// Listing users is admin-only: a valid token belonging to a non-admin user must
// be answered with 403 and the standard `{ code, message }` error body.
it('should report error if logged user is not an admin', async () => {
  const res = await request(app)
    .get('/v1/users')
    .set('Authorization', `Bearer ${userAccessToken}`)
    .expect(httpStatus.FORBIDDEN);

  expect(res.body.code).to.be.equal(httpStatus.FORBIDDEN);
  expect(res.body.message).to.be.equal('Forbidden');
});
// Horizontal access check: a regular user may not PUT another user's record.
// The target id is looked up from the seeded fixture `dbUsers.branStark`, and the
// request is sent with `userAccessToken`, i.e. a token for a different user.
it('should report error when logged user is not the same as the requested one', async () => {
  const target = await User.findOne({ email: dbUsers.branStark.email });

  const res = await request(app)
    .put(`/v1/users/${target._id}`)
    .set('Authorization', `Bearer ${userAccessToken}`)
    .expect(httpStatus.FORBIDDEN);

  expect(res.body.code).to.be.equal(httpStatus.FORBIDDEN);
  expect(res.body.message).to.be.equal('Forbidden');
});
// Creating users is admin-only: a non-admin token posting a well-formed `user`
// payload must still be rejected with 403 (authorization, not validation, wins).
it('should report error when logged user is not an admin', async () => {
  const res = await request(app)
    .post('/v1/users')
    .set('Authorization', `Bearer ${userAccessToken}`)
    .send(user)
    .expect(httpStatus.FORBIDDEN);

  expect(res.body.code).to.be.equal(httpStatus.FORBIDDEN);
  expect(res.body.message).to.be.equal('Forbidden');
});
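/**
 * Build an Express middleware that lets the request through only when
 * `role` is allowed to perform `action` (optionally scoped by `params`).
 *
 * Note that the role is fixed when the middleware is created; it is not read
 * from the request. Anything other than an explicit allow ends in a
 * non-public 403 `APIError`.
 *
 * @param role    role passed straight to `this.checkAccess`
 * @param action  action being attempted
 * @param params  extra context forwarded unchanged to `this.checkAccess`
 * @returns {(req, res, next) => Promise<void>} Express middleware
 */
middleware(role, action, params) {
  return async (req, res, next) => {
    try {
      if (await this.checkAccess(role, action, params)) {
        return next();
      }
      // Fail closed: a falsy access decision is a 403, never a pass-through.
      return next(new APIError(null, httpStatus.FORBIDDEN, false));
    } catch (err) {
      // A rejected checkAccess() would otherwise become an unhandled
      // rejection and leave the request hanging (Express before v5 does not
      // await async middleware); hand it to the error handler instead.
      return next(err);
    }
  };
}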
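/**
 * Build the 403 `APIError` returned when the caller is not allowed to perform
 * the request.
 *
 * The previous detail texts ("This name already exist…", "Client with that
 * name is already exist") described a duplicate-name conflict, which
 * contradicts the FORBIDDEN code and looks like a copy-paste from a conflict
 * error; they are replaced with permission wording so clients are not told
 * a misleading reason. NOTE(review): `generateError`'s argument order is
 * assumed to be (code, title, detail, description) — confirm against its
 * definition before relying on the exact placement of the two texts.
 *
 * @returns {APIError} error with status 403 and a single FORBIDDEN entry
 */
static forbidden() {
  return new APIError({
    message: 'Request forbidden!',
    status: httpStatus.FORBIDDEN,
    errors: [
      generateError(
        'FORBIDDEN',
        'Oops! Something is wrong',
        'You are not allowed to perform this action',
        'The authenticated client lacks permission for this request'
      ),
    ],
  });
}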
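/**
 * Build an Express middleware that authorises `action` for the authenticated
 * user (`req.authUser`) in the context of the business user already loaded on
 * the request (`req.$businessUser`, presumably set by an earlier loader).
 *
 * An unauthenticated request (no `req.authUser`) or a falsy decision from
 * `ACE.checkAccess` is answered with a non-public 403.
 *
 * @param action  action being attempted, forwarded to `ACE.checkAccess`
 * @returns {(req, res, next) => Promise<void>} Express middleware
 */
function checkAccessToUser(action) {
  return async (req, res, next) => {
    try {
      const allowed =
        Boolean(req.authUser) &&
        (await ACE.checkAccess(req.authUser.role, action, {
          businessUser: req.$businessUser,
          authUser: req.authUser,
        }));

      if (allowed) {
        return next();
      }
      // Fail closed: no explicit allow means 403.
      return next(new APIError(null, httpStatus.FORBIDDEN, false));
    } catch (err) {
      // A rejected access check must not become an unhandled rejection that
      // leaves the request hanging (Express before v5 does not await async
      // middleware); forward it to the error handler.
      return next(err);
    }
  };
}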
// APIError.forbidden() must yield a fully populated error: every field listed
// below is present, and the status is exactly 403.
it('should generate forbidden error', () => {
  const sut = APIError.forbidden();

  const requiredProps = ['message', 'errors', 'route', 'stack', 'status', 'isPublic'];
  for (const prop of requiredProps) {
    expect(sut).toHaveProperty(prop);
  }

  expect(sut.message).toEqual(expect.any(String));
  expect(sut.route).toEqual(expect.any(String));
  expect(sut.status).toEqual(httpStatus.FORBIDDEN);
  expect(sut.isPublic).toEqual(expect.any(Boolean));
});
// Horizontal access check for partial updates: a regular user may not PATCH
// another user's record. The target id comes from the seeded fixture
// `dbUsers.branStark`; `userAccessToken` belongs to a different user.
it('should report error when logged user is not the same as the requested one', async () => {
  const target = await User.findOne({ email: dbUsers.branStark.email });

  const res = await request(app)
    .patch(`/v1/users/${target._id}`)
    .set('Authorization', `Bearer ${userAccessToken}`)
    .expect(httpStatus.FORBIDDEN);

  expect(res.body.code).to.be.equal(httpStatus.FORBIDDEN);
  expect(res.body.message).to.be.equal('Forbidden');
});
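/**
 * Build an Express middleware that authorises `action` for the authenticated
 * user (`req.authUser`) alone — no target resource is passed to the check.
 *
 * An unauthenticated request (no `req.authUser`) or a falsy decision from
 * `ACE.checkAccess` is answered with a non-public 403.
 *
 * @param action  action being attempted, forwarded to `ACE.checkAccess`
 * @returns {(req, res, next) => Promise<void>} Express middleware
 */
function checkAccessToUser(action) {
  return async (req, res, next) => {
    try {
      const allowed =
        Boolean(req.authUser) &&
        (await ACE.checkAccess(req.authUser.role, action, {
          authUser: req.authUser,
        }));

      if (allowed) {
        return next();
      }
      // Fail closed: no explicit allow means 403.
      return next(new APIError(null, httpStatus.FORBIDDEN, false));
    } catch (err) {
      // A rejected access check must not become an unhandled rejection that
      // leaves the request hanging (Express before v5 does not await async
      // middleware); forward it to the error handler.
      return next(err);
    }
  };
}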
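/**
 * Build an Express middleware that authorises `action` for the authenticated
 * user (`req.authUser`) against the target user already loaded on the request
 * (`req.$user`, presumably set by an earlier loader).
 *
 * An unauthenticated request (no `req.authUser`) or a falsy decision from
 * `ACE.checkAccess` is answered with a non-public 403.
 *
 * @param action  action being attempted, forwarded to `ACE.checkAccess`
 * @returns {(req, res, next) => Promise<void>} Express middleware
 */
function checkAccessToUser(action) {
  return async (req, res, next) => {
    try {
      const allowed =
        Boolean(req.authUser) &&
        (await ACE.checkAccess(req.authUser.role, action, {
          user: req.$user,
          authUser: req.authUser,
        }));

      if (allowed) {
        return next();
      }
      // Fail closed: no explicit allow means 403.
      return next(new APIError(null, httpStatus.FORBIDDEN, false));
    } catch (err) {
      // A rejected access check must not become an unhandled rejection that
      // leaves the request hanging (Express before v5 does not await async
      // middleware); forward it to the error handler.
      return next(err);
    }
  };
}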
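/**
 * Build an Express middleware that authorises `action` for the authenticated
 * user (`req.authUser`) against the business already loaded on the request
 * (`req.$business`, presumably set by an earlier loader).
 *
 * An unauthenticated request (no `req.authUser`) or a falsy decision from
 * `ACE.checkAccess` is answered with a non-public 403.
 *
 * @param action  action being attempted, forwarded to `ACE.checkAccess`
 * @returns {(req, res, next) => Promise<void>} Express middleware
 */
function checkAccessToUser(action) {
  return async (req, res, next) => {
    try {
      const allowed =
        Boolean(req.authUser) &&
        (await ACE.checkAccess(req.authUser.role, action, {
          business: req.$business,
          authUser: req.authUser,
        }));

      if (allowed) {
        return next();
      }
      // Fail closed: no explicit allow means 403.
      return next(new APIError(null, httpStatus.FORBIDDEN, false));
    } catch (err) {
      // A rejected access check must not become an unhandled rejection that
      // leaves the request hanging (Express before v5 does not await async
      // middleware); forward it to the error handler.
      return next(err);
    }
  };
}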
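/**
 * Build an Express middleware that authorises `action` for the authenticated
 * user (`req.authUser`) against the target user already loaded on the request
 * (`req.$user`, presumably set by an earlier loader).
 *
 * An unauthenticated request (no `req.authUser`) or a falsy decision from
 * `ACE.checkAccess` is answered with a non-public 403.
 *
 * @param action  action being attempted, forwarded to `ACE.checkAccess`
 * @returns {(req, res, next) => Promise<void>} Express middleware
 */
function checkAccessToUser(action) {
  return async (req, res, next) => {
    try {
      const allowed =
        Boolean(req.authUser) &&
        (await ACE.checkAccess(req.authUser.role, action, {
          user: req.$user,
          authUser: req.authUser,
        }));

      if (allowed) {
        return next();
      }
      // Fail closed: no explicit allow means 403.
      return next(new APIError(null, httpStatus.FORBIDDEN, false));
    } catch (err) {
      // A rejected access check must not become an unhandled rejection that
      // leaves the request hanging (Express before v5 does not await async
      // middleware); forward it to the error handler.
      return next(err);
    }
  };
}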