overleaf/services/real-time/test/unit/coffee/AuthorizationManagerTests.js

chai = require "chai"
chai.should()
expect = chai.expect
sinon = require("sinon")
SandboxedModule = require('sandboxed-module')
path = require "path"
modulePath = '../../../app/js/AuthorizationManager'

describe 'AuthorizationManager', ->
	beforeEach ->
		@client =
			ol_context: {}

		@AuthorizationManager = SandboxedModule.require modulePath, requires: {}

	describe "assertClientCanViewProject", ->
		it "should allow the readOnly privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "readOnly"
			@AuthorizationManager.assertClientCanViewProject @client, (error) ->
				expect(error).to.be.null
				done()

		it "should allow the readAndWrite privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "readAndWrite"
			@AuthorizationManager.assertClientCanViewProject @client, (error) ->
				expect(error).to.be.null
				done()

		it "should allow the owner privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "owner"
			@AuthorizationManager.assertClientCanViewProject @client, (error) ->
				expect(error).to.be.null
				done()

		it "should return an error with any other privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "unknown"
			@AuthorizationManager.assertClientCanViewProject @client, (error) ->
				error.message.should.equal "not authorized"
				done()

	describe "assertClientCanEditProject", ->
		it "should not allow the readOnly privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "readOnly"
			@AuthorizationManager.assertClientCanEditProject @client, (error) ->
				error.message.should.equal "not authorized"
				done()

		it "should allow the readAndWrite privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "readAndWrite"
			@AuthorizationManager.assertClientCanEditProject @client, (error) ->
				expect(error).to.be.null
				done()

		it "should allow the owner privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "owner"
			@AuthorizationManager.assertClientCanEditProject @client, (error) ->
				expect(error).to.be.null
				done()

		it "should return an error with any other privilegeLevel", (done) ->
			@client.ol_context.privilege_level = "unknown"
			@AuthorizationManager.assertClientCanEditProject @client, (error) ->
				error.message.should.equal "not authorized"
				done()

	# check doc access for project

	describe "assertClientCanViewProjectAndDoc", ->
		beforeEach () ->
			@doc_id = "12345"
			@callback = sinon.stub()
			@client.ol_context = {}

		describe "when not authorised at the project level", ->
			beforeEach () ->
				@client.ol_context.privilege_level = "unknown"

			it "should not allow access", () ->
				@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->
					err.message.should.equal "not authorized"

			describe "even when authorised at the doc level", ->
				beforeEach (done) ->
					@AuthorizationManager.addAccessToDoc @client, @doc_id, done

				it "should not allow access", () ->
					@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->
						err.message.should.equal "not authorized"

		describe "when authorised at the project level", ->
			beforeEach () ->
				@client.ol_context.privilege_level = "readOnly"

			describe "and not authorised at the document level", ->
				it "should not allow access", () ->
					@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->
						err.message.should.equal "not authorized"

			describe "and authorised at the document level", ->
				beforeEach (done) ->
					@AuthorizationManager.addAccessToDoc @client, @doc_id, done

				it "should allow access", () ->
					@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, @callback
					@callback
						.calledWith(null)
						.should.equal true

			describe "when document authorisation is added and then removed", ->
				beforeEach (done) ->
					@AuthorizationManager.addAccessToDoc @client, @doc_id, () =>
						@AuthorizationManager.removeAccessToDoc @client, @doc_id, done

				it "should deny access", () ->
					@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->
						err.message.should.equal "not authorized"

	describe "assertClientCanEditProjectAndDoc", ->
		beforeEach () ->
			@doc_id = "12345"
			@callback = sinon.stub()
			@client.ol_context = {}

		describe "when not authorised at the project level", ->
			beforeEach () ->
				@client.ol_context.privilege_level = "readOnly"

			it "should not allow access", () ->
				@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->
					err.message.should.equal "not authorized"

			describe "even when authorised at the doc level", ->
				beforeEach (done) ->
					@AuthorizationManager.addAccessToDoc @client, @doc_id, done

				it "should not allow access", () ->
					@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->
						err.message.should.equal "not authorized"

		describe "when authorised at the project level", ->
			beforeEach () ->
				@client.ol_context.privilege_level = "readAndWrite"

			describe "and not authorised at the document level", ->
				it "should not allow access", () ->
					@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->
						err.message.should.equal "not authorized"

			describe "and authorised at the document level", ->
				beforeEach (done) ->
					@AuthorizationManager.addAccessToDoc @client, @doc_id, done

				it "should allow access", () ->
					@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, @callback
					@callback
						.calledWith(null)
						.should.equal true

			describe "when document authorisation is added and then removed", ->
				beforeEach (done) ->
					@AuthorizationManager.addAccessToDoc @client, @doc_id, () =>
						@AuthorizationManager.removeAccessToDoc @client, @doc_id, done

				it "should deny access", () ->
					@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->
						err.message.should.equal "not authorized"
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`chai = require "chai"`
			`chai.should()`
			`expect = chai.expect`
			`sinon = require("sinon")`
			`SandboxedModule = require('sandboxed-module')`
			`path = require "path"`
			`modulePath = '../../../app/js/AuthorizationManager'`

			`describe 'AuthorizationManager', ->`
			`beforeEach ->`
			`@client =`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`ol_context: {}`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`@AuthorizationManager = SandboxedModule.require modulePath, requires: {}`

			`describe "assertClientCanViewProject", ->`
			`it "should allow the readOnly privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readOnly"`
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`@AuthorizationManager.assertClientCanViewProject @client, (error) ->`
			`expect(error).to.be.null`
			`done()`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`it "should allow the readAndWrite privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readAndWrite"`
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`@AuthorizationManager.assertClientCanViewProject @client, (error) ->`
			`expect(error).to.be.null`
			`done()`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`it "should allow the owner privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "owner"`
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`@AuthorizationManager.assertClientCanViewProject @client, (error) ->`
			`expect(error).to.be.null`
			`done()`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`it "should return an error with any other privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "unknown"`
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`@AuthorizationManager.assertClientCanViewProject @client, (error) ->`
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`error.message.should.equal "not authorized"`
			`done()`

			`describe "assertClientCanEditProject", ->`
			`it "should not allow the readOnly privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readOnly"`
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`@AuthorizationManager.assertClientCanEditProject @client, (error) ->`
			`error.message.should.equal "not authorized"`
			`done()`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`it "should allow the readAndWrite privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readAndWrite"`
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`@AuthorizationManager.assertClientCanEditProject @client, (error) ->`
			`expect(error).to.be.null`
			`done()`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`it "should allow the owner privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "owner"`
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`@AuthorizationManager.assertClientCanEditProject @client, (error) ->`
			`expect(error).to.be.null`
			`done()`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`it "should return an error with any other privilegeLevel", (done) ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "unknown"`
Add appltOtUpdate end point (sans acceptance tests for now) 2014-11-13 12:07:05 -05:00			`@AuthorizationManager.assertClientCanEditProject @client, (error) ->`
Create joinDoc socket.io end point 2014-11-12 10:54:55 -05:00			`error.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00			`done()`

			`# check doc access for project`

			`describe "assertClientCanViewProjectAndDoc", ->`
			`beforeEach () ->`
			`@doc_id = "12345"`
			`@callback = sinon.stub()`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context = {}`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "when not authorised at the project level", ->`
			`beforeEach () ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "unknown"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`it "should not allow access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "even when authorised at the doc level", ->`
			`beforeEach (done) ->`
			`@AuthorizationManager.addAccessToDoc @client, @doc_id, done`

			`it "should not allow access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "when authorised at the project level", ->`
			`beforeEach () ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readOnly"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "and not authorised at the document level", ->`
			`it "should not allow access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "and authorised at the document level", ->`
			`beforeEach (done) ->`
			`@AuthorizationManager.addAccessToDoc @client, @doc_id, done`

			`it "should allow access", () ->`
			`@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, @callback`
			`@callback`
			`.calledWith(null)`
			`.should.equal true`

			`describe "when document authorisation is added and then removed", ->`
			`beforeEach (done) ->`
			`@AuthorizationManager.addAccessToDoc @client, @doc_id, () =>`
			`@AuthorizationManager.removeAccessToDoc @client, @doc_id, done`

			`it "should deny access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanViewProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "assertClientCanEditProjectAndDoc", ->`
			`beforeEach () ->`
			`@doc_id = "12345"`
			`@callback = sinon.stub()`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context = {}`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "when not authorised at the project level", ->`
			`beforeEach () ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readOnly"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`it "should not allow access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "even when authorised at the doc level", ->`
			`beforeEach (done) ->`
			`@AuthorizationManager.addAccessToDoc @client, @doc_id, done`

			`it "should not allow access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "when authorised at the project level", ->`
			`beforeEach () ->`
[misc] synchronous client store using an Object at .ol_context 2020-02-24 08:32:20 -05:00			`@client.ol_context.privilege_level = "readAndWrite"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "and not authorised at the document level", ->`
			`it "should not allow access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`
track permissions when clients join and leave docs 2016-09-02 11:35:00 -04:00
			`describe "and authorised at the document level", ->`
			`beforeEach (done) ->`
			`@AuthorizationManager.addAccessToDoc @client, @doc_id, done`

			`it "should allow access", () ->`
			`@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, @callback`
			`@callback`
			`.calledWith(null)`
			`.should.equal true`

			`describe "when document authorisation is added and then removed", ->`
			`beforeEach (done) ->`
			`@AuthorizationManager.addAccessToDoc @client, @doc_id, () =>`
			`@AuthorizationManager.removeAccessToDoc @client, @doc_id, done`

			`it "should deny access", () ->`
[misc] test/unit: fix typos and assertion of error messages Sinon does not check the contents of the passed error when checked via sinon.stub().calledWith. ``` callback = sinon.stub() callback(new Error("some message")) .calledWith(new Error("completely different message")) === true ``` Cherry-pick plus an additional patch for the joinProject bail-out. (cherry picked from commit d9570fee70701a5f431c39fdbec5f8bc5a7843fe) 2020-05-01 06:43:18 -04:00			`@AuthorizationManager.assertClientCanEditProjectAndDoc @client, @doc_id, (err) ->`
			`err.message.should.equal "not authorized"`