Home Explore Help
Sign In
mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: ccd9034339
Branches Tags
wekan
/
server
/
lib
/
tests
/
cards.security.tests.js

cards.security.tests.js 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. /* eslint-env mocha */
    2. 

  2. import { expect } from 'chai';
    3. 

  3. import '../utils';
    4. 

  4. import '/models/cards';
    5. 

  5. 

  6. // Unit tests for canUpdateCard policy (deny direct vote updates)
    7. 

  7. describe('cards security', function() {
    8. 

  8.   describe(canUpdateCard.name, function() {
    9. 

  9.     const userId = 'user1';
    10. 

  10.     const board = {
    11. 

  11.       hasMember: (id) => id === userId,
    12. 

  12.     };
    13. 

  13.     const doc = { boardId: 'board1' };
    14. 

  14. 

  15.     // Patch ReactiveCache.getBoard for this unit test scope if not defined
    16. 

  16.     const origGetBoard = ReactiveCache && ReactiveCache.getBoard;
    17. 

  17.     before(function() {
    18. 

  18.       if (typeof ReactiveCache === 'object') {
    19. 

  19.         ReactiveCache.getBoard = () => board;
    20. 

  20.       }
    21. 

  21.     });
    22. 

  22.     after(function() {
    23. 

  23.       if (typeof ReactiveCache === 'object') {
    24. 

  24.         ReactiveCache.getBoard = origGetBoard;
    25. 

  25.       }
    26. 

  26.     });
    27. 

  27. 

  28.     it('denies anonymous users', function() {
    29. 

  29.       expect(canUpdateCard(null, doc, ['title'])).to.equal(false);
    30. 

  30.     });
    31. 

  31. 

  32.     it('denies direct vote updates', function() {
    33. 

  33.       expect(canUpdateCard(userId, doc, ['vote'])).to.equal(false);
    34. 

  34.       expect(canUpdateCard(userId, doc, ['vote', 'modifiedAt', 'dateLastActivity'])).to.equal(false);
    35. 

  35.       expect(canUpdateCard(userId, doc, ['vote.positive'])).to.equal(false);
    36. 

  36.       expect(canUpdateCard(userId, doc, ['vote.negative'])).to.equal(false);
    37. 

  37.     });
    38. 

  38. 

  39.     it('denies direct poker updates', function() {
    40. 

  40.       expect(canUpdateCard(userId, doc, ['poker'])).to.equal(false);
    41. 

  41.       expect(canUpdateCard(userId, doc, ['poker.one'])).to.equal(false);
    42. 

  42.       expect(canUpdateCard(userId, doc, ['poker.allowNonBoardMembers'])).to.equal(false);
    43. 

  43.       expect(canUpdateCard(userId, doc, ['poker.end'])).to.equal(false);
    44. 

  44.     });
    45. 

  45. 

  46.     it('allows member updates when not touching vote', function() {
    47. 

  47.       expect(canUpdateCard(userId, doc, ['title'])).to.equal(true);
    48. 

  48.       expect(canUpdateCard(userId, doc, ['description', 'modifiedAt'])).to.equal(true);
    49. 

  49.     });
    50. 

  50. 

  51.     it('denies non-members even when not touching vote', function() {
    52. 

  52.       const nonMemberId = 'user2';
    53. 

  53.       expect(canUpdateCard(nonMemberId, doc, ['title'])).to.equal(false);
    54. 

  54.     });
    55. 

  55.   });
    56. 

  56. });
    57.