Home Explore Help
Sign In
mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: ccd9034339
Branches Tags
wekan
/
server
/
lib
/
tests
/
cards.methods.tests.js

cards.methods.tests.js 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118 
  1. /* eslint-env mocha */
    2. 

  2. import { expect } from 'chai';
    3. 

  3. import sinon from 'sinon';
    4. 

  4. import { Meteor } from 'meteor/meteor';
    5. 

  5. import '/models/cards';
    6. 

  6. 

  7. // Helpers to access method handlers
    8. 

  8. const voteHandler = () => Meteor.server.method_handlers['cards.vote'];
    9. 

  9. const pokerVoteHandler = () => Meteor.server.method_handlers['cards.pokerVote'];
    10. 

  10. 

  11. // Preserve originals to restore after stubbing
    12. 

  12. const origGetCard = ReactiveCache.getCard;
    13. 

  13. const origGetBoard = ReactiveCache.getBoard;
    14. 

  14. 

  15. describe('cards methods security', function() {
    16. 

  16.   let updateStub;
    17. 

  17. 

  18.   beforeEach(function() {
    19. 

  19.     // Stub collection update to capture modifiers
    20. 

  20.     updateStub = sinon.stub(Cards, 'update').returns(1);
    21. 

  21.   });
    22. 

  22. 

  23.   afterEach(function() {
    24. 

  24.     if (updateStub) updateStub.restore();
    25. 

  25.     ReactiveCache.getCard = origGetCard;
    26. 

  26.     ReactiveCache.getBoard = origGetBoard;
    27. 

  27.   });
    28. 

  28. 

  29.   describe('cards.vote', function() {
    30. 

  30.     it('denies non-member when allowNonBoardMembers=false', function() {
    31. 

  31.       const cardId = 'card1';
    32. 

  32.       const callerId = 'user-nonmember';
    33. 

  33.       const board = { hasMember: id => id === 'someone-else' };
    34. 

  34.       const card = { _id: cardId, boardId: 'board1', vote: { allowNonBoardMembers: false } };
    35. 

  35. 

  36.       ReactiveCache.getCard = () => card;
    37. 

  37.       ReactiveCache.getBoard = () => board;
    38. 

  38. 

  39.       const callMethod = () => voteHandler().call({ userId: callerId }, cardId, true);
    40. 

  40.       expect(callMethod).to.throw();
    41. 

  41.       expect(updateStub.called).to.equal(false);
    42. 

  42.     });
    43. 

  43. 

  44.     it('allows non-member only for own userId when allowNonBoardMembers=true', function() {
    45. 

  45.       const cardId = 'card2';
    46. 

  46.       const callerId = 'user-guest';
    47. 

  47.       const board = { hasMember: id => id === 'someone-else' };
    48. 

  48.       const card = { _id: cardId, boardId: 'board2', vote: { allowNonBoardMembers: true } };
    49. 

  49. 

  50.       ReactiveCache.getCard = () => card;
    51. 

  51.       ReactiveCache.getBoard = () => board;
    52. 

  52. 

  53.       voteHandler().call({ userId: callerId }, cardId, true);
    54. 

  54. 

  55.       expect(updateStub.calledOnce).to.equal(true);
    56. 

  56.       const [, modifier] = updateStub.getCall(0).args;
    57. 

  57.       expect(modifier.$addToSet['vote.positive']).to.equal(callerId);
    58. 

  58.       expect(modifier.$pull['vote.negative']).to.equal(callerId);
    59. 

  59.       expect(modifier.$set.modifiedAt).to.be.instanceOf(Date);
    60. 

  60.       expect(modifier.$set.dateLastActivity).to.be.instanceOf(Date);
    61. 

  61.     });
    62. 

  62. 

  63.     it('ensures member votes only affect caller userId', function() {
    64. 

  64.       const cardId = 'card3';
    65. 

  65.       const callerId = 'member1';
    66. 

  66.       const otherId = 'member2';
    67. 

  67.       const board = { hasMember: id => (id === callerId || id === otherId) };
    68. 

  68.       const card = { _id: cardId, boardId: 'board3', vote: { allowNonBoardMembers: false } };
    69. 

  69. 

  70.       ReactiveCache.getCard = () => card;
    71. 

  71.       ReactiveCache.getBoard = () => board;
    72. 

  72. 

  73.       voteHandler().call({ userId: callerId }, cardId, true);
    74. 

  74. 

  75.       expect(updateStub.calledOnce).to.equal(true);
    76. 

  76.       const [, modifier] = updateStub.getCall(0).args;
    77. 

  77.       // Only callerId present in modifier
    78. 

  78.       expect(modifier.$addToSet['vote.positive']).to.equal(callerId);
    79. 

  79.       expect(modifier.$pull['vote.negative']).to.equal(callerId);
    80. 

  80.     });
    81. 

  81.   });
    82. 

  82. 

  83.   describe('cards.pokerVote', function() {
    84. 

  84.     it('denies non-member when allowNonBoardMembers=false', function() {
    85. 

  85.       const cardId = 'card4';
    86. 

  86.       const callerId = 'nm';
    87. 

  87.       const board = { hasMember: id => id === 'someone-else' };
    88. 

  88.       const card = { _id: cardId, boardId: 'board4', poker: { allowNonBoardMembers: false } };
    89. 

  89. 

  90.       ReactiveCache.getCard = () => card;
    91. 

  91.       ReactiveCache.getBoard = () => board;
    92. 

  92. 

  93.       const callMethod = () => pokerVoteHandler().call({ userId: callerId }, cardId, 'five');
    94. 

  94.       expect(callMethod).to.throw();
    95. 

  95.       expect(updateStub.called).to.equal(false);
    96. 

  96.     });
    97. 

  97. 

  98.     it('allows non-member only for own userId when allowNonBoardMembers=true', function() {
    99. 

  99.       const cardId = 'card5';
    100. 

  100.       const callerId = 'guest';
    101. 

  101.       const board = { hasMember: id => id === 'someone-else' };
    102. 

  102.       const card = { _id: cardId, boardId: 'board5', poker: { allowNonBoardMembers: true } };
    103. 

  103. 

  104.       ReactiveCache.getCard = () => card;
    105. 

  105.       ReactiveCache.getBoard = () => board;
    106. 

  106. 

  107.       pokerVoteHandler().call({ userId: callerId }, cardId, 'eight');
    108. 

  108. 

  109.       expect(updateStub.calledOnce).to.equal(true);
    110. 

  110.       const [, modifier] = updateStub.getCall(0).args;
    111. 

  111.       expect(modifier.$addToSet['poker.eight']).to.equal(callerId);
    112. 

  112.       // Ensure removal from other buckets includes callerId
    113. 

  113.       expect(modifier.$pull['poker.one']).to.equal(callerId);
    114. 

  114.       expect(modifier.$set.modifiedAt).to.be.instanceOf(Date);
    115. 

  115.       expect(modifier.$set.dateLastActivity).to.be.instanceOf(Date);
    116. 

  116.     });
    117. 

  117.   });
    118. 

  118. });
    119.