fix: Macros authorizations (#5779)

Macros policy update. ref: #5730
2022-11-08 07:16:00 +05:30
parent 479d88a480
commit 48373628a1
8 changed files with 177 additions and 38 deletions
--- a/spec/controllers/api/v1/accounts/macros_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/macros_controller_spec.rb
@@ -23,14 +23,15 @@ RSpec.describe 'Api::V1::Accounts::MacrosController', type: :request do
        get "/api/v1/accounts/#{account.id}/macros",
            headers: administrator.create_new_auth_token

-        visible_macros = account.macros
+        visible_macros = account.macros.global.or(account.macros.personal.where(created_by_id: administrator.id)).order(:id)

        expect(response).to have_http_status(:success)
        body = JSON.parse(response.body)

        expect(body['payload'].length).to eq(visible_macros.count)
-        expect(body['payload'].first['id']).to eq(Macro.first.id)
-        expect(body['payload'].last['id']).to eq(Macro.last.id)
+
+        expect(body['payload'].first['id']).to eq(visible_macros.first.id)
+        expect(body['payload'].last['id']).to eq(visible_macros.last.id)
      end
    end

@@ -42,7 +43,7 @@ RSpec.describe 'Api::V1::Accounts::MacrosController', type: :request do
        expect(response).to have_http_status(:success)

        body = JSON.parse(response.body)
-        visible_macros = account.macros.global.or(account.macros.personal.where(created_by_id: agent.id))
+        visible_macros = account.macros.global.or(account.macros.personal.where(created_by_id: agent.id)).order(:id)

        expect(body['payload'].length).to eq(visible_macros.count)
        expect(body['payload'].first['id']).to eq(visible_macros.first.id)
@@ -181,6 +182,19 @@ RSpec.describe 'Api::V1::Accounts::MacrosController', type: :request do
        json_response = JSON.parse(response.body)
        expect(json_response['name']).to eql(params['name'])
      end
+
+      it 'Unauthorize to update the macro' do
+        macro = create(:macro, account: account, created_by: agent, updated_by: agent)
+
+        put "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+            params: params,
+            headers: agent_1.create_new_auth_token
+
+        json_response = JSON.parse(response.body)
+
+        expect(response).to have_http_status(:unauthorized)
+        expect(json_response['error']).to eq('You are not authorized to do this action')
+      end
    end
  end

@@ -214,6 +228,27 @@ RSpec.describe 'Api::V1::Accounts::MacrosController', type: :request do

        expect(response).to have_http_status(:not_found)
      end
+
+      it 'Unauthorize to fetch other agents private macro' do
+        macro = create(:macro, account: account, created_by: agent, updated_by: agent, visibility: :personal)
+
+        get "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+            headers: agent_1.create_new_auth_token
+
+        json_response = JSON.parse(response.body)
+
+        expect(response).to have_http_status(:unauthorized)
+        expect(json_response['error']).to eq('You are not authorized to do this action')
+      end
+
+      it 'authorize to fetch other agents public macro' do
+        macro = create(:macro, account: account, created_by: agent, updated_by: agent, visibility: :global)
+
+        get "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+            headers: agent_1.create_new_auth_token
+
+        expect(response).to have_http_status(:success)
+      end
    end
  end

@@ -314,4 +349,62 @@ RSpec.describe 'Api::V1::Accounts::MacrosController', type: :request do
      end
    end
  end
+
+  describe 'DELETE /api/v1/accounts/{account.id}/macros/{macro.id}' do
+    let!(:macro) { create(:macro, account: account, created_by: administrator, updated_by: administrator) }
+
+    context 'when it is an authenticated user' do
+      it 'Deletes the macro' do
+        delete "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+               headers: administrator.create_new_auth_token
+
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'deletes the orphan public record with admin credentials' do
+        macro = create(:macro, account: account, created_by: agent, updated_by: agent, visibility: :global)
+
+        expect(macro.created_by).to eq(agent)
+
+        agent.destroy!
+
+        expect(macro.reload.created_by).to be_nil
+
+        delete "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+               headers: administrator.create_new_auth_token
+
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'can not delete orphan public record with agent credentials' do
+        macro = create(:macro, account: account, created_by: agent, updated_by: agent, visibility: :global)
+
+        expect(macro.created_by).to eq(agent)
+
+        agent.destroy!
+
+        expect(macro.reload.created_by).to be_nil
+
+        delete "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+               headers: agent_1.create_new_auth_token
+
+        json_response = JSON.parse(response.body)
+
+        expect(response).to have_http_status(:unauthorized)
+        expect(json_response['error']).to eq('You are not authorized to do this action')
+      end
+
+      it 'Unauthorize to delete the macro' do
+        macro = create(:macro, account: account, created_by: agent, updated_by: agent)
+
+        delete "/api/v1/accounts/#{account.id}/macros/#{macro.id}",
+               headers: agent_1.create_new_auth_token
+
+        json_response = JSON.parse(response.body)
+
+        expect(response).to have_http_status(:unauthorized)
+        expect(json_response['error']).to eq('You are not authorized to do this action')
+      end
+    end
+  end
 end
--- a/spec/models/macro_spec.rb
+++ b/spec/models/macro_spec.rb
@@ -6,8 +6,6 @@ RSpec.describe Macro, type: :model do

  describe 'associations' do
    it { is_expected.to belong_to(:account) }
-    it { is_expected.to belong_to(:created_by) }
-    it { is_expected.to belong_to(:updated_by) }
  end

  describe 'validations' do
@@ -71,7 +69,9 @@ RSpec.describe Macro, type: :model do
        Current.user = admin
        Current.account = account

-        expect(described_class.with_visibility(admin, {}).count).to eq(account.macros.count)
+        macros = account.macros.global.or(account.macros.personal.where(created_by_id: admin.id))
+
+        expect(described_class.with_visibility(admin, {}).count).to eq(macros.count)
      end
    end

@@ -90,4 +90,26 @@ RSpec.describe Macro, type: :model do
      end
    end
  end
+
+  describe '#associations' do
+    let(:agent) { create(:user, account: account, role: :agent) }
+    let!(:global_macro) { FactoryBot.create(:macro, account: account, created_by: agent, updated_by: agent, visibility: :global, actions: []) }
+    let!(:personal_macro) { FactoryBot.create(:macro, account: account, created_by: agent, updated_by: agent, visibility: :personal, actions: []) }
+
+    context 'when you delete the author' do
+      it 'nullify the created_by column' do
+        expect(global_macro.created_by).to eq(agent)
+        expect(global_macro.updated_by).to eq(agent)
+        expect(personal_macro.created_by).to eq(agent)
+        expect(personal_macro.updated_by).to eq(agent)
+
+        personal_macro_id = personal_macro.id
+        agent.destroy!
+
+        expect(global_macro.reload.created_by).to be_nil
+        expect(global_macro.reload.updated_by).to be_nil
+        expect(described_class.find_by(id: personal_macro_id)).to be_nil
+      end
+    end
+  end
 end