From e52cf4b4ae8b74efe8fe638955a96a2372b0830e Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 26 Jun 2022 21:22:19 +0200
Subject: [PATCH] test(e2e/private/media): check upload can't be deleted by wrong user
Signed-off-by: David Mehren
---
 backend/test/private-api/media.e2e-spec.ts | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/backend/test/private-api/media.e2e-spec.ts b/backend/test/private-api/media.e2e-spec.ts
index 44e00099f..bf56798e2 100644
--- a/backend/test/private-api/media.e2e-spec.ts
+++ b/backend/test/private-api/media.e2e-spec.ts
@@ -20,9 +20,7 @@ describe('Media', () => {
 let user: User;
 beforeAll(async () => {
- const username = 'hardcoded';
- const password = 'AHardcodedStrongP@ssword123';
- testSetup = await TestSetupBuilder.create().build();
+ testSetup = await TestSetupBuilder.create().withUsers().build();
 uploadPath = testSetup.configService.get('mediaConfig').backend.filesystem.uploadPath;
@@ -41,13 +39,12 @@ describe('Media', () => {
 null,
 'test_upload_media',
 );
- user = await testSetup.userService.createUser(username, 'Testy');
- await testSetup.identityService.createLocalIdentity(user, password);
+ user = testSetup.users[0];
 agent = request.agent(testSetup.app.getHttpServer());
 await agent
 .post('/api/private/auth/local/login')
- .send({ username: username, password: password })
+ .send({ username: 'testuser1', password: 'testuser1' })
 .expect(201);
 });
@@ -120,6 +117,7 @@ describe('Media', () => {
 });
 it('DELETE /media/{filename}', async () => {
+ // upload a file with the default test user
 const testNote = await testSetup.notesService.createNote(
 'test content',
 null,
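Review bot: In the `@@ -41,13 +39,12 @@` hunk the login sends the literals `'testuser1'`/`'testuser1'`, while `user = testSetup.users[0]` is assumed to be that same account; nothing visible here ties the two together. The test therefore depends on `TestSetupBuilder.withUsers()` creating `testuser1` first and, presumably, using the username as its password, and a change there would surface only as a failed `.expect(201)`. A comment above the login such as `// testuser1 is users[0] from withUsers(); its password equals its username` would make the coupling explicit, and the same applies to the `testuser2` login added to the DELETE test. `beforeAll` opens in the previous hunk.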
@@ -132,6 +130,18 @@ describe('Media', () => {
 testNote,
 );
 const filename = upload.fileUrl.split('/').pop() || '';
+
+ // login with a different user;
+ const agent2 = request.agent(testSetup.app.getHttpServer());
+ await agent2
+ .post('/api/private/auth/local/login')
+ .send({ username: 'testuser2', password: 'testuser2' })
+ .expect(201);
+
+ // try to delete upload with second user
+ await agent2.delete('/api/private/media/' + filename).expect(401);
+
+ // delete upload for real
+ await agent.delete('/api/private/media/' + filename).expect(204);
 });
 });
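Review bot: The rejected delete is asserted by status code only, and the comment `// delete upload for real` hides that the owner's final `.expect(204)` is the only evidence the upload survived the second user's request; I would reword it to `// owner can still delete it, so the rejected request left the upload in place`. The expected `401` comes from a session that logged in successfully, where 403 is the conventional answer for an authenticated caller without permission. If 401 is the API's deliberate behaviour, a short comment next to `.expect(401)` would keep a later reader from changing it. The comment `// login with a different user;` carries a stray semicolon. The `it` block opens in the previous hunk.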