization', authHeaderForUser(userData.user))
|
|
.send({
|
|
options: { method: '' },
|
|
});
|
|
|
|
expect(response.statusCode).toBe(403);
|
|
await dataQuery.reload();
|
|
expect(dataQuery.options.method).toBe(oldOptions.method);
|
|
}
|
|
});
|
|
|
|
it('should be able to delete queries of an app only if admin/developer of same organization', async () => {
|
|
const adminUserData = await createUser(app, {
|
|
email: 'admin@tooljet.io',
|
|
role: 'admin',
|
|
});
|
|
const developerUserData = await createUser(app, {
|
|
email: 'developer@tooljet.io',
|
|
role: 'developer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const viewerUserData = await createUser(app, {
|
|
email: 'viewer@tooljet.io',
|
|
role: 'viewer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const anotherOrgAdminUserData = await createUser(app, {
|
|
email: 'another@tooljet.io',
|
|
role: 'admin',
|
|
});
|
|
const application = await createApplication(app, {
|
|
name: 'name',
|
|
user: adminUserData.user,
|
|
});
|
|
|
|
for (const userData of [adminUserData, developerUserData]) {
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
const newOptions = { method: userData.user.email };
|
|
|
|
const response = await request(app.getHttpServer())
|
|
.delete(`/data_queries/${dataQuery.id}`)
|
|
.set('Authorization', authHeaderForUser(userData.user))
|
|
.send({
|
|
options: newOptions,
|
|
});
|
|
|
|
expect(response.statusCode).toBe(200);
|
|
}
|
|
|
|
// Should not update if viewer or if user of another org
|
|
for (const userData of [anotherOrgAdminUserData, viewerUserData]) {
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
const oldOptions = dataQuery.options;
|
|
|
|
const response = await request(app.getHttpServer())
|
|
.delete(`/data_queries/${dataQuery.id}`)
|
|
.set('Authorization', authHeaderForUser(userData.user))
|
|
.send({
|
|
options: { method: '' },
|
|
});
|
|
|
|
expect(response.statusCode).toBe(403);
|
|
await dataQuery.reload();
|
|
expect(dataQuery.options.method).toBe(oldOptions.method);
|
|
}
|
|
});
|
|
|
|
it('should be able to get queries of an app only if the user belongs to the same organization', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const developerUserData = await createUser(app, {
|
|
email: 'developer@tooljet.io',
|
|
role: 'developer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const viewerUserData = await createUser(app, {
|
|
email: 'viewer@tooljet.io',
|
|
role: 'viewer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
const anotherOrgAdminUserData = await createUser(app, { email: 'another@tooljet.io', role: 'admin' });
|
|
|
|
await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: { method: 'get' },
|
|
});
|
|
|
|
for (const userData of [adminUserData, developerUserData, viewerUserData]) {
|
|
const response = await request(app.getHttpServer())
|
|
.get(`/data_queries?app_id=${application.id}`)
|
|
.set('Authorization', authHeaderForUser(userData.user));
|
|
|
|
expect(response.statusCode).toBe(200);
|
|
expect(response.body.data_queries.length).toBe(1);
|
|
}
|
|
|
|
// Forbidden if user of another organization
|
|
const response = await request(app.getHttpServer())
|
|
.get(`/data_queries?app_id=${application.id}`)
|
|
.set('Authorization', authHeaderForUser(anotherOrgAdminUserData.user));
|
|
|
|
expect(response.statusCode).toBe(403);
|
|
});
|
|
|
|
it('should be able to create queries for an app only if the user is admin/developer and belongs to the same organization', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const developerUserData = await createUser(app, {
|
|
email: 'developer@tooljet.io',
|
|
role: 'developer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const viewerUserData = await createUser(app, {
|
|
email: 'viewer@tooljet.io',
|
|
role: 'viewer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
const anotherOrgAdminUserData = await createUser(app, { email: 'another@tooljet.io', role: 'admin' });
|
|
|
|
const queryParams = {
|
|
app_id: application.id,
|
|
kind: 'restapi',
|
|
options: { method: 'get' },
|
|
};
|
|
|
|
for (const userData of [adminUserData, developerUserData]) {
|
|
const response = await request(app.getHttpServer())
|
|
.post(`/data_queries`)
|
|
.set('Authorization', authHeaderForUser(userData.user))
|
|
.send(queryParams);
|
|
|
|
expect(response.statusCode).toBe(201);
|
|
}
|
|
|
|
// Forbidden if a viewer or a user of another organization
|
|
for (const userData of [anotherOrgAdminUserData, viewerUserData]) {
|
|
const response = await request(app.getHttpServer())
|
|
.post(`/data_queries`)
|
|
.set('Authorization', authHeaderForUser(userData.user))
|
|
.send(queryParams);
|
|
|
|
expect(response.statusCode).toBe(403);
|
|
}
|
|
});
|
|
|
|
it('should not be able to create queries if datasource belongs to another app', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
const anotherApplication = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
const dataSource = await createDataSource(app, {
|
|
name: 'name',
|
|
kind: 'postgres',
|
|
application: application,
|
|
user: adminUserData.user,
|
|
});
|
|
|
|
let queryParams = {
|
|
app_id: application.id,
|
|
data_source_id: dataSource.id,
|
|
kind: 'restapi',
|
|
options: { method: 'get' },
|
|
};
|
|
|
|
// Create query if data source belongs to same app
|
|
let response = await request(app.getHttpServer())
|
|
.post(`/data_queries`)
|
|
.set('Authorization', authHeaderForUser(adminUserData.user))
|
|
.send(queryParams);
|
|
|
|
expect(response.statusCode).toBe(201);
|
|
|
|
queryParams = {
|
|
app_id: anotherApplication.id,
|
|
data_source_id: dataSource.id,
|
|
kind: 'restapi',
|
|
options: { method: 'get' },
|
|
};
|
|
|
|
// Fordbidden if data source belongs to another app
|
|
response = await request(app.getHttpServer())
|
|
.post(`/data_queries`)
|
|
.set('Authorization', authHeaderForUser(adminUserData.user))
|
|
.send(queryParams);
|
|
|
|
expect(response.statusCode).toBe(403);
|
|
});
|
|
|
|
it('should be able to run queries of an app if the user belongs to the same organization', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const developerUserData = await createUser(app, {
|
|
email: 'developer@tooljet.io',
|
|
role: 'developer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const viewerUserData = await createUser(app, {
|
|
email: 'viewer@tooljet.io',
|
|
role: 'viewer',
|
|
organization: adminUserData.organization,
|
|
});
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
|
|
for (const userData of [adminUserData, developerUserData, viewerUserData]) {
|
|
const response = await request(app.getHttpServer())
|
|
.post(`/data_queries/${dataQuery.id}/run`)
|
|
.set('Authorization', authHeaderForUser(userData.user));
|
|
|
|
expect(response.statusCode).toBe(201);
|
|
expect(response.body.data.length).toBe(30);
|
|
}
|
|
});
|
|
|
|
it('should not be able to run queries of an app if the user belongs to another organization', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const anotherOrgAdminUserData = await createUser(app, { email: 'another@tooljet.io', role: 'admin' });
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user });
|
|
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
|
|
const response = await request(app.getHttpServer())
|
|
.post(`/data_queries/${dataQuery.id}/run`)
|
|
.set('Authorization', authHeaderForUser(anotherOrgAdminUserData.user));
|
|
|
|
expect(response.statusCode).toBe(403);
|
|
});
|
|
|
|
it('should be able to run queries of an app if a public app ( even if an unauthenticated user )', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user, isPublic: true });
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
|
|
const response = await request(app.getHttpServer()).post(`/data_queries/${dataQuery.id}/run`);
|
|
|
|
expect(response.statusCode).toBe(201);
|
|
expect(response.body.data.length).toBe(30);
|
|
});
|
|
|
|
it('should not be able to run queries if app not not public and user is not authenticated', async () => {
|
|
const adminUserData = await createUser(app, { email: 'admin@tooljet.io', role: 'admin' });
|
|
const application = await createApplication(app, { name: 'name', user: adminUserData.user, isPublic: false });
|
|
const dataQuery = await createDataQuery(app, {
|
|
application,
|
|
kind: 'restapi',
|
|
options: {
|
|
method: 'get',
|
|
url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
|
|
url_params: [],
|
|
headers: [],
|
|
body: [],
|
|
},
|
|
});
|
|
|
|
const response = await request(app.getHttpServer()).post(`/data_queries/${dataQuery.id}/run`);
|
|
|
|
expect(response.statusCode).toBe(401);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await app.close();
|
|
});
|
|
});
|