diff --git a/test/private-api/alias.e2e-spec.ts b/test/private-api/alias.e2e-spec.ts index c7f2fc46c..fae3293e3 100644 --- a/test/private-api/alias.e2e-spec.ts +++ b/test/private-api/alias.e2e-spec.ts @@ -3,6 +3,7 @@ * * SPDX-License-Identifier: AGPL-3.0-only */ +import { response } from 'express'; import request from 'supertest'; import { AliasCreateDto } from '../../src/notes/alias-create.dto'; @@ -13,28 +14,32 @@ import { TestSetup } from '../test-setup'; describe('Alias', () => { let testSetup: TestSetup; - let user: User; - let content: string; + let users: User[]; + const content = 'This is a test note.'; let forbiddenNoteId: string; - let agent: request.SuperAgentTest; + let agent1: request.SuperAgentTest; + let agent2: request.SuperAgentTest; beforeAll(async () => { testSetup = await (await TestSetup.create()).withUsers(); + await testSetup.app.init(); forbiddenNoteId = testSetup.configService.get('appConfig').forbiddenNoteIds[0]; + users = testSetup.users; - await testSetup.app.init(); - - user = testSetup.users[0]; - - content = 'This is a test note.'; - agent = request.agent(testSetup.app.getHttpServer()); - await agent + agent1 = request.agent(testSetup.app.getHttpServer()); + await agent1 .post('/api/private/auth/local/login') .send({ username: 'testuser1', password: 'testuser1' }) .expect(201); + + agent2 = request.agent(testSetup.app.getHttpServer()); + await agent2 + .post('/api/private/auth/local/login') + .send({ username: 'testuser2', password: 'testuser2' }) + .expect(201); }); describe('POST /alias', () => { @@ -47,7 +52,7 @@ describe('Alias', () => { beforeAll(async () => { const note = await testSetup.notesService.createNote( content, - user, + users[0], testAlias, ); publicId = note.publicId; @@ -56,7 +61,7 @@ describe('Alias', () => { it('create with normal alias', async () => { const newAlias = 'normalAlias'; newAliasDto.newAlias = newAlias; - const metadata = await agent + const metadata = await agent1 .post(`/api/private/alias`) .set('Content-Type', 'application/json') .send(newAliasDto) @@ -64,7 +69,7 @@ describe('Alias', () => { expect(metadata.body.name).toEqual(newAlias); expect(metadata.body.primaryAlias).toBeFalsy(); expect(metadata.body.noteId).toEqual(publicId); - const note = await agent + const note = await agent1 .get(`/api/private/notes/${newAlias}`) .expect(200); expect(note.body.metadata.aliases).toContain(newAlias); @@ -75,19 +80,32 @@ describe('Alias', () => { describe('does not create an alias', () => { it('because of a forbidden alias', async () => { newAliasDto.newAlias = forbiddenNoteId; - await agent + await agent1 + .post(`/api/private/alias`) + .set('Content-Type', 'application/json') + .send(newAliasDto) + .expect(400) + .then((response) => { + expect(response.body.message).toContain( + 'is forbidden by the administrator', + ); + }); + }); + it('because of a alias that is a public id', async () => { + newAliasDto.newAlias = publicId; + await agent1 .post(`/api/private/alias`) .set('Content-Type', 'application/json') .send(newAliasDto) .expect(400); }); - it('because of a alias that is a public id', async () => { + it('because the user is not an owner', async () => { newAliasDto.newAlias = publicId; - await agent + await agent2 .post(`/api/private/alias`) .set('Content-Type', 'application/json') .send(newAliasDto) - .expect(400); + .expect(401); }); }); }); @@ -102,7 +120,7 @@ describe('Alias', () => { beforeAll(async () => { const note = await testSetup.notesService.createNote( content, - user, + users[0], testAlias, ); publicId = note.publicId; @@ -110,7 +128,7 @@ describe('Alias', () => { }); it('updates a note with a normal alias', async () => { - const metadata = await agent + const metadata = await agent1 .put(`/api/private/alias/${newAlias}`) .set('Content-Type', 'application/json') .send(changeAliasDto) @@ -118,7 +136,7 @@ describe('Alias', () => { expect(metadata.body.name).toEqual(newAlias); expect(metadata.body.primaryAlias).toBeTruthy(); expect(metadata.body.noteId).toEqual(publicId); - const note = await agent + const note = await agent1 .get(`/api/private/notes/${newAlias}`) .expect(200); expect(note.body.metadata.aliases).toContain(newAlias); @@ -128,54 +146,98 @@ describe('Alias', () => { describe('does not update', () => { it('a note with unknown alias', async () => { - await agent + await agent1 .put(`/api/private/alias/i_dont_exist`) .set('Content-Type', 'application/json') .send(changeAliasDto) .expect(404); }); + it('a note with a forbidden ID', async () => { + await agent1 + .put(`/api/private/alias/${forbiddenNoteId}`) + .set('Content-Type', 'application/json') + .send(changeAliasDto) + .expect(400) + .then((response) => { + expect(response.body.message).toContain( + 'is forbidden by the administrator', + ); + }); + }); it('if the property primaryAlias is false', async () => { changeAliasDto.primaryAlias = false; - await agent + await agent1 .put(`/api/private/alias/${newAlias}`) .set('Content-Type', 'application/json') .send(changeAliasDto) .expect(400); }); + it('if the user is not an owner', async () => { + changeAliasDto.primaryAlias = true; + await agent2 + .put(`/api/private/alias/${newAlias}`) + .set('Content-Type', 'application/json') + .send(changeAliasDto) + .expect(401); + }); }); }); describe('DELETE /alias/{alias}', () => { const testAlias = 'aliasTest3'; const newAlias = 'normalAlias3'; - beforeAll(async () => { - const note = await testSetup.notesService.createNote( + let note; + + beforeEach(async () => { + note = await testSetup.notesService.createNote( content, - user, + users[0], testAlias, ); await testSetup.aliasService.addAlias(note, newAlias); }); + afterEach(async () => { + try { + await testSetup.aliasService.removeAlias(note, newAlias); + // Ignore errors on removing alias + // eslint-disable-next-line no-empty + } catch (e) {} + await testSetup.notesService.deleteNote(note); + }); + it('deletes a normal alias', async () => { - await agent.delete(`/api/private/alias/${newAlias}`).expect(204); - await agent.get(`/api/private/notes/${newAlias}`).expect(404); + await agent1.delete(`/api/private/alias/${newAlias}`).expect(204); + await agent1.get(`/api/private/notes/${newAlias}`).expect(404); }); it('does not delete an unknown alias', async () => { - await agent.delete(`/api/private/alias/i_dont_exist`).expect(404); + await agent1.delete(`/api/private/alias/i_dont_exist`).expect(404); + }); + + it('does not delete an alias of a forbidden note', async () => { + await agent1 + .delete(`/api/private/alias/${forbiddenNoteId}`) + .expect(400) + .then((response) => { + expect(response.body.message).toContain( + 'is forbidden by the administrator', + ); + }); + }); + + it('fails if the user does not own the note', async () => { + await agent2.delete(`/api/private/alias/${newAlias}`).expect(401); }); it('does not delete an primary alias (if it is not the only one)', async () => { - const note = await testSetup.notesService.getNoteByIdOrAlias(testAlias); - await testSetup.aliasService.addAlias(note, newAlias); - await agent.delete(`/api/private/alias/${testAlias}`).expect(400); - await agent.get(`/api/private/notes/${newAlias}`).expect(200); + await agent1.delete(`/api/private/alias/${testAlias}`).expect(400); + await agent1.get(`/api/private/notes/${newAlias}`).expect(200); }); it('deletes a primary alias (if it is the only one)', async () => { - await agent.delete(`/api/private/alias/${newAlias}`).expect(204); - await agent.delete(`/api/private/alias/${testAlias}`).expect(204); + await agent1.delete(`/api/private/alias/${newAlias}`).expect(204); + await agent1.delete(`/api/private/alias/${testAlias}`).expect(204); }); }); });