add test that only owner can open tickets

2022-11-23 17:48:05 +01:00
parent 30fb1aa351
commit f728971479
3 changed files with 42 additions and 6 deletions
@@ -31,6 +31,14 @@ exports = module.exports = {
        token: null
    },

+    admin: {
+        id: null,
+        username: 'administrator',
+        password: 'Foobar?1339',
+        email: 'admin@cloudron.local',
+        token: null
+    },
+
    user: {
        id: null,
        username: 'user',
@@ -54,7 +62,7 @@ async function setupServer() {
 }

 async function setup() {
-    const owner = exports.owner, serverUrl = exports.serverUrl, user = exports.user;
+    const owner = exports.owner, serverUrl = exports.serverUrl, user = exports.user, admin = exports.admin;

    await setupServer();
    await safe(fs.promises.unlink(support._sshInfo().filePath));
@@ -74,6 +82,16 @@ async function setup() {
    owner.token = response.body.token;
    owner.id = response.body.userId;

+    // create an admin
+    response = await superagent.post(`${serverUrl}/api/v1/users`)
+        .query({ access_token: owner.token })
+        .send({ username: admin.username, email: admin.email, password: admin.password });
+    expect(response.status).to.equal(201);
+    admin.id = response.body.id;
+    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
+    const token1 = await tokens.add({ identifier: admin.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
+    admin.token = token1.accessToken;
+
    // create user
    response = await superagent.post(`${serverUrl}/api/v1/users`)
        .query({ access_token: owner.token })
@@ -81,8 +99,8 @@ async function setup() {
    expect(response.status).to.equal(201);
    user.id = response.body.id;
    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-    const token = await tokens.add({ identifier: user.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
-    user.token = token.accessToken;
+    const token2 = await tokens.add({ identifier: user.id, clientId: 'test-client-id', expires: Date.now() + (60 * 60 * 1000), name: 'fromtest' });
+    user.token = token2.accessToken;

    await settings._set(settings.APPSTORE_API_TOKEN_KEY, exports.appstoreToken); // appstore token
 }
@@ -101,7 +101,7 @@ describe('Eventlog API', function () {
                .query({ access_token: owner.token, page: 1, per_page: 10, actions: 'cloudron.activate, user.add' });

            expect(response.statusCode).to.equal(200);
-            expect(response.body.eventlogs.length).to.equal(3);
+            expect(response.body.eventlogs.length).to.equal(4);
        });

        it('succeeds with search', async function () {
@@ -13,7 +13,7 @@ const common = require('./common.js'),
    superagent = require('superagent');

 describe('Support API', function () {
-    const { setup, cleanup, serverUrl, owner, mockApiServerOrigin, appstoreToken } = common;
+    const { setup, cleanup, serverUrl, owner, mockApiServerOrigin, appstoreToken, user, admin } = common;

    before(setup);
    after(cleanup);
@@ -169,7 +169,25 @@ describe('Support API', function () {
            expect(scope2.isDone()).to.be.ok();
        });

-        it('succeeds with app type', async function () {
+        it('normal user cannot open tickets', async function () {
+            const response = await superagent.post(`${serverUrl}/api/v1/support/ticket`)
+                .send({ type: 'app_missing', subject: 'some subject', description: 'some description' })
+                .query({ access_token: user.token })
+                .ok(() => true);
+
+            expect(response.statusCode).to.equal(403);
+        });
+
+        it('admin also cannot open tickets', async function () {
+            const response = await superagent.post(`${serverUrl}/api/v1/support/ticket`)
+                .send({ type: 'app_missing', subject: 'some subject', description: 'some description' })
+                .query({ access_token: admin.token })
+                .ok(() => true);
+
+            expect(response.statusCode).to.equal(403);
+        });
+
+        it('owner can open tickets', async function () {
            const scope2 = nock(mockApiServerOrigin)
                .filteringRequestBody(function (/* unusedBody */) { return ''; }) // strip out body
                .post(`/api/v1/ticket?accessToken=${appstoreToken}`)