Do not allow normal users to get group listings or details

2016-02-25 13:34:01 +01:00
parent 7165be0513
commit a0d7406b3c
2 changed files with 38 additions and 4 deletions
--- a/src/routes/test/groups-test.js
+++ b/src/routes/test/groups-test.js
@@ -15,13 +15,15 @@ var appdb = require('../../appdb.js'),
    superagent = require('superagent'),
    server = require('../../server.js'),
    settings = require('../../settings.js'),
+    tokendb = require('../../tokendb.js'),
    nock = require('nock'),
    userdb = require('../../userdb.js');

 var SERVER_URL = 'http://localhost:' + config.get('port');

 var USERNAME = 'admin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';
-var token = null;
+var USERNAME_1 = 'user', PASSWORD_1 = 'Foobar?1337', EMAIL_1 ='happy@me.com';
+var token, token_1 = null;

 var server;
 function setup(done) {
@@ -48,8 +50,22 @@ function setup(done) {

                callback();
            });
+        },
+        function (callback) {
+            superagent.post(SERVER_URL + '/api/v1/users')
+                   .query({ access_token: token })
+                   .send({ username: USERNAME_1, email: EMAIL_1, invite: false })
+                   .end(function (error, result) {
+                expect(result).to.be.ok();
+                expect(result.statusCode).to.eql(201);
+
+                token_1 = tokendb.generateToken();
+
+                // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
+                tokendb.add(token_1, tokendb.PREFIX_USER + USERNAME_1, 'test-client-id',  Date.now() + 100000, '*', callback);
+            });
        }
-    ], done);
+  ], done);
 }

 function cleanup(done) {
@@ -73,6 +89,15 @@ describe('Groups API', function () {
            });
        });

+        it('cannot get groups as normal user', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/groups')
+                   .query({ access_token: token_1 })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(403);
+                done();
+            });
+        });
+
        it('can get groups', function (done) {
            superagent.get(SERVER_URL + '/api/v1/groups')
                   .query({ access_token: token })
@@ -127,6 +152,15 @@ describe('Groups API', function () {
            });
        });

+        it('cannot get existing group with normal user', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/groups/admin')
+                  .query({ access_token: token_1 })
+                  .end(function (error, result) {
+                expect(result.statusCode).to.equal(403);
+                done();
+            });
+        });
+
        it('can get existing group', function (done) {
            superagent.get(SERVER_URL + '/api/v1/groups/admin')
                  .query({ access_token: token })