overleaf/services/web/test/acceptance/src/UserMembershipAuthorizationTests.js

const { expect } = require('chai')
const async = require('async')
const { ObjectId } = require('../../../app/src/infrastructure/mongojs')
const User = require('./helpers/User')
const Institution = require('./helpers/Institution')
const Subscription = require('./helpers/Subscription')
const Publisher = require('./helpers/Publisher')
const MockV1Api = require('./helpers/MockV1Api')

describe('UserMembershipAuthorization', function() {
  beforeEach(function(done) {
    this.user = new User()
    async.series([this.user.ensureUserExists.bind(this.user)], done)
  })

  describe('team', function() {
    beforeEach(function(done) {
      this.subscription = new Subscription({
        groupPlan: true,
        overleaf: { id: 123 }
      })
      async.series(
        [
          this.subscription.ensureExists.bind(this.subscription),
          cb => this.user.login(cb)
        ],
        done
      )
    })

    describe('metrics', function() {
      it('should allow managers only', function(done) {
        const url = `/metrics/teams/123`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.subscription.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })
  })

  describe('group', function() {
    beforeEach(function(done) {
      this.subscription = new Subscription({
        groupPlan: true
      })
      async.series(
        [
          this.subscription.ensureExists.bind(this.subscription),
          cb => this.user.login(cb)
        ],
        done
      )
    })

    describe('users management', function() {
      it('should allow managers only', function(done) {
        const url = `/manage/groups/${this.subscription._id}/members`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.subscription.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })

    describe('metrics', function() {
      it('should allow managers only', function(done) {
        const url = `/metrics/groups/${this.subscription._id}`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.subscription.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })

      it('should handle groups not found', function(done) {
        const url = `/metrics/groups/${ObjectId()}`
        async.series([expectAccess(this.user, url, 404)], done)
      })
    })

    describe('managers management', function() {
      it('should allow managers only', function(done) {
        const url = `/manage/groups/${this.subscription._id}/managers`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.subscription.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })
  })

  describe('institution', function() {
    beforeEach(function(done) {
      this.institution = new Institution()
      async.series([this.institution.ensureExists.bind(this.institution)], done)
    })

    describe('metrics', function() {
      it('should allow users with staff access', function(done) {
        const url = `/metrics/institutions/${this.institution.v1Id}`
        async.series(
          [
            cb => this.user.ensureStaffAccess('institutionMetrics', cb),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })

      it('should allow admins', function(done) {
        const url = `/metrics/institutions/${this.institution.v1Id}`
        async.series(
          [
            this.user.ensureAdmin.bind(this.user),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })

      it('should allow managers', function(done) {
        const url = `/metrics/institutions/${this.institution.v1Id}`
        async.series(
          [
            this.user.login.bind(this.user),
            cb => this.institution.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })

      it('should not allow users without access', function(done) {
        const url = `/metrics/institutions/${this.institution.v1Id}`
        async.series(
          [this.user.login.bind(this.user), expectAccess(this.user, url, 403)],
          done
        )
      })
    })

    describe('users management', function() {
      it('should allow managers only', function(done) {
        const url = `/manage/institutions/${this.institution.v1Id}/managers`
        async.series(
          [
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 403),
            cb => this.institution.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })

    describe('hub', function() {
      it('should allow managers only', function(done) {
        const url = `/institutions/${this.institution.v1Id}/hub`
        async.series(
          [
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 403),
            cb => this.institution.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })

    describe('creation', function() {
      it('should allow staff only', function(done) {
        const url = `/entities/institution/create/foo`
        async.series(
          [
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 403),
            cb => this.user.ensureStaffAccess('institutionManagement', cb),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })
  })

  describe('publisher', function() {
    beforeEach(function(done) {
      this.publisher = new Publisher({})
      async.series(
        [
          this.publisher.ensureExists.bind(this.publisher),
          cb => this.user.login(cb)
        ],
        done
      )
    })

    describe('conversion metrics', function() {
      it('should allow managers only', function(done) {
        const url = `/metrics/conversions/${this.publisher.slug}`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.publisher.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })

    describe('managers management', function() {
      it('should allow managers only', function(done) {
        const url = `/manage/publishers/${this.publisher.slug}/managers`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.publisher.setManagerIds([this.user._id], cb),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })

    describe('creation', function() {
      it('should redirect staff only', function(done) {
        const url = `/publishers/foo/hub`
        async.series(
          [
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 404),
            cb => this.user.ensureStaffAccess('publisherManagement', cb),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 302, /\/create/)
          ],
          done
        )
      })

      it('should allow staff only', function(done) {
        const url = `/entities/publisher/create/foo`
        async.series(
          [
            expectAccess(this.user, url, 403),
            cb => this.user.ensureStaffAccess('publisherManagement', cb),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })
  })

  describe('template', function() {
    beforeEach(function(done) {
      this.publisher = new Publisher({})
      async.series(
        [
          this.publisher.ensureExists.bind(this.publisher),
          cb => this.user.login(cb)
        ],
        done
      )
    })

    it('allow publisher managers only', function(done) {
      MockV1Api.setTemplates({
        123: {
          id: 123,
          title: '123 title',
          brand: { slug: this.publisher.slug }
        }
      })
      const url = '/metrics/templates/123'
      async.series(
        [
          expectAccess(this.user, url, 403),
          cb => this.publisher.setManagerIds([this.user._id], cb),
          expectAccess(this.user, url, 200)
        ],
        done
      )
    })

    it('handle templates without publisher', function(done) {
      MockV1Api.setTemplates({
        456: {
          id: 456,
          title: '456 title',
          brand: { slug: null }
        }
      })
      const url = '/metrics/templates/456'
      async.series(
        [
          expectAccess(this.user, url, 403),
          this.user.ensureAdmin.bind(this.user),
          this.user.login.bind(this.user),
          expectAccess(this.user, url, 200)
        ],
        done
      )
    })

    it('handle templates not found', function(done) {
      const url = '/metrics/templates/789'
      async.series(
        [
          this.user.ensureAdmin.bind(this.user),
          this.user.login.bind(this.user),
          expectAccess(this.user, url, 404)
        ],
        done
      )
    })
  })

  describe('graph', function() {
    describe('admin', function() {
      it('allow admins only', function(done) {
        const url = '/graphs/foo?resource_type=admin'
        async.series(
          [
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 403),
            this.user.ensureAdmin.bind(this.user),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })

      it('handle missing resource type', function(done) {
        const url = '/graphs/foo'
        expectAccess(this.user, url, 404)(done)
      })

      it('handle incorrect resource type', function(done) {
        const url = '/graphs/foo?resource_type=evil'
        expectAccess(this.user, url, 404)(done)
      })
    })

    describe('template', function() {
      beforeEach(function(done) {
        this.publisher = new Publisher({})
        async.series(
          [
            this.publisher.ensureExists.bind(this.publisher),
            cb => this.user.login(cb)
          ],
          done
        )
      })

      it('get template graphs', function(done) {
        MockV1Api.setTemplates({
          123: {
            id: 123,
            title: '123 title',
            brand: { slug: this.publisher.slug }
          }
        })
        const url = '/graphs/foo?resource_type=template&resource_id=123'
        async.series(
          [
            this.user.ensureAdmin.bind(this.user),
            this.user.login.bind(this.user),
            expectAccess(this.user, url, 200)
          ],
          done
        )
      })
    })
  })

  describe('admin metrics', function() {
    it('should not allow anonymous users', function(done) {
      expectAccess(this.user, '/metrics/admin', 302, /\/login/)(done)
    })

    it('should not allow all users', function(done) {
      async.series(
        [
          this.user.login.bind(this.user),
          expectAccess(this.user, '/metrics/admin', 403)
        ],
        done
      )
    })

    it('should allow admin users', function(done) {
      async.series(
        [
          this.user.ensureAdmin.bind(this.user),
          this.user.login.bind(this.user),
          expectAccess(this.user, '/metrics/admin', 200)
        ],
        done
      )
    })

    it('should allow users with staff access', function(done) {
      async.series(
        [
          cb => this.user.ensureStaffAccess('adminMetrics', cb),
          this.user.login.bind(this.user),
          expectAccess(this.user, '/metrics/admin', 200)
        ],
        done
      )
    })
  })
})

function expectAccess(user, url, status, pattern) {
  return callback => {
    user.request.get({ url }, (error, response, body) => {
      if (error) {
        return callback(error)
      }
      expect(response.statusCode).to.equal(status)
      if (pattern) {
        expect(body).to.match(pattern)
      }
      callback()
    })
  }
}
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`const { expect } = require('chai')`
			`const async = require('async')`
Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`const { ObjectId } = require('../../../app/src/infrastructure/mongojs')`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`const User = require('./helpers/User')`
			`const Institution = require('./helpers/Institution')`
			`const Subscription = require('./helpers/Subscription')`
			`const Publisher = require('./helpers/Publisher')`
Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`const MockV1Api = require('./helpers/MockV1Api')`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00
			`describe('UserMembershipAuthorization', function() {`
			`beforeEach(function(done) {`
			`this.user = new User()`
			`async.series([this.user.ensureUserExists.bind(this.user)], done)`
			`})`

Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`describe('team', function() {`
			`beforeEach(function(done) {`
			`this.subscription = new Subscription({`
			`groupPlan: true,`
			`overleaf: { id: 123 }`
			`})`
			`async.series(`
			`[`
			`this.subscription.ensureExists.bind(this.subscription),`
			`cb => this.user.login(cb)`
			`],`
			`done`
			`)`
			`})`

			`describe('metrics', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/metrics/teams/123`
			`async.series(`
			`[`
			`expectAccess(this.user, url, 403),`
			`cb => this.subscription.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`
			`})`

Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`describe('group', function() {`
			`beforeEach(function(done) {`
			`this.subscription = new Subscription({`
			`groupPlan: true`
			`})`
			`async.series(`
			`[`
			`this.subscription.ensureExists.bind(this.subscription),`
			`cb => this.user.login(cb)`
			`],`
			`done`
			`)`
			`})`

			`describe('users management', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/manage/groups/${this.subscription._id}/members`
			`async.series(`
			`[`
Merge pull request #2105 from overleaf/ta-user-membership-refactor UserMembershipAuthorization Refactor GitOrigin-RevId: 7711cda4a134823cbacee42731319fbb8aa648d0 2019-09-24 04:44:13 -04:00			`expectAccess(this.user, url, 403),`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`cb => this.subscription.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`

Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`describe('metrics', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/metrics/groups/${this.subscription._id}`
			`async.series(`
			`[`
			`expectAccess(this.user, url, 403),`
			`cb => this.subscription.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('should handle groups not found', function(done) {`
			const url = `/metrics/groups/${ObjectId()}`
			`async.series([expectAccess(this.user, url, 404)], done)`
			`})`
			`})`

Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`describe('managers management', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/manage/groups/${this.subscription._id}/managers`
			`async.series(`
			`[`
Merge pull request #2105 from overleaf/ta-user-membership-refactor UserMembershipAuthorization Refactor GitOrigin-RevId: 7711cda4a134823cbacee42731319fbb8aa648d0 2019-09-24 04:44:13 -04:00			`expectAccess(this.user, url, 403),`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`cb => this.subscription.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`
			`})`

			`describe('institution', function() {`
			`beforeEach(function(done) {`
			`this.institution = new Institution()`
			`async.series([this.institution.ensureExists.bind(this.institution)], done)`
			`})`

Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`describe('metrics', function() {`
			`it('should allow users with staff access', function(done) {`
			const url = `/metrics/institutions/${this.institution.v1Id}`
			`async.series(`
			`[`
			`cb => this.user.ensureStaffAccess('institutionMetrics', cb),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('should allow admins', function(done) {`
			const url = `/metrics/institutions/${this.institution.v1Id}`
			`async.series(`
			`[`
			`this.user.ensureAdmin.bind(this.user),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('should allow managers', function(done) {`
			const url = `/metrics/institutions/${this.institution.v1Id}`
			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
			`cb => this.institution.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('should not allow users without access', function(done) {`
			const url = `/metrics/institutions/${this.institution.v1Id}`
			`async.series(`
			`[this.user.login.bind(this.user), expectAccess(this.user, url, 403)],`
			`done`
			`)`
			`})`
			`})`

Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`describe('users management', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/manage/institutions/${this.institution.v1Id}/managers`
			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
Merge pull request #2105 from overleaf/ta-user-membership-refactor UserMembershipAuthorization Refactor GitOrigin-RevId: 7711cda4a134823cbacee42731319fbb8aa648d0 2019-09-24 04:44:13 -04:00			`expectAccess(this.user, url, 403),`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`cb => this.institution.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`

Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`describe('hub', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/institutions/${this.institution.v1Id}/hub`
			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 403),`
			`cb => this.institution.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`

Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`describe('creation', function() {`
			`it('should allow staff only', function(done) {`
			const url = `/entities/institution/create/foo`
			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
Merge pull request #2105 from overleaf/ta-user-membership-refactor UserMembershipAuthorization Refactor GitOrigin-RevId: 7711cda4a134823cbacee42731319fbb8aa648d0 2019-09-24 04:44:13 -04:00			`expectAccess(this.user, url, 403),`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`cb => this.user.ensureStaffAccess('institutionManagement', cb),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`
			`})`

			`describe('publisher', function() {`
			`beforeEach(function(done) {`
			`this.publisher = new Publisher({})`
			`async.series(`
			`[`
			`this.publisher.ensureExists.bind(this.publisher),`
			`cb => this.user.login(cb)`
			`],`
			`done`
			`)`
			`})`

Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			`describe('conversion metrics', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/metrics/conversions/${this.publisher.slug}`
			`async.series(`
			`[`
			`expectAccess(this.user, url, 403),`
			`cb => this.publisher.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`

Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`describe('managers management', function() {`
			`it('should allow managers only', function(done) {`
			const url = `/manage/publishers/${this.publisher.slug}/managers`
			`async.series(`
			`[`
Merge pull request #2105 from overleaf/ta-user-membership-refactor UserMembershipAuthorization Refactor GitOrigin-RevId: 7711cda4a134823cbacee42731319fbb8aa648d0 2019-09-24 04:44:13 -04:00			`expectAccess(this.user, url, 403),`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`cb => this.publisher.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`

			`describe('creation', function() {`
			`it('should redirect staff only', function(done) {`
Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00			const url = `/publishers/foo/hub`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 404),`
			`cb => this.user.ensureStaffAccess('publisherManagement', cb),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 302, /\/create/)`
			`],`
			`done`
			`)`
			`})`

			`it('should allow staff only', function(done) {`
			const url = `/entities/publisher/create/foo`
			`async.series(`
			`[`
Merge pull request #2105 from overleaf/ta-user-membership-refactor UserMembershipAuthorization Refactor GitOrigin-RevId: 7711cda4a134823cbacee42731319fbb8aa648d0 2019-09-24 04:44:13 -04:00			`expectAccess(this.user, url, 403),`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`cb => this.user.ensureStaffAccess('publisherManagement', cb),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`
			`})`
Merge pull request #2393 from overleaf/em-revert-tests-move Revert "move metrics authorization tests to module" GitOrigin-RevId: 0f209d3deca731c2b1f34b4e9cabd174fa70877a 2019-11-21 09:05:29 -05:00
			`describe('template', function() {`
			`beforeEach(function(done) {`
			`this.publisher = new Publisher({})`
			`async.series(`
			`[`
			`this.publisher.ensureExists.bind(this.publisher),`
			`cb => this.user.login(cb)`
			`],`
			`done`
			`)`
			`})`

			`it('allow publisher managers only', function(done) {`
			`MockV1Api.setTemplates({`
			`123: {`
			`id: 123,`
			`title: '123 title',`
			`brand: { slug: this.publisher.slug }`
			`}`
			`})`
			`const url = '/metrics/templates/123'`
			`async.series(`
			`[`
			`expectAccess(this.user, url, 403),`
			`cb => this.publisher.setManagerIds([this.user._id], cb),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('handle templates without publisher', function(done) {`
			`MockV1Api.setTemplates({`
			`456: {`
			`id: 456,`
			`title: '456 title',`
			`brand: { slug: null }`
			`}`
			`})`
			`const url = '/metrics/templates/456'`
			`async.series(`
			`[`
			`expectAccess(this.user, url, 403),`
			`this.user.ensureAdmin.bind(this.user),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('handle templates not found', function(done) {`
			`const url = '/metrics/templates/789'`
			`async.series(`
			`[`
			`this.user.ensureAdmin.bind(this.user),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 404)`
			`],`
			`done`
			`)`
			`})`
			`})`

			`describe('graph', function() {`
			`describe('admin', function() {`
			`it('allow admins only', function(done) {`
			`const url = '/graphs/foo?resource_type=admin'`
			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 403),`
			`this.user.ensureAdmin.bind(this.user),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`

			`it('handle missing resource type', function(done) {`
			`const url = '/graphs/foo'`
			`expectAccess(this.user, url, 404)(done)`
			`})`

			`it('handle incorrect resource type', function(done) {`
			`const url = '/graphs/foo?resource_type=evil'`
			`expectAccess(this.user, url, 404)(done)`
			`})`
			`})`

			`describe('template', function() {`
			`beforeEach(function(done) {`
			`this.publisher = new Publisher({})`
			`async.series(`
			`[`
			`this.publisher.ensureExists.bind(this.publisher),`
			`cb => this.user.login(cb)`
			`],`
			`done`
			`)`
			`})`

			`it('get template graphs', function(done) {`
			`MockV1Api.setTemplates({`
			`123: {`
			`id: 123,`
			`title: '123 title',`
			`brand: { slug: this.publisher.slug }`
			`}`
			`})`
			`const url = '/graphs/foo?resource_type=template&resource_id=123'`
			`async.series(`
			`[`
			`this.user.ensureAdmin.bind(this.user),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, url, 200)`
			`],`
			`done`
			`)`
			`})`
			`})`
			`})`

			`describe('admin metrics', function() {`
			`it('should not allow anonymous users', function(done) {`
			`expectAccess(this.user, '/metrics/admin', 302, /\/login/)(done)`
			`})`

			`it('should not allow all users', function(done) {`
			`async.series(`
			`[`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, '/metrics/admin', 403)`
			`],`
			`done`
			`)`
			`})`

			`it('should allow admin users', function(done) {`
			`async.series(`
			`[`
			`this.user.ensureAdmin.bind(this.user),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, '/metrics/admin', 200)`
			`],`
			`done`
			`)`
			`})`

			`it('should allow users with staff access', function(done) {`
			`async.series(`
			`[`
			`cb => this.user.ensureStaffAccess('adminMetrics', cb),`
			`this.user.login.bind(this.user),`
			`expectAccess(this.user, '/metrics/admin', 200)`
			`],`
			`done`
			`)`
			`})`
			`})`
Merge pull request #2104 from overleaf/ta-user-membership-acceptance-tests Acceptance Tests for UserMembership Authorization GitOrigin-RevId: caad99727fd2fedc91f2b2063ed83a1e02d9ea1d 2019-08-28 08:58:54 -04:00			`})`

			`function expectAccess(user, url, status, pattern) {`
			`return callback => {`
			`user.request.get({ url }, (error, response, body) => {`
			`if (error) {`
			`return callback(error)`
			`}`
			`expect(response.statusCode).to.equal(status)`
			`if (pattern) {`
			`expect(body).to.match(pattern)`
			`}`
			`callback()`
			`})`
			`}`
			`}`