From a0027768f82f328c5a212910352c545b305f014d Mon Sep 17 00:00:00 2001
From: flifloo
Date: Tue, 18 Aug 2020 15:45:49 +0200
Subject: [PATCH] Add user permissions check on pages
---
 middlewares/sessionCheck.js | 5 +-
 test/database.js | 8 +--
 test/pages.js | 132 ++++++++++++++++++++++++++++++++++--
 test/utils/wipeDatabase.js | 8 +++
 4 files changed, 137 insertions(+), 16 deletions(-)
 create mode 100644 test/utils/wipeDatabase.js
diff --git a/middlewares/sessionCheck.js b/middlewares/sessionCheck.js
index 146f9f6..d579232 100644
--- a/middlewares/sessionCheck.js
+++ b/middlewares/sessionCheck.js
@@ -3,9 +3,10 @@ function sessionCheck(permission) {
 if (!req.session.user) {
 req.session.lastUrl = req.originalUrl;
 req.session.save(() => res.redirect("/login"));
- } else if (req.session.user.permissions < permission)
+ } else if (req.session.user.permissions < permission) {
+ res.status(403);
 res.render("error", {message: "Permission denied !", "error": {}});
- else
+ } else
 next();
 }
 }
diff --git a/test/database.js b/test/database.js
index 47257d2..23267cb 100644
--- a/test/database.js
+++ b/test/database.js
@@ -1,13 +1,7 @@
 let expect = require("chai").expect;
+let wipeDatabase = require("./utils/wipeDatabase");
-async function wipeDatabase(models) {
- for (let model in models) {
- if (["sequelize", "Sequelize"].indexOf(model) < 0)
- await models[model].destroy({where: {}});
- }
-}
-
 async function databaseEnter() {
 let models = require("../models");
 await models.sequelize.sync();
diff --git a/test/pages.js b/test/pages.js
index 8da6b15..a62f924 100644
--- a/test/pages.js
+++ b/test/pages.js
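Review bot: The `<` comparison on the new `else if` line fails open when either side is not a number: `undefined < 3` and `NaN < 3` are both false, so a session whose `user.permissions` field is missing or non-numeric, or a route registered as `sessionCheck()` with no argument, falls through to `next()` instead of the 403 branch. Prefer a check that fails closed, e.g. `} else if (!(Number(req.session.user.permissions) >= Number(permission))) {`, and give `permission` an explicit default in the signature if some routes intentionally omit it. The level is also read from the session copy of the user rather than from the database, so a permission change or revocation only takes effect once the user logs in again; if that is the intended trade-off it deserves a comment such as `// permissions are cached in the session at login; changes apply on next login`. The enclosing sessionCheck function starts before this hunk.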
@@ -1,4 +1,42 @@
 let request = require("supertest");
+let wipeDatabase = require("./utils/wipeDatabase");
+let expect = require("chai").expect;
+
+
+async function setup() {
+ let app = require("../app");
+ let models = require("../models");
+ await models.sequelize.sync();
+ await wipeDatabase(models);
+ return [app, models];
+}
+
+async function createTestUser(models, p) {
+ await models.User.create({
+ username: "test",
+ email: "test@test.fr",
+ firstName: "Test",
+ lastName: "Test",
+ passwordHash: "test",
+ permissions: p ? p : 0
+ });
+}
+
+async function clean() {
+ await wipeDatabase(models);
+ await models.sequelize.close();
+ for (let e of ["../app", "../models"])
+ delete require.cache[require.resolve(e)];
+}
+
+async function getLoginAgent(app) {
+ let agent = request.agent(app, {});
+ await agent
+ .post("/login")
+ .send({username: "test", password: "test"})
+ .expect(302);
+ return agent;
+}
 describe("Public pages test", () => {
@@ -6,14 +44,10 @@ describe("Public pages test", () => {
 let models;
 before(async () => {
- app = require("../app");
- models = require("../models");
- await models.sequelize.sync();
+ [app, models] = await setup();
 });
- after( async () => {
- await models.sequelize.close();
- for (let e of ["../app", "../models"])
- delete require.cache[require.resolve(e)];
+ after(() => {
+ return clean;
 });
 it("Responds to /", (done) => {
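Review bot: `getLoginAgent` only asserts a 302 on `POST /login`, and the "Login error" case added later in this commit shows that a failed login also answers 302 (to `/login?err=true`), so a fixture whose password does not verify still yields an "agent" and every test built on it fails on the wrong assertion. Capture the response and pin the redirect target: `let res = await agent.post("/login").send({username: "test", password: "test"}).expect(302);` followed by `expect(res.headers.location).to.equal("/");`. Also, `clean()` reads a `models` binding that this hunk never declares at module scope (each describe block has its own `let models`), so calling it would throw a ReferenceError; pass the models in with `async function clean(models) {`. Related: the fixture stores `passwordHash: "test"` and logs in with the same literal, which only works if the login route compares the submitted password without hashing — worth confirming against the login handler, which is not in this diff. The describe block opened on the hunk's last line continues past it.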
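Review bot: The new `after` hook returns the `clean` function without calling it — `return clean;` hands mocha a function value, not a promise — so the database is never wiped and `models.sequelize.close()` never runs after the suite, leaving the connection open and the test rows in place for whatever runs next. Invoke it instead, passing the suite's models since `clean` has no module-level `models` to read: `after(() => clean(models));`. The same pattern is repeated in the other suites this commit adds. The describe block enclosing this hunk starts and ends outside it.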
@@ -67,3 +101,87 @@ describe("Public pages test", () => {
 .expect(404, done);
 });
 });
+
+describe("Global logged user pages", () => {
+ let app;
+ let models;
+
+ before(async () => {
+ [app, models] = await setup();
+ await createTestUser(models);
+ });
+ after( () => {
+ return clean;
+ });
+
+ it("Login user", async () => {
+ let res = await request(app)
+ .post("/login")
+ .send({username: "test", password: "test"})
+ .expect(302);
+ expect(res.headers.location).to.be.equal("/");
+ });
+ it("Login error", async () => {
+ let res = await request(app)
+ .post("/login")
+ .send({username: "wrong", password: "wrong"})
+ .expect(302);
+ expect(res.headers.location).to.be.equal("/login?err=true");
+ });
+ it("Register page", async () => {
+ await (await getLoginAgent(app))
+ .get("/register")
+ .expect(302);
+ });
+ it("Logout page", async () => {
+ let agent = await getLoginAgent(app);
+ await agent
+ .get("/logout")
+ .expect(302);
+
+ //Check if user is correctly logout
+ await agent
+ .get("/login")
+ .expect(200);
+ });
+ it("Profile page", async () => {
+ await (await getLoginAgent(app))
+ .get("/profile")
+ .expect(200);
+ });
+});
+
+for (let [p, a] of Object.entries({0: [403, 403, 403, 403], 1: [200, 403, 403, 403], 2: [200, 200, 403, 403], 3: [200, 200, 200, 200]}))
+ describe(`Permission ${p} pages`, () => {
+ let app;
+ let models;
+
+ before(async () => {
+ [app, models] = await setup();
+ await createTestUser(models, p);
+ });
+ after( () => {
+ return clean;
+ });
+
+ it("Sandwiches page", async () => {
+ await (await getLoginAgent(app))
+ .get("/sandwiches")
+ .expect(a[0]);
+ });
+ it("Commands page", async () => {
+ await (await getLoginAgent(app))
+ .get("/commands")
+ .expect(a[1]);
+ });
+ it("Admin page", async () => {
+ await (await getLoginAgent(app))
+ .get("/admin")
+ .expect(a[2]);
+ });
+ it("Commands administration page", async () => {
+ await (await getLoginAgent(app))
+ .get("/admin/commands")
+ .expect(a[3]);
+ });
+ });
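Review bot: `Object.entries` yields string keys, so the permission loop calls `createTestUser(models, p)` with `"0"`…`"3"`, and `p ? p : 0` keeps the string `"0"` rather than a number; whether the stored level ends up numeric depends on the `permissions` column type, which this diff does not show, and a string level would make the `<` comparison in sessionCheck lexicographic. Convert at the boundary: `await createTestUser(models, Number(p));`. Each `after` here also uses `return clean;`, which returns the helper instead of invoking it, so no teardown runs between suites; use `after(() => clean(models))` with `clean` taking the models as a parameter. The matrix only exercises GET on the four pages; if the same routes accept POST (for example creating a command under `/admin/commands`), those handlers need the same `sessionCheck` level and a row of their own in the table.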
diff --git a/test/utils/wipeDatabase.js b/test/utils/wipeDatabase.js
new file mode 100644
index 0000000..8b56323
--- /dev/null
+++ b/test/utils/wipeDatabase.js
@@ -0,0 +1,8 @@
+async function wipeDatabase(models) {
+ for (let model in models) {
+ if (["sequelize", "Sequelize"].indexOf(model) < 0)
+ await models[model].destroy({where: {}});
+ }
+}
+
+module.exports = wipeDatabase;
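Review bot: `wipeDatabase` deletes every row of every model with `destroy({where: {}})` and has no guard against being pointed at a non-test database; the connection it reaches is whatever `../models` was configured with, which this diff does not show. If the suite runs with `NODE_ENV=test` (not visible here), a one-line guard makes the helper fail closed elsewhere: `if (process.env.NODE_ENV !== "test") throw new Error("wipeDatabase refused: NODE_ENV is not 'test'");`. A short header comment would also help, e.g. `// Test-only helper: deletes all rows of every Sequelize model, skipping the sequelize/Sequelize exports.`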