Updating tests

andrewwippler · Jul 28, 2024 · 56755ed · 56755ed
1 parent ee1a44f
commit 56755ed
Show file tree

Hide file tree

Showing 10 changed files with 118 additions and 19 deletions.
diff --git a/api/app/controllers/http/PlacesController.ts b/api/app/controllers/http/PlacesController.ts
@@ -43,9 +43,6 @@ export default class PlacesController {
     } catch (error) {
       return response.status(404).send({ message: 'Illustration does not exist' })
     }
-    if (!illustration) {
-      return response.status(403).send({ message: 'Illustration does not exist' })
-    }
 
     if (!illustration.toJSON()[0] && illustration.user_id != auth.user?.id) {
       return response.status(403).send({ message: 'You do not have permission to access this resource' })

diff --git a/api/app/controllers/http/UploadsController.ts b/api/app/controllers/http/UploadsController.ts
@@ -65,7 +65,7 @@ export default class UploadsController {
     await upload[0].delete()
 
     const uploadsPath = app.makePath('uploads', env.get("NODE_ENV"), upload[0].name ) // delete just the attachment
-    console.log('deleting:', uploadsPath)
+    // console.log('deleting:', uploadsPath)
     await fs.rm(uploadsPath, { recursive: false, force: true })
     return response.send({ message: `Deleted Upload id: ${upload[0].id}` })
   }

diff --git a/api/app/controllers/http/UsersController.ts b/api/app/controllers/http/UsersController.ts
@@ -49,9 +49,9 @@ export default class UsersController {
 
   }
 
-  public show({ auth, params }: HttpContext) {
+  public show({ auth, params, response }: HttpContext) {
     if (auth.user?.uid !== params.uid) {
-      return "You cannot see someone else's profile"
+      return response.status(401).send({ message: "You cannot see someone else's profile" })
     }
     return auth.user
   }

diff --git a/api/app/middleware/initialize_bouncer_middleware.ts b/api/app/middleware/initialize_bouncer_middleware.ts
@@ -24,9 +24,9 @@ export default class InitializeBouncerMiddleware {
     /**
      * Share bouncer helpers with Edge templates.
      */
-    if ('view' in ctx) {
-      ctx.view.share(ctx.bouncer.edgeHelpers)
-    }
+    // if ('view' in ctx) {
+    //   ctx.view.share(ctx.bouncer.edgeHelpers)
+    // }
 
     return next()
   }

diff --git a/api/tests/functional/contact.spec.ts b/api/tests/functional/contact.spec.ts
@@ -20,4 +20,9 @@ test.group('Contact', (group) => {
 
   })
 
+  test('Errors submit a contact form request', async ({ client }) => {
+    const response = await client.post('/contact').json({})
+    response.assertStatus(400)
+  })
+
 })
diff --git a/api/tests/functional/health.spec.ts b/api/tests/functional/health.spec.ts
@@ -0,0 +1,9 @@
+import { test } from '@japa/runner'
+
+test.group('Health', () => {
+  test('Health check succeeds', async ({ client, assert }) => {
+
+    const response = await client.get('/healthz')
+    assert.isOk(response)
+  })
+})
diff --git a/api/tests/functional/illustration.spec.ts b/api/tests/functional/illustration.spec.ts
@@ -108,11 +108,14 @@ test.group('Illustrations', (group) => {
 
   test('Cannot access unowned illustration', async ({ client, assert }) => {
     const loggedInUser = await client.post('/login').json({ email: badUser.email, password: 'oasssadfasdf' })
-    const illustration = await IllustrationFactory.merge({ title: 'Illustrations Test2', user_id: goodUser.id }).create()
-// console.log("test",illustration.id,goodUser.id)
+    const illustration = await IllustrationFactory.merge({ title: 'Illustrations Test2', legacy_id: 899, user_id: goodUser.id }).create()
     const response = await client.get(`/illustration/${illustration.id}`).bearerToken(loggedInUser.body().token)
     response.assertStatus(403)
-    assert.equal(response.body().message,'You do not have permission to access this resource')
+    assert.equal(response.body().message, 'You do not have permission to access this resource')
+
+    const legacy = await client.get(`/illustrations/${illustration.legacy_id}`).bearerToken(loggedInUser.body().token)
+    legacy.assertStatus(403)
+    assert.equal(legacy.body().message,'You do not have permission to access this resource')
   })
 
   test('Create illustrations with tags and places', async ({ client, assert }) => {
@@ -288,6 +291,7 @@ test.group('Illustrations', (group) => {
 
   test('Author routes', async ({ client, assert }) => {
     const loggedInUser = await client.post('/login').json({ email: goodUser.email, password: 'oasssadfasdf' })
+    const secondLoggedInUser = await client.post('/login').json({ email: badUser.email, password: 'oasssadfasdf' })
 
     const illustration =  {
       author: 'testy mctest',
@@ -304,15 +308,23 @@ test.group('Illustrations', (group) => {
       content: 'this shall pass as new',
     }
     await client.post('/illustration').bearerToken(loggedInUser.body().token).json(second)
+    await client.post('/illustration').bearerToken(secondLoggedInUser.body().token).json(second)
 
     const both = await client.get('/illustration/authors').bearerToken(loggedInUser.body().token)
+    const none = await client.get('/illustration/authors').bearerToken(secondLoggedInUser.body().token)
 
     both.assertStatus(200)
-    assert.equal(both.body().length,2)
+    assert.equal(both.body().length, 2)
+
+    none.assertStatus(204)
+    assert.isObject(none.body())
+
 
     const response = await client.get('/author/'+illustration.author).bearerToken(loggedInUser.body().token)
     response.assertStatus(200)
-    assert.equal(response.body().length,1)
+    assert.equal(response.body().length, 1)
+    const last = await client.get('/author/boogers').bearerToken(loggedInUser.body().token)
+    last.assertStatus(204)
 
   })
 

diff --git a/api/tests/functional/place.spec.ts b/api/tests/functional/place.spec.ts
@@ -68,15 +68,19 @@ test.group('Place', (group) => {
 
   })
 
-  test('Cannot add new place to your illustration', async ({ client, assert }) => {
+  test('Cannot add new place to your illustration or unknown', async ({ client, assert }) => {
 
     const loggedInUser = await client.post('/login').json({ email: badUser.email, password: 'oasssadfasdf' })
     const illustration = await Illustration.findByOrFail('title', 'Places Test')
     const place = await PlaceFactory.make()
 
     const response = await client.post(`/places/${illustration.id}`).bearerToken(loggedInUser.body().token).json(place.toJSON())
     response.assertStatus(403)
-    assert.equal(response.body().message,'You do not have permission to access this resource')
+    assert.equal(response.body().message, 'You do not have permission to access this resource')
+
+    const unknown = await client.post(`/places/9999999999`).bearerToken(loggedInUser.body().token).json(place.toJSON())
+    unknown.assertStatus(404)
+    assert.equal(unknown.body().message,'Illustration does not exist')
 
   })
 

diff --git a/api/tests/functional/uploads.spec.ts b/api/tests/functional/uploads.spec.ts
@@ -9,7 +9,8 @@ import db from '@adonisjs/lucid/services/db'
 import User from '#models/user';
 import IllustrationFactory from '#database/factories/IllustrationFactory';
 import Illustration from '#models/illustration';
-let goodUser: User, illustration: Illustration
+import Upload from '#models/upload';
+let goodUser: User, illustration: Illustration, badUser: User
 
 const __filename = fileURLToPath(import.meta.url); // get the resolved path to the file
 const __dirname = path.dirname(__filename); // get the name of the directory
@@ -29,11 +30,13 @@ test.group('UploadsController', (group) => {
 
   group.setup(async () => {
     goodUser = await UserFactory.merge({ password: 'oasssadfasdf' }).create()
+    badUser = await UserFactory.merge({ password: 'oasssadfasdf' }).create()
     illustration = await IllustrationFactory.merge({ title: 'Illustrations Test', user_id: goodUser.id }).create()
   })
 
   group.teardown(async () => {
     await goodUser.delete()
+    await badUser.delete()
   })
 
   test('should upload a file successfully', async ({ client, assert }) => {
@@ -42,8 +45,7 @@ test.group('UploadsController', (group) => {
     const response = await client.post('/upload').file('illustration_image', filePath)
     .fields({
       illustration_id: illustration.id
-    })
-  .bearerToken(loggedInUser.body().token).send()
+    }).bearerToken(loggedInUser.body().token).send()
 
     response.assertStatus(200)
     response.assertBodyContains({ message: 'File uploaded successfully' })
@@ -78,4 +80,48 @@ test.group('UploadsController', (group) => {
     response.assertStatus(400)
     response.assertBodyContains([{ message: 'Invalid file extension txt. Only jpg, png, gif, pdf are allowed' }])
   })
+
+  test('should not allow badUser to upload to goodUers illustration', async ({ client, assert }) => {
+
+    const loggedInUser = await client.post('/login').json({ email: badUser.email, password: 'oasssadfasdf' })
+    const filePath = join(__dirname, '..', 'assets', '1kb.png')
+    const response = await client.post('/upload').file('illustration_image', filePath)
+    .fields({
+      illustration_id: illustration.id
+    }).bearerToken(loggedInUser.body().token).send()
+
+    assert.equal(response.body().message, "E_AUTHORIZATION_FAILURE: Not authorized to perform this action")
+  })
+
+  test('should not allow badUser delete attachment from goodUser', async ({ client, assert }) => {
+    const goodLoggedInUser = await client.post('/login').json({ email: goodUser.email, password: 'oasssadfasdf' })
+    const badLoggedInUser = await client.post('/login').json({ email: badUser.email, password: 'oasssadfasdf' })
+    const filePath = join(__dirname, '..', 'assets', '1kb.png')
+    await client.post('/upload').file('illustration_image', filePath)
+    .fields({
+      illustration_id: illustration.id
+    }).bearerToken(goodLoggedInUser.body().token).send()
+
+    const uploadId = await Upload.findBy('illustration_id', illustration.id)
+
+    const response = await client.delete(`/upload/${uploadId.id}`).bearerToken(badLoggedInUser.body().token).send()
+    response.assertStatus(403)
+    assert.equal(response.body().message, "You do not have permission to access this resource")
+
+  })
+
+  test('should be able to delete own attachment', async ({ client, assert }) => {
+    const goodLoggedInUser = await client.post('/login').json({ email: goodUser.email, password: 'oasssadfasdf' })
+    const filePath = join(__dirname, '..', 'assets', '1kb.png')
+    await client.post('/upload').file('illustration_image', filePath)
+    .fields({
+      illustration_id: illustration.id
+    }).bearerToken(goodLoggedInUser.body().token).send()
+
+    const uploadId = await Upload.findBy('illustration_id', illustration.id)
+
+    const response = await client.delete(`/upload/${uploadId.id}`).bearerToken(goodLoggedInUser.body().token).send()
+    response.assertStatus(200)
+    assert.equal(response.body().message, `Deleted Upload id: ${uploadId.id}`)
+  })
 })
diff --git a/api/tests/functional/user.spec.ts b/api/tests/functional/user.spec.ts
@@ -32,6 +32,32 @@ test.group('Users', (group) => {
 
   })
 
+  test('Cannot see your profile', async ({ client, assert }) => {
+
+    const user = await UserFactory.make()
+    const userTwo = await UserFactory.make()
+    let fixedUser = {
+      email: user.email,
+      password: user.password+"1A!a",
+      password_confirmation: user.password+"1A!a"
+    }
+    let fixedUser2 = {
+      email: userTwo.email,
+      password: userTwo.password+"1A!a",
+      password_confirmation: userTwo.password+"1A!a"
+    }
+
+    const userOne = await client.post('/register').json(fixedUser)
+    const registeredTwo = await client.post('/register').json(fixedUser2)
+
+    const loggedInUser = await client.post('/login').json({email: user.email, password: user.password+"1A!a"})
+
+    const verify = await client.get(`/users/${registeredTwo.body().uid}`).bearerToken(loggedInUser.body().token)
+    verify.assertStatus(401)
+    assert.equal(verify.body().message, "You cannot see someone else's profile")
+
+  })
+
   test('Bad passwords', async ({ client, assert }) => {
     // no password
     const user = await UserFactory.make()