mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-07 20:31:06 -05:00
253 lines
No EOL
8.6 KiB
CoffeeScript
253 lines
No EOL
8.6 KiB
CoffeeScript
request = require("request")
|
|
expect = require("chai").expect
|
|
async = require "async"
|
|
|
|
count = 0
|
|
BASE_URL = "http://localhost:3000"
|
|
|
|
request = request.defaults({
|
|
baseUrl: BASE_URL,
|
|
followRedirect: false
|
|
})
|
|
|
|
class User
|
|
constructor: (options = {}) ->
|
|
@email = "acceptance-test-#{count}@example.com"
|
|
@password = "acceptance-test-#{count}-password"
|
|
count++
|
|
@jar = request.jar()
|
|
@request = request.defaults({
|
|
jar: @jar
|
|
})
|
|
|
|
login: (callback = (error) ->) ->
|
|
@getCsrfToken (error) =>
|
|
return callback(error) if error?
|
|
@request.post {
|
|
url: "/register" # Register will log in, but also ensure user exists
|
|
json:
|
|
email: @email
|
|
password: @password
|
|
}, (error, response, body) =>
|
|
return callback(error) if error?
|
|
callback()
|
|
|
|
createProject: (name, callback = (error, project_id) ->) ->
|
|
@request.post {
|
|
url: "/project/new",
|
|
json:
|
|
projectName: name
|
|
}, (error, response, body) ->
|
|
return callback(error) if error?
|
|
callback(null, body.project_id)
|
|
|
|
addUserToProject: (project_id, email, privileges, callback = (error, user) ->) ->
|
|
@request.post {
|
|
url: "/project/#{project_id}/users",
|
|
json: {email, privileges}
|
|
}, (error, response, body) ->
|
|
return callback(error) if error?
|
|
callback(null, body.user)
|
|
|
|
makePublic: (project_id, level, callback = (error) ->) ->
|
|
@request.post {
|
|
url: "/project/#{project_id}/settings",
|
|
json:
|
|
publicAccessLevel: level
|
|
}, (error, response, body) ->
|
|
return callback(error) if error?
|
|
callback(null)
|
|
|
|
getCsrfToken: (callback = (error) ->) ->
|
|
@request.get {
|
|
url: "/register"
|
|
}, (err, response, body) =>
|
|
return callback(error) if error?
|
|
csrfMatches = body.match("window.csrfToken = \"(.*?)\";")
|
|
if !csrfMatches?
|
|
return callback(new Error("no csrf token found"))
|
|
@request = @request.defaults({
|
|
headers:
|
|
"x-csrf-token": csrfMatches[1]
|
|
})
|
|
callback()
|
|
|
|
try_read_access = (requester, project_id, test, callback) ->
|
|
async.parallel [
|
|
(cb) ->
|
|
requester.get "/project/#{project_id}", (error, response, body) ->
|
|
return cb(error) if error?
|
|
test(response, body)
|
|
cb()
|
|
(cb) ->
|
|
requester.get "/project/#{project_id}/download/zip", (error, response, body) ->
|
|
return cb(error) if error?
|
|
test(response, body)
|
|
cb()
|
|
], callback
|
|
|
|
try_settings_write_access = (requester, project_id, test, callback) ->
|
|
async.parallel [
|
|
(cb) ->
|
|
requester.post {
|
|
uri: "/project/#{project_id}/settings"
|
|
json:
|
|
compiler: "latex"
|
|
}, (error, response, body) ->
|
|
return cb(error) if error?
|
|
test(response, body)
|
|
cb()
|
|
], callback
|
|
|
|
try_admin_access = (requester, project_id, test, callback) ->
|
|
async.parallel [
|
|
(cb) ->
|
|
requester.post {
|
|
uri: "/project/#{project_id}/rename"
|
|
json:
|
|
newProjectName: "new-name"
|
|
}, (error, response, body) ->
|
|
return cb(error) if error?
|
|
test(response, body)
|
|
cb()
|
|
], callback
|
|
|
|
expect_read_access = (requester, project_id, callback) ->
|
|
try_read_access(requester, project_id, (response, body) ->
|
|
if response.statusCode not in [200,204]
|
|
console.log response.statusCode, response.headers
|
|
expect(response.statusCode).to.be.oneOf [200, 204]
|
|
, callback)
|
|
|
|
expect_settings_write_access = (requester, project_id, callback) ->
|
|
try_settings_write_access(requester, project_id, (response, body) ->
|
|
expect(response.statusCode).to.be.oneOf [200, 204]
|
|
, callback)
|
|
|
|
expect_admin_access = (requester, project_id, callback) ->
|
|
try_admin_access(requester, project_id, (response, body) ->
|
|
expect(response.statusCode).to.be.oneOf [200, 204]
|
|
, callback)
|
|
|
|
expect_no_read_access = (requester, project_id, options, callback) ->
|
|
try_read_access(requester, project_id, (response, body) ->
|
|
expect(response.statusCode).to.equal 302
|
|
expect(response.headers.location).to.equal options.redirect_to
|
|
, callback)
|
|
|
|
expect_no_settings_write_access = (requester, project_id, options, callback) ->
|
|
try_settings_write_access(requester, project_id, (response, body) ->
|
|
expect(response.statusCode).to.equal 302
|
|
expect(response.headers.location).to.equal options.redirect_to
|
|
, callback)
|
|
|
|
expect_no_admin_access = (requester, project_id, options, callback) ->
|
|
try_admin_access(requester, project_id, (response, body) ->
|
|
expect(response.statusCode).to.equal 302
|
|
expect(response.headers.location).to.equal options.redirect_to
|
|
, callback)
|
|
|
|
describe "Authorization", ->
|
|
before (done) ->
|
|
@timeout(10000)
|
|
@owner = new User()
|
|
@other1 = new User()
|
|
@other2 = new User()
|
|
@anon = new User()
|
|
async.parallel [
|
|
(cb) => @owner.login cb
|
|
(cb) => @other1.login cb
|
|
(cb) => @other2.login cb
|
|
(cb) => @anon.getCsrfToken cb
|
|
], done
|
|
|
|
describe "private project", ->
|
|
before (done) ->
|
|
@owner.createProject "private-project", (error, project_id) =>
|
|
return done(error) if error?
|
|
@project_id = project_id
|
|
done()
|
|
|
|
it "should allow the owner read access to it", (done) ->
|
|
expect_read_access @owner.request, @project_id, done
|
|
|
|
it "should allow the owner write access to its settings", (done) ->
|
|
expect_settings_write_access @owner.request, @project_id, done
|
|
|
|
it "should allow the owner admin access to it", (done) ->
|
|
expect_admin_access @owner.request, @project_id, done
|
|
|
|
it "should not allow another user read access to it", (done) ->
|
|
expect_no_read_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow another user write access to its settings", (done) ->
|
|
expect_no_settings_write_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow another user admin access to it", (done) ->
|
|
expect_no_admin_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow anonymous user read access to it", (done) ->
|
|
expect_no_read_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow anonymous user write access to its settings", (done) ->
|
|
expect_no_settings_write_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow anonymous user admin access to it", (done) ->
|
|
expect_no_admin_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
describe "shared project", ->
|
|
before (done) ->
|
|
@rw_user = @other1
|
|
@ro_user = @other2
|
|
@owner.createProject "private-project", (error, project_id) =>
|
|
return done(error) if error?
|
|
@project_id = project_id
|
|
@owner.addUserToProject @project_id, @ro_user.email, "readOnly", (error) =>
|
|
return done(error) if error?
|
|
@owner.addUserToProject @project_id, @rw_user.email, "readAndWrite", (error) =>
|
|
return done(error) if error?
|
|
done()
|
|
|
|
it "should allow the read-only user read access to it", (done) ->
|
|
expect_read_access @ro_user.request, @project_id, done
|
|
|
|
it "should not allow the read-only user write access to its settings", (done) ->
|
|
expect_no_settings_write_access @ro_user.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow the read-only user admin access to it", (done) ->
|
|
expect_no_admin_access @ro_user.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should allow the read-write user read access to it", (done) ->
|
|
expect_read_access @rw_user.request, @project_id, done
|
|
|
|
it "should allow the read-write user write access to its settings", (done) ->
|
|
expect_settings_write_access @rw_user.request, @project_id, done
|
|
|
|
it "should not allow the read-write user admin access to it", (done) ->
|
|
expect_no_admin_access @rw_user.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
describe "public read-write project", ->
|
|
before (done) ->
|
|
@owner.createProject "public-rw-project", (error, project_id) =>
|
|
return done(error) if error?
|
|
@project_id = project_id
|
|
@owner.makePublic @project_id, "readAndWrite", done
|
|
|
|
it "should allow a user read access to it", (done) ->
|
|
expect_read_access @other1.request, @project_id, done
|
|
|
|
it "should not allow a user write access to its settings"#, (done) ->
|
|
# expect_no_settings_write_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow a user admin access to it", (done) ->
|
|
expect_no_admin_access @other1.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should allow anonymous user read access to it", (done) ->
|
|
expect_read_access @anon.request, @project_id, done
|
|
|
|
it "should not allow anonymous user write access to its settings", (done) ->
|
|
expect_no_settings_write_access @anon.request, @project_id, redirect_to: "/restricted", done
|
|
|
|
it "should not allow anonymous user admin access to it", (done) ->
|
|
expect_no_admin_access @anon.request, @project_id, redirect_to: "/restricted", done
|
|
|