diff --git a/apps/server/src/modules/authorization-rules/rules/task.rule.spec.ts b/apps/server/src/modules/authorization-rules/rules/task.rule.spec.ts index 844c11ceeec..37bf29fb2a3 100644 --- a/apps/server/src/modules/authorization-rules/rules/task.rule.spec.ts +++ b/apps/server/src/modules/authorization-rules/rules/task.rule.spec.ts @@ -146,6 +146,29 @@ describe('TaskRule', () => { }); }); + describe('when task has no course or lesson', () => { + const setup = () => { + const role = roleFactory.build({ permissions: [permissionA, permissionB], name: RoleName.TEACHER }); + const creator = userFactory.build({ roles: [role] }); + const otherUser = userFactory.build({ roles: [role] }); + const task = taskFactory.build({ creator }); + + return { role, creator, otherUser, task }; + }; + + it('creator should have access to task', () => { + const { creator, task } = setup(); + const res = service.hasPermission(creator, task, { action: Action.read, requiredPermissions: [] }); + expect(res).toBe(true); + }); + + it('otherUser should not have access to task', () => { + const { otherUser, task } = setup(); + const res = service.hasPermission(otherUser, task, { action: Action.read, requiredPermissions: [] }); + expect(res).toBe(false); + }); + }); + describe('when user is student and is task creator with Permission A,B', () => { const setup = () => { const role = roleFactory.build({ permissions: [permissionA, permissionB], name: RoleName.STUDENT }); diff --git a/apps/server/src/modules/authorization-rules/rules/task.rule.ts b/apps/server/src/modules/authorization-rules/rules/task.rule.ts index dbe7650d8b8..704d71e2b1a 100644 --- a/apps/server/src/modules/authorization-rules/rules/task.rule.ts +++ b/apps/server/src/modules/authorization-rules/rules/task.rule.ts @@ -64,6 +64,6 @@ export class TaskRule implements Rule { return hasCoursePermission; } - return true; + return false; } } 
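Review bot: The new `when task has no course or lesson` block only exercises `Action.read`, so the fail-closed default in `TaskRule` is not pinned for writes; a mirrored `it` calling `service.hasPermission(otherUser, task, { action: Action.write, requiredPermissions: [] })` and asserting `false` would catch a regression that only denies reads. The `role` returned from `setup` is not used by either test and can be dropped from the return value. It is worth a comment in `setup` that `otherUser` carries the same TEACHER role and permissions as `creator`, e.g. `// same role and permissions as creator: the only difference is creatorship`, since that is the property the second test actually discriminates on.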
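Review bot: The flipped default at the end of `hasPermission` now denies anyone not handled by the creator check or the lesson/course branches, but nothing on the line records that this is deliberate, so a later reader may "fix" it back to the permissive value. Suggest `// Task belongs to neither a course nor a lesson and the user is not its creator: deny (fail closed).` directly above `return false;`. The branches preceding this return, including whatever establishes the creator case the new spec expects, are outside the hunk; I am inferring from the spec that creatorship is decided before this point, so please confirm that a task with a lesson but no course cannot fall through to this line unintentionally.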
diff --git a/apps/server/src/modules/task/controller/api-test/task-delete.api.spec.ts b/apps/server/src/modules/task/controller/api-test/task-delete.api.spec.ts index f4b12cf9616..538ca3a5230 100644 --- a/apps/server/src/modules/task/controller/api-test/task-delete.api.spec.ts +++ b/apps/server/src/modules/task/controller/api-test/task-delete.api.spec.ts @@ -56,24 +56,24 @@ describe('Task Controller (API)', () => { }); describe('[DELETE] :taskId', () => { - const setup = async () => { - const teacher = createTeacher(); - const student = createStudent(); - const course = courseFactory.build({ - teachers: [teacher.user], - students: [student.user], - }); - const task = taskFactory.isPublished().build({ course }); + describe('when logged in as a teacher', () => { + const setup = async () => { + const teacher = createTeacher(); + const student = createStudent(); + const course = courseFactory.build({ + teachers: [teacher.user], + students: [student.user], + }); + const task = taskFactory.isPublished().build({ course }); - await em.persistAndFlush([teacher.user, teacher.account, student.user, student.account, task]); - em.clear(); + await em.persistAndFlush([teacher.user, teacher.account, student.user, student.account, task]); + em.clear(); - const teacherClient = await testApiClient.login(teacher.account); + const teacherClient = await testApiClient.login(teacher.account); - return { teacherClient, teacher, student, course, task }; - }; + return { teacherClient, teacher, student, course, task }; + }; - describe('when logged in as a teacher', () => { it('should return status 200 for valid task', async () => { const { teacherClient, task } = await setup(); 
@@ -82,5 +82,39 @@ describe('Task Controller (API)', () => { expect(response.status).toEqual(200); }); }); + + describe('when logged in as another teacher', () => { + const setup = async () => { + const teacher = createTeacher(); + const anotherTeacher = createTeacher(); + + const task = taskFactory.isPublished().build(); + + await em.persistAndFlush([teacher.user, teacher.account, anotherTeacher.user, anotherTeacher.account, task]); + em.clear(); + + const anotherTeacherClient = await testApiClient.login(anotherTeacher.account); + + return { anotherTeacherClient, anotherTeacher, task }; + }; + + it('should return status 403 for valid task', async () => { + const { anotherTeacherClient, task } = await setup(); + + const response = await anotherTeacherClient.delete(`${task.id}`); + + expect(response.status).toEqual(403); + }); + + it('should not actually delete the task', async () => { + const { anotherTeacherClient, task } = await setup(); + + await anotherTeacherClient.delete(`${task.id}`); + + const taskAfterDelete = await em.findOneOrFail('Task', task.id); + + expect(taskAfterDelete).toBeDefined(); + }); + }); }); });
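Review bot: In the `when logged in as another teacher` setup, `teacher` is persisted but never linked to the task — `taskFactory.isPublished().build()` is given neither `creator` nor `course` — so the scenario exercises a task with whatever creator the factory defaults to, not a task owned by `teacher`, and the describe name promises more than the fixture delivers. Build it as `const task = taskFactory.isPublished().build({ creator: teacher.user });` so the 403 is shown to hinge on creatorship rather than on an orphaned fixture (assuming the factory accepts `creator`, as `taskFactory.build({ creator })` in the rule spec suggests). A positive counterpart at the API level — the creating teacher deleting the same course-less task and receiving 200 — is missing and would guard against the rule change locking out the owner as well. In `should not actually delete the task`, `em.findOneOrFail` already throws when the row is gone, so `expect(taskAfterDelete).toBeDefined()` asserts nothing extra; either use `em.findOne` and assert the result is not `null`, or add `// findOneOrFail throws if the task was deleted; that throw is the assertion` so the intent is explicit.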