BVB Source Codes

parse-server Show ParseRole.spec.js Source code

Return Download parse-server: download ParseRole.spec.js Source code - Download parse-server Source code - Type:.js
  1. "use strict";
  2.  
  3. // Roles are not accessible without the master key, so they are not intended
  4. // for use by clients.  We can manually test them using the master key.
  5. var RestQuery = require("../src/RestQuery");
  6. var Auth = require("../src/Auth").Auth;
  7. var Config = require("../src/Config");
  8.  
  9. describe('Parse Role testing', () => {
  10.   it('Do a bunch of basic role testing', done => {
  11.     var user;
  12.     var role;
  13.  
  14.     createTestUser().then((x) => {
  15.       user = x;
  16.       const acl = new Parse.ACL();
  17.       acl.setPublicReadAccess(true);
  18.       acl.setPublicWriteAccess(false);
  19.       role = new Parse.Object('_Role');
  20.       role.set('name', 'Foos');
  21.       role.setACL(acl);
  22.       var users = role.relation('users');
  23.       users.add(user);
  24.       return role.save({}, { useMasterKey: true });
  25.     }).then(() => {
  26.       var query = new Parse.Query('_Role');
  27.       return query.find({ useMasterKey: true });
  28.     }).then((x) => {
  29.       expect(x.length).toEqual(1);
  30.       var relation = x[0].relation('users').query();
  31.       return relation.first({ useMasterKey: true });
  32.     }).then((x) => {
  33.       expect(x.id).toEqual(user.id);
  34.       // Here we've got a valid role and a user assigned.
  35.       // Lets create an object only the role can read/write and test
  36.       // the different scenarios.
  37.       var obj = new Parse.Object('TestObject');
  38.       var acl = new Parse.ACL();
  39.       acl.setPublicReadAccess(false);
  40.       acl.setPublicWriteAccess(false);
  41.       acl.setRoleReadAccess('Foos', true);
  42.       acl.setRoleWriteAccess('Foos', true);
  43.       obj.setACL(acl);
  44.       return obj.save();
  45.     }).then(() => {
  46.       var query = new Parse.Query('TestObject');
  47.       return query.find({ sessionToken: user.getSessionToken() });
  48.     }).then((x) => {
  49.       expect(x.length).toEqual(1);
  50.       var objAgain = x[0];
  51.       objAgain.set('foo', 'bar');
  52.       // This should succeed:
  53.       return objAgain.save({}, {sessionToken: user.getSessionToken()});
  54.     }).then((x) => {
  55.       x.set('foo', 'baz');
  56.       // This should fail:
  57.       return x.save({},{sessionToken: ""});
  58.     }).then(() => {
  59.       fail('Should not have been able to save.');
  60.     }, (e) => {
  61.       expect(e.code).toEqual(Parse.Error.OBJECT_NOT_FOUND);
  62.       done();
  63.     });
  64.  
  65.   });
  66.  
  67.   var createRole = function(name, sibling, user) {
  68.     var role = new Parse.Role(name, new Parse.ACL());
  69.     if (user) {
  70.       var users = role.relation('users');
  71.       users.add(user);
  72.     }
  73.     if (sibling) {
  74.       role.relation('roles').add(sibling);
  75.     }
  76.     return role.save({}, { useMasterKey: true });
  77.   };
  78.  
  79.   it("should not recursively load the same role multiple times", (done) => {
  80.     var rootRole = "RootRole";
  81.     var roleNames = ["FooRole", "BarRole", "BazRole"];
  82.     var allRoles = [rootRole].concat(roleNames);
  83.  
  84.     var roleObjs = {};
  85.     var createAllRoles = function(user) {
  86.       var promises = allRoles.map(function(roleName) {
  87.         return createRole(roleName, null, user)
  88.           .then(function(roleObj) {
  89.             roleObjs[roleName] = roleObj;
  90.             return roleObj;
  91.           });
  92.       });
  93.       return Promise.all(promises);
  94.     };
  95.  
  96.     var restExecute = spyOn(RestQuery.prototype, "execute").and.callThrough();
  97.  
  98.     var user,
  99.       auth,
  100.       getAllRolesSpy;
  101.     createTestUser().then((newUser) => {
  102.       user = newUser;
  103.       return createAllRoles(user);
  104.     }).then ((roles) => {
  105.       var rootRoleObj = roleObjs[rootRole];
  106.       roles.forEach(function(role, i) {
  107.         // Add all roles to the RootRole
  108.         if (role.id !== rootRoleObj.id) {
  109.           role.relation("roles").add(rootRoleObj);
  110.         }
  111.         // Add all "roleNames" roles to the previous role
  112.         if (i > 0) {
  113.           role.relation("roles").add(roles[i - 1]);
  114.         }
  115.       });
  116.  
  117.       return Parse.Object.saveAll(roles, { useMasterKey: true });
  118.     }).then(() => {
  119.       auth = new Auth({config: new Config("test"), isMaster: true, user: user});
  120.       getAllRolesSpy = spyOn(auth, "_getAllRolesNamesForRoleIds").and.callThrough();
  121.  
  122.       return auth._loadRoles();
  123.     }).then ((roles) => {
  124.       expect(roles.length).toEqual(4);
  125.  
  126.       allRoles.forEach(function(name) {
  127.         expect(roles.indexOf("role:" + name)).not.toBe(-1);
  128.       });
  129.  
  130.       // 1 Query for the initial setup
  131.       // 1 query for the parent roles
  132.       expect(restExecute.calls.count()).toEqual(2);
  133.  
  134.       // 1 call for the 1st layer of roles
  135.       // 1 call for the 2nd layer
  136.       expect(getAllRolesSpy.calls.count()).toEqual(2);
  137.       done()
  138.     }).catch(() =>  {
  139.       fail("should succeed");
  140.       done();
  141.     });
  142.  
  143.   });
  144.  
  145.   it("should recursively load roles", (done) => {
  146.     var rolesNames = ["FooRole", "BarRole", "BazRole"];
  147.     var roleIds = {};
  148.     createTestUser().then((user) => {
  149.        // Put the user on the 1st role
  150.       return createRole(rolesNames[0], null, user).then((aRole) => {
  151.         roleIds[aRole.get("name")] = aRole.id;
  152.          // set the 1st role as a sibling of the second
  153.          // user will should have 2 role now
  154.         return createRole(rolesNames[1], aRole, null);
  155.       }).then((anotherRole) => {
  156.         roleIds[anotherRole.get("name")] = anotherRole.id;
  157.          // set this role as a sibling of the last
  158.          // the user should now have 3 roles
  159.         return createRole(rolesNames[2], anotherRole, null);
  160.       }).then((lastRole) => {
  161.         roleIds[lastRole.get("name")] = lastRole.id;
  162.         var auth = new Auth({ config: new Config("test"), isMaster: true, user: user });
  163.         return auth._loadRoles();
  164.       })
  165.     }).then((roles) => {
  166.       expect(roles.length).toEqual(3);
  167.       rolesNames.forEach((name) => {
  168.         expect(roles.indexOf('role:' + name)).not.toBe(-1);
  169.       });
  170.       done();
  171.     }, function(){
  172.       fail("should succeed")
  173.       done();
  174.     });
  175.   });
  176.  
  177.   it("_Role object should not save without name.", (done) => {
  178.     var role = new Parse.Role();
  179.     role.save(null,{useMasterKey:true})
  180.     .then(() => {
  181.       fail("_Role object should not save without name.");
  182.     }, (error) => {
  183.       expect(error.code).toEqual(111);
  184.       role.set('name','testRole');
  185.       role.save(null,{useMasterKey:true})
  186.       .then(()=>{
  187.         fail("_Role object should not save without ACL.");
  188.       }, (error2) =>{
  189.         expect(error2.code).toEqual(111);
  190.         done();
  191.       });
  192.     });
  193.   });
  194.  
  195.   it("Different _Role objects cannot have the same name.", (done) => {
  196.     const roleName = "MyRole";
  197.     let aUser;
  198.     createTestUser().then((user) => {
  199.       aUser = user;
  200.       return createRole(roleName, null, aUser);
  201.     }).then((firstRole) => {
  202.       expect(firstRole.getName()).toEqual(roleName);
  203.       return createRole(roleName, null, aUser);
  204.     }).then(() => {
  205.       fail("_Role cannot have the same name as another role");
  206.       done();
  207.     }, (error) => {
  208.       expect(error.code).toEqual(137);
  209.       done();
  210.     });
  211.   });
  212.  
  213.   it("Should properly resolve roles", (done) => {
  214.     const admin = new Parse.Role("Admin", new Parse.ACL());
  215.     const moderator = new Parse.Role("Moderator", new Parse.ACL());
  216.     const superModerator = new Parse.Role("SuperModerator", new Parse.ACL());
  217.     const contentManager = new Parse.Role('ContentManager', new Parse.ACL());
  218.     const superContentManager = new Parse.Role('SuperContentManager', new Parse.ACL());
  219.     Parse.Object.saveAll([admin, moderator, contentManager, superModerator, superContentManager], {useMasterKey: true}).then(() => {
  220.       contentManager.getRoles().add([moderator, superContentManager]);
  221.       moderator.getRoles().add([admin, superModerator]);
  222.       superContentManager.getRoles().add(superModerator);
  223.       return Parse.Object.saveAll([admin, moderator, contentManager, superModerator, superContentManager], {useMasterKey: true});
  224.     }).then(() => {
  225.       var auth = new Auth({ config: new Config("test"), isMaster: true });
  226.       // For each role, fetch their sibling, what they inherit
  227.       // return with result and roleId for later comparison
  228.       const promises = [admin, moderator, contentManager, superModerator].map((role) => {
  229.         return auth._getAllRolesNamesForRoleIds([role.id]).then((result) => {
  230.           return Parse.Promise.as({
  231.             id: role.id,
  232.             name: role.get('name'),
  233.             roleNames: result
  234.           });
  235.         })
  236.       });
  237.  
  238.       return Parse.Promise.when(promises);
  239.     }).then((results) => {
  240.       results.forEach((result) => {
  241.         const id = result.id;
  242.         const roleNames = result.roleNames;
  243.         if (id == admin.id) {
  244.           expect(roleNames.length).toBe(2);
  245.           expect(roleNames.indexOf("Moderator")).not.toBe(-1);
  246.           expect(roleNames.indexOf("ContentManager")).not.toBe(-1);
  247.         } else if (id == moderator.id) {
  248.           expect(roleNames.length).toBe(1);
  249.           expect(roleNames.indexOf("ContentManager")).toBe(0);
  250.         } else if (id == contentManager.id) {
  251.           expect(roleNames.length).toBe(0);
  252.         } else if (id == superModerator.id) {
  253.           expect(roleNames.length).toBe(3);
  254.           expect(roleNames.indexOf("Moderator")).not.toBe(-1);
  255.           expect(roleNames.indexOf("ContentManager")).not.toBe(-1);
  256.           expect(roleNames.indexOf("SuperContentManager")).not.toBe(-1);
  257.         }
  258.       });
  259.       done();
  260.     }).fail(() => {
  261.       done();
  262.     })
  263.  
  264.   });
  265.  
  266.   it('can create role and query empty users', (done)=> {
  267.     var roleACL = new Parse.ACL();
  268.     roleACL.setPublicReadAccess(true);
  269.     var role = new Parse.Role('subscribers', roleACL);
  270.     role.save({}, {useMasterKey : true})
  271.       .then(()=>{
  272.         var query = role.relation('users').query();
  273.         query.find({useMasterKey : true})
  274.           .then(()=>{
  275.             done();
  276.           }, ()=>{
  277.             fail('should not have errors');
  278.             done();
  279.           });
  280.       }, () => {
  281.         fail('should not have errored');
  282.       });
  283.   });
  284.  
  285.   // Based on various scenarios described in issues #827 and #683,
  286.   it('should properly handle role permissions on objects', (done) => {
  287.     var user, user2, user3;
  288.     var role, role2, role3;
  289.     var obj, obj2;
  290.  
  291.     var prACL = new Parse.ACL();
  292.     prACL.setPublicReadAccess(true);
  293.     var adminACL, superACL, customerACL;
  294.  
  295.     createTestUser().then((x) => {
  296.       user = x;
  297.       user2 = new Parse.User();
  298.       return user2.save({ username: 'user2', password: 'omgbbq' });
  299.     }).then(() => {
  300.       user3 = new Parse.User();
  301.       return user3.save({ username: 'user3', password: 'omgbbq' });
  302.     }).then(() => {
  303.       role = new Parse.Role('Admin', prACL);
  304.       role.getUsers().add(user);
  305.       return role.save({}, { useMasterKey: true });
  306.     }).then(() => {
  307.       adminACL = new Parse.ACL();
  308.       adminACL.setRoleReadAccess("Admin", true);
  309.       adminACL.setRoleWriteAccess("Admin", true);
  310.  
  311.       role2 = new Parse.Role('Super', prACL);
  312.       role2.getUsers().add(user2);
  313.       return role2.save({}, { useMasterKey: true });
  314.     }).then(() => {
  315.       superACL = new Parse.ACL();
  316.       superACL.setRoleReadAccess("Super", true);
  317.       superACL.setRoleWriteAccess("Super", true);
  318.  
  319.       role.getRoles().add(role2);
  320.       return role.save({}, { useMasterKey: true });
  321.     }).then(() => {
  322.       role3 = new Parse.Role('Customer', prACL);
  323.       role3.getUsers().add(user3);
  324.       role3.getRoles().add(role);
  325.       return role3.save({}, { useMasterKey: true });
  326.     }).then(() => {
  327.       customerACL = new Parse.ACL();
  328.       customerACL.setRoleReadAccess("Customer", true);
  329.       customerACL.setRoleWriteAccess("Customer", true);
  330.  
  331.       var query = new Parse.Query('_Role');
  332.       return query.find({ useMasterKey: true });
  333.     }).then((x) => {
  334.       expect(x.length).toEqual(3);
  335.  
  336.       obj = new Parse.Object('TestObjectRoles');
  337.       obj.set('ACL', customerACL);
  338.       return obj.save(null, { useMasterKey: true });
  339.     }).then(() => {
  340.       // Above, the Admin role was added to the Customer role.
  341.       // An object secured by the Customer ACL should be able to be edited by the Admin user.
  342.       obj.set('changedByAdmin', true);
  343.       return obj.save(null, { sessionToken: user.getSessionToken() });
  344.     }).then(() => {
  345.       obj2 = new Parse.Object('TestObjectRoles');
  346.       obj2.set('ACL', adminACL);
  347.       return obj2.save(null, { useMasterKey: true });
  348.     }, () => {
  349.       fail('Admin user should have been able to save.');
  350.       done();
  351.     }).then(() => {
  352.       // An object secured by the Admin ACL should not be able to be edited by a Customer role user.
  353.       obj2.set('changedByCustomer', true);
  354.       return obj2.save(null, { sessionToken: user3.getSessionToken() });
  355.     }).then(() => {
  356.       fail('Customer user should not have been able to save.');
  357.       done();
  358.     }, (e) => {
  359.       if (e) {
  360.         expect(e.code).toEqual(101);
  361.       } else {
  362.         fail('should return an error');
  363.       }
  364.       done();
  365.     })
  366.   });
  367.  
  368.   it('should add multiple users to a role and remove users', (done) => {
  369.     var user, user2, user3;
  370.     var role;
  371.     var obj;
  372.  
  373.     var prACL = new Parse.ACL();
  374.     prACL.setPublicReadAccess(true);
  375.     prACL.setPublicWriteAccess(true);
  376.  
  377.     createTestUser().then((x) => {
  378.       user = x;
  379.       user2 = new Parse.User();
  380.       return user2.save({ username: 'user2', password: 'omgbbq' });
  381.     }).then(() => {
  382.       user3 = new Parse.User();
  383.       return user3.save({ username: 'user3', password: 'omgbbq' });
  384.     }).then(() => {
  385.       role = new Parse.Role('sharedRole', prACL);
  386.       var users = role.relation('users');
  387.       users.add(user);
  388.       users.add(user2);
  389.       users.add(user3);
  390.       return role.save({}, { useMasterKey: true });
  391.     }).then(() => {
  392.       // query for saved role and get 3 users
  393.       var query = new Parse.Query('_Role');
  394.       query.equalTo('name', 'sharedRole');
  395.       return query.find({ useMasterKey: true });
  396.     }).then((role) => {
  397.       expect(role.length).toEqual(1);
  398.       var users = role[0].relation('users').query();
  399.       return users.find({ useMasterKey: true });
  400.     }).then((users) => {
  401.       expect(users.length).toEqual(3);
  402.       obj = new Parse.Object('TestObjectRoles');
  403.       obj.set('ACL', prACL);
  404.       return obj.save(null, { useMasterKey: true });
  405.     }).then(() => {
  406.       // Above, the Admin role was added to the Customer role.
  407.       // An object secured by the Customer ACL should be able to be edited by the Admin user.
  408.       obj.set('changedByUsers', true);
  409.       return obj.save(null, { sessionToken: user.getSessionToken() });
  410.     }).then(() => {
  411.       // query for saved role and get 3 users
  412.       var query = new Parse.Query('_Role');
  413.       query.equalTo('name', 'sharedRole');
  414.       return query.find({ useMasterKey: true });
  415.     }).then((role) => {
  416.       expect(role.length).toEqual(1);
  417.       var users = role[0].relation('users');
  418.       users.remove(user);
  419.       users.remove(user3);
  420.       return role[0].save({}, { useMasterKey: true });
  421.     }).then((role) =>{
  422.       var users = role.relation('users').query();
  423.       return users.find({ useMasterKey: true });
  424.     }).then((users) => {
  425.       expect(users.length).toEqual(1);
  426.       expect(users[0].get('username')).toEqual('user2');
  427.       done();
  428.     });
  429.   });
  430.  
  431.   it('should be secure (#3835)', (done) => {
  432.     const acl = new Parse.ACL();
  433.     acl.getPublicReadAccess(true);
  434.     const role = new Parse.Role('admin', acl);
  435.     role.save().then(() => {
  436.       const user = new Parse.User();
  437.       return user.signUp({username: 'hello', password: 'world'});
  438.     }).then((user) => {
  439.       role.getUsers().add(user)
  440.       return role.save();
  441.     }).then(done.fail, () => {
  442.       const query = role.getUsers().query();
  443.       return query.find({useMasterKey: true});
  444.     }).then((results) => {
  445.       expect(results.length).toBe(0);
  446.       done();
  447.     })
  448.     .catch(done.fail);
  449.   });
  450.  
  451. });
  452.  
downloadParseRole.spec.js Source code - Download parse-server Source code
Related Source Codes/Software:
react-boilerplate - 2017-06-07
webtorrent - Streaming torrent client for the web ... 2017-06-06
machine-learning-for-software-engineers - A complete daily plan for studying to become a mac... 2017-06-06
upterm - A terminal emulator for the 21st century. 2017-06-06
lottie-android - Render After Effects animations natively on Androi... 2017-06-07
AsyncDisplayKit - Smooth asynchronous user interfaces for iOS apps. ... 2017-06-07
ionicons - The premium icon font for Ionic ... 2017-06-07
storybook - 2017-06-07
prettier - Prettier is an opinionated JavaScript formatter. ... 2017-06-08
CRYENGINE - CRYENGINE is a powerful real-time game development... 2017-06-11
postal - 2017-06-11
reactide - Reactide is the first dedicated IDE for React web ... 2017-06-11
rkt - rkt is a pod-native container engine for Linux. It... 2017-06-11
uWebSockets - Tiny WebSockets https://for... 2017-06-11
realworld - TodoMVC for the RealWorld - Exemplary fullstack Me... 2017-06-11
goreplay - GoReplay is an open-source tool for capturing and ... 2017-06-10
pyenv - Simple Python version management 2017-06-10
redux-saga - An alternative side effect model for Redux apps ... 2017-06-10
angular-starter - 2017-06-10

 Back to top