diff --git a/services/web/test/acceptance/coffee/TokenAccessTests.coffee b/services/web/test/acceptance/coffee/TokenAccessTests.coffee
index 74b8c2b7b8..fc88c71512 100644
--- a/services/web/test/acceptance/coffee/TokenAccessTests.coffee
+++ b/services/web/test/acceptance/coffee/TokenAccessTests.coffee
@@ -30,7 +30,7 @@ try_read_only_token_access = (user, token, test, callback) ->
 try_read_and_write_token_access = (user, token, test, callback) ->
 async.series [
 (cb) ->
- user.request.get "/read/#{token}", (error, response, body) ->
+ user.request.get "/#{token}", (error, response, body) ->
 return cb(error) if error?
 test(response, body)
 cb()
@@ -57,6 +57,29 @@ try_content_access = (user, project_id, test, callback) ->
 test(response, body)
 callback()
+try_anon_content_access = (user, project_id, token, test, callback) ->
+ # The real-time service calls this end point to determine the user's
+ # permissions.
+ if user.id?
+ user_id = user.id
+ else
+ user_id = "anonymous-user"
+ request.post {
+ url: "/project/#{project_id}/join"
+ qs: {user_id}
+ auth:
+ user: settings.apis.web.user
+ pass: settings.apis.web.pass
+ sendImmediately: true
+ headers:
+ 'x-sl-anon-token': token
+ json: true
+ jar: false
+ }, (error, response, body) ->
+ return callback(error) if error?
+ test(response, body)
+ callback()
+
 expect_content_write_access = (user, project_id, callback) ->
 try_content_access(user, project_id, (response, body) ->
 expect(body.privilegeLevel).to.be.oneOf ["readAndWrite"]
@@ -92,9 +115,6 @@ expect_read_and_write_access = (user, project_id, token, callback) ->
 ], callback
-
-
-
 describe 'TokenAccess', ->
 before (done) ->
 @timeout(90000)
@@ -119,7 +139,6 @@ describe 'TokenAccess', ->
 @owner.getProject @project_id, (err, project) =>
 return done(err) if err?
 @tokens = project.tokens
- console.log ">> ", @project_id, @tokens, project.publicAccesLevel
 done()
 it 'should deny access before the token is used', (done) ->
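Review bot: The added line requests the bare `/#{token}` route, and nothing on it records why this helper's path differs from the read-only helper's (that helper starts above the hunk and its URL is not visible here), so the two are easy to swap when the routes change again. A one-line comment above the request, `# read-and-write tokens are served at /:token; the read-only helper above uses its own route`, would pin that down. The body of try_read_and_write_token_access continues outside the hunk.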
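Review bot: try_anon_content_access posts to the relative url `"/project/#{project_id}/join"` through the bare `request` module instead of a per-user `user.request` client like the other helpers, so it only works if `request` is a defaults instance that carries a baseUrl; if it is the plain module the call fails with an invalid-URI error before the assertion runs, which is worth confirming against the require at the top of the file (outside the hunk). The `if user.id?` / `else` block is a plain default and reads better as the one-line existential form `user_id = user.id ? "anonymous-user"`. The header comment could also name the two inputs the endpoint is given here, `# sends the service credentials plus the anon token in x-sl-anon-token, with no session cookie (jar: false)`, so a reader knows the session is deliberately absent.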
@@ -158,15 +177,99 @@ describe 'TokenAccess', ->
 expect(body.privilegeLevel).to.equal false
 , done)
+ describe 'anonymous read-only token', ->
+ before (done) ->
+ @owner.createProject 'token-anon-ro-test#{Math.random()}', (err, project_id) =>
+ return done(err) if err?
+ @project_id = project_id
+ @owner.makeTokenBased @project_id, (err) =>
+ return done(err) if err?
+ @owner.getProject @project_id, (err, project) =>
+ return done(err) if err?
+ @tokens = project.tokens
+ done()
- # describe 'anonymous read-only token', ->
- # beforeEach ->
+ it 'should deny access before the token is used', (done) ->
+ try_read_access(@anon, @project_id, (response, body) =>
+ expect(response.statusCode).to.equal 302
+ expect(body).to.match /.*\/restricted.*/
+ , done)
- # describe 'made private again', ->
- # beforeEach ->
+ it 'should allow the user to access project via read-only token url', (done) ->
+ try_read_only_token_access(@anon, @tokens.readOnly, (response, body) =>
+ expect(response.statusCode).to.equal 200
+ , done)
- # describe 'read-and-write token', ->
- # beforeEach ->
+ it 'should allow the user to anonymously join the project with read-only access', (done) ->
+ try_anon_content_access(@anon, @project_id, @tokens.readOnly, (response, body) =>
+ expect(body.privilegeLevel).to.equal 'readOnly'
+ , done)
+
+ describe 'made private again', ->
+ before (done) ->
+ @owner.makePrivate @project_id, () -> setTimeout(done, 1000)
+
+ it 'should deny access to project', (done) ->
+ try_read_access(@anon, @project_id, (response, body) =>
+ expect(response.statusCode).to.equal 302
+ expect(body).to.match /.*\/restricted.*/
+ , done)
+
+ it 'should not allow the user to access read-only token', (done) ->
+ try_read_only_token_access(@anon, @tokens.readOnly, (response, body) =>
+ expect(response.statusCode).to.equal 404
+ , done)
+
+ it 'should not allow the user to join the project', (done) ->
+ try_anon_content_access(@anon, @project_id, @tokens.readOnly, (response, body) =>
+ expect(body.privilegeLevel).to.equal false
+ , done)
+
+ describe 'read-and-write token', ->
+ before (done) ->
+ @owner.createProject 'token-rw-test#{Math.random()}', (err, project_id) =>
+ return done(err) if err?
+ @project_id = project_id
+ @owner.makeTokenBased @project_id, (err) =>
+ return done(err) if err?
+ @owner.getProject @project_id, (err, project) =>
+ return done(err) if err?
+ @tokens = project.tokens
+ done()
+
+ it 'should deny access before the token is used', (done) ->
+ try_read_access(@other1, @project_id, (response, body) =>
+ expect(response.statusCode).to.equal 302
+ expect(body).to.match /.*\/restricted.*/
+ , done)
+
+ it 'should allow the user to access project via read-and-write token url', (done) ->
+ try_read_and_write_token_access(@other1, @tokens.readAndWrite, (response, body) =>
+ expect(response.statusCode).to.equal 200
+ , done)
+
+ it 'should allow the user to join the project with read-and-write access', (done) ->
+ try_content_access(@other1, @project_id, (response, body) =>
+ expect(body.privilegeLevel).to.equal 'readAndWrite'
+ , done)
+
+ describe 'made private again', ->
+ before (done) ->
+ @owner.makePrivate @project_id, () -> setTimeout(done, 1000)
+
+ it 'should deny access to project', (done) ->
+ try_read_access(@other1, @project_id, (response, body) =>
+ expect(response.statusCode).to.equal 302
+ expect(body).to.match /.*\/restricted.*/
+ , done)
+
+ it 'should not allow the user to access read-and-write token', (done) ->
+ try_read_and_write_token_access(@other1, @tokens.readAndWrite, (response, body) =>
+ expect(response.statusCode).to.equal 404
+ , done)
+
+ it 'should not allow the user to join the project', (done) ->
+ try_content_access(@other1, @project_id, (response, body) =>
+ expect(body.privilegeLevel).to.equal false
+ , done)
- # describe 'made private again', ->
- # beforeEach ->
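Review bot: The project names on the two `@owner.createProject` lines are single-quoted, and CoffeeScript interpolates `#{...}` only inside double quotes, so every run creates a project literally named `token-anon-ro-test#{Math.random()}` (and `token-rw-test#{Math.random()}`) instead of a unique one; change them to `"token-anon-ro-test#{Math.random()}"` and `"token-rw-test#{Math.random()}"`. Both `made private again` hooks wait on a fixed `setTimeout(done, 1000)` after makePrivate, which is slow and a likely source of flakiness if the access-level change takes longer to propagate; whether makePrivate's callback already waits for persistence is not visible here, and if it does not, polling getProject until the access level has changed would be more robust than a sleep. The anonymous block only ever presents the read-only token in `x-sl-anon-token`; a companion case that presents `@tokens.readAndWrite` anonymously and asserts the resulting `privilegeLevel` would pin down the intended policy for that combination, which these tests currently leave unstated.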