Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BC-8635 - fix task permission #5417

Merged
merged 5 commits into from
Jan 7, 2025
Merged

BC-8635 - fix task permission #5417

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
8499fda
BC-8635 - fix task permission
virgilchiriac Jan 7, 2025
21e93de
Merge branch 'main' into BC-8635-fix-task-permission
virgilchiriac Jan 7, 2025
2ebc09e
fix linter
virgilchiriac Jan 7, 2025
4c95bee
Merge branch 'BC-8635-fix-task-permission' of https://github.com/hpi-…
virgilchiriac Jan 7, 2025
192b24d
fix linter
virgilchiriac Jan 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions apps/server/src/modules/authorization-rules/rules/task.rule.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,29 @@ describe('TaskRule', () => {
});
});

describe('when task has no course or lesson', () => {
const setup = () => {
const role = roleFactory.build({ permissions: [permissionA, permissionB], name: RoleName.TEACHER });
const creator = userFactory.build({ roles: [role] });
const otherUser = userFactory.build({ roles: [role] });
const task = taskFactory.build({ creator });

return { role, creator, otherUser, task };
};

it('creator should have access to task', () => {
const { creator, task } = setup();
const res = service.hasPermission(creator, task, { action: Action.read, requiredPermissions: [] });
expect(res).toBe(true);
});

it('otherUser should not have access to task', () => {
const { otherUser, task } = setup();
const res = service.hasPermission(otherUser, task, { action: Action.read, requiredPermissions: [] });
expect(res).toBe(false);
});
});

describe('when user is student and is task creator with Permission A,B', () => {
const setup = () => {
const role = roleFactory.build({ permissions: [permissionA, permissionB], name: RoleName.STUDENT });
Expand Down
2 changes: 1 addition & 1 deletion apps/server/src/modules/authorization-rules/rules/task.rule.ts
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can remove the comment in line 45:
// TODO why parent permission has OR cond?

Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,6 @@ export class TaskRule implements Rule<Task> {

return hasCoursePermission;
}
return true;
return false;
}
}
62 changes: 48 additions & 14 deletions apps/server/src/modules/task/controller/api-test/task-delete.api.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,24 +56,24 @@ describe('Task Controller (API)', () => {
});

describe('[DELETE] :taskId', () => {
const setup = async () => {
const teacher = createTeacher();
const student = createStudent();
const course = courseFactory.build({
teachers: [teacher.user],
students: [student.user],
});
const task = taskFactory.isPublished().build({ course });
describe('when logged in as a teacher', () => {
const setup = async () => {
const teacher = createTeacher();
const student = createStudent();
const course = courseFactory.build({
teachers: [teacher.user],
students: [student.user],
});
const task = taskFactory.isPublished().build({ course });

await em.persistAndFlush([teacher.user, teacher.account, student.user, student.account, task]);
em.clear();
await em.persistAndFlush([teacher.user, teacher.account, student.user, student.account, task]);
em.clear();

const teacherClient = await testApiClient.login(teacher.account);
const teacherClient = await testApiClient.login(teacher.account);

return { teacherClient, teacher, student, course, task };
};
return { teacherClient, teacher, student, course, task };
};

describe('when logged in as a teacher', () => {
it('should return status 200 for valid task', async () => {
const { teacherClient, task } = await setup();

Expand All @@ -82,5 +82,39 @@ describe('Task Controller (API)', () => {
expect(response.status).toEqual(200);
});
});

describe('when logged in as another teacher', () => {
const setup = async () => {
const teacher = createTeacher();
const anotherTeacher = createTeacher();

const task = taskFactory.isPublished().build();

await em.persistAndFlush([teacher.user, teacher.account, anotherTeacher.user, anotherTeacher.account, task]);
em.clear();

const anotherTeacherClient = await testApiClient.login(anotherTeacher.account);

return { anotherTeacherClient, anotherTeacher, task };
};

it('should return status 403 for valid task', async () => {
const { anotherTeacherClient, task } = await setup();

const response = await anotherTeacherClient.delete(`${task.id}`);

expect(response.status).toEqual(403);
});

it('should not actually delete the task', async () => {
const { anotherTeacherClient, task } = await setup();

await anotherTeacherClient.delete(`${task.id}`);

const taskAfterDelete = await em.findOneOrFail('Task', task.id);

expect(taskAfterDelete).toBeDefined();
});
});
});
});
Loading