yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: add server side validation schema for groups (#4881)

Browse Source 
* refactor: move files to subfolder

* refactor: schema for groups.list

* refactor: schema for groups.info

* refactor: schema for groups.create

* refactor: schema for groups.update

* refactor: schema for groups.delete

* refactor: schema for groups.memberships

* refactor: schema for groups.add_user

* refactor: schema for groups.remove_user
This commit is contained in:
Mohamed ELIDRISSI
2023-02-25 21:03:23 +01:00
committed by GitHub
parent fc8c20149f
commit 00baa2bd6d
6 changed files with 411 additions and 306 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
server/routes/api/groups/__snapshots__/groups.test.ts.snap Normal file
View File

@@ -0,0 +1,91 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`#groups.add_user should require admin 1`] = `
{
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#groups.add_user should require user in team 1`] = `
{
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
"status": 403,
}
`;
exports[`#groups.delete should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.info should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.list should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.memberships should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.remove_user should require admin 1`] = `
{
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#groups.remove_user should require user in team 1`] = `
{
"error": "authorization_error",
"message": "Authorization error",
"ok": false,
"status": 403,
}
`;
exports[`#groups.update should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#groups.update when user is admin fails with validation error when name already taken 1`] = `
{
"error": "validation_error",
"message": "The name of this group is already in use (isUniqueNameInTeam)",
"ok": false,
"status": 400,
}
`;

544
server/routes/api/groups/groups.test.ts Normal file
View File

@@ -0,0 +1,544 @@
import { Event } from "@server/models";
import { buildUser, buildAdmin, buildGroup } from "@server/test/factories";
import { getTestServer } from "@server/test/support";
const server = getTestServer();
describe("#groups.create", () => {
it("should create a group", async () => {
const name = "hello I am a group";
const user = await buildAdmin();
const res = await server.post("/api/groups.create", {
body: {
token: user.getJwtToken(),
name,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toEqual(name);
});
});
describe("#groups.update", () => {
it("should require authentication", async () => {
const group = await buildGroup();
const res = await server.post("/api/groups.update", {
body: {
id: group.id,
name: "Test",
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const group = await buildGroup();
const user = await buildUser();
const res = await server.post("/api/groups.update", {
body: {
token: user.getJwtToken(),
id: group.id,
name: "Test",
},
});
expect(res.status).toEqual(403);
});
it("should require authorization", async () => {
const group = await buildGroup();
const user = await buildAdmin();
const res = await server.post("/api/groups.update", {
body: {
token: user.getJwtToken(),
id: group.id,
name: "Test",
},
});
expect(res.status).toEqual(403);
});
describe("when user is admin", () => {
// @ts-expect-error ts-migrate(7034) FIXME: Variable 'user' implicitly has type 'any' in some ... Remove this comment to see the full error message
let user, group;
beforeEach(async () => {
user = await buildAdmin();
group = await buildGroup({
teamId: user.teamId,
});
});
it("allows admin to edit a group", async () => {
const res = await server.post("/api/groups.update", {
body: {
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'user' implicitly has an 'any' type.
token: user.getJwtToken(),
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'group' implicitly has an 'any' type.
id: group.id,
name: "Test",
},
});
const events = await Event.findAll();
expect(events.length).toEqual(1);
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toBe("Test");
});
it("does not create an event if the update is a noop", async () => {
const res = await server.post("/api/groups.update", {
body: {
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'user' implicitly has an 'any' type.
token: user.getJwtToken(),
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'group' implicitly has an 'any' type.
id: group.id,
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'group' implicitly has an 'any' type.
name: group.name,
},
});
const events = await Event.findAll();
expect(events.length).toEqual(0);
const body = await res.json();
expect(res.status).toEqual(200);
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'group' implicitly has an 'any' type.
expect(body.data.name).toBe(group.name);
});
it("fails with validation error when name already taken", async () => {
await buildGroup({
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'user' implicitly has an 'any' type.
teamId: user.teamId,
name: "test",
});
const res = await server.post("/api/groups.update", {
body: {
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'user' implicitly has an 'any' type.
token: user.getJwtToken(),
// @ts-expect-error ts-migrate(7005) FIXME: Variable 'group' implicitly has an 'any' type.
id: group.id,
name: "TEST",
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body).toMatchSnapshot();
});
});
});
describe("#groups.list", () => {
it("should require authentication", async () => {
const res = await server.post("/api/groups.list");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should return groups with memberships preloaded", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.list", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data["groups"].length).toEqual(1);
expect(body.data["groups"][0].id).toEqual(group.id);
expect(body.data["groupMemberships"].length).toEqual(1);
expect(body.data["groupMemberships"][0].groupId).toEqual(group.id);
expect(body.data["groupMemberships"][0].user.id).toEqual(user.id);
expect(body.policies.length).toEqual(1);
expect(body.policies[0].abilities.read).toEqual(true);
});
it("should return groups when membership user is deleted", async () => {
const me = await buildUser();
const user = await buildUser({
teamId: me.teamId,
});
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: me.id,
},
});
await group.$add("user", me, {
through: {
createdById: me.id,
},
});
await user.destroy();
const res = await server.post("/api/groups.list", {
body: {
token: me.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data["groups"].length).toEqual(1);
expect(body.data["groups"][0].id).toEqual(group.id);
expect(body.data["groupMemberships"].length).toEqual(1);
expect(body.data["groupMemberships"][0].groupId).toEqual(group.id);
expect(body.data["groupMemberships"][0].user.id).toEqual(me.id);
expect(body.policies.length).toEqual(1);
expect(body.policies[0].abilities.read).toEqual(true);
});
});
describe("#groups.info", () => {
it("should return group if admin", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.info", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should return group if member", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.info", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should still return group if non-member, non-admin", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.info", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(group.id);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.info");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const user = await buildUser();
const group = await buildGroup();
const res = await server.post("/api/groups.info", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
expect(res.status).toEqual(403);
});
});
describe("#groups.delete", () => {
it("should require authentication", async () => {
const group = await buildGroup();
const res = await server.post("/api/groups.delete", {
body: {
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const group = await buildGroup();
const user = await buildUser();
const res = await server.post("/api/groups.delete", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
expect(res.status).toEqual(403);
});
it("should require authorization", async () => {
const group = await buildGroup();
const user = await buildAdmin();
const res = await server.post("/api/groups.delete", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
expect(res.status).toEqual(403);
});
it("allows admin to delete a group", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.delete", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.success).toEqual(true);
});
});
describe("#groups.memberships", () => {
it("should return members in a group", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
const res = await server.post("/api/groups.memberships", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(user.id);
expect(body.data.groupMemberships.length).toEqual(1);
expect(body.data.groupMemberships[0].user.id).toEqual(user.id);
});
it("should allow filtering members in group by name", async () => {
const user = await buildUser();
const user2 = await buildUser({
name: "Won't find",
});
const user3 = await buildUser({
teamId: user.teamId,
name: "Deleted",
});
const group = await buildGroup({
teamId: user.teamId,
});
await group.$add("user", user, {
through: {
createdById: user.id,
},
});
await group.$add("user", user2, {
through: {
createdById: user.id,
},
});
await group.$add("user", user3, {
through: {
createdById: user.id,
},
});
await user3.destroy();
const res = await server.post("/api/groups.memberships", {
body: {
token: user.getJwtToken(),
id: group.id,
query: user.name.slice(0, 3),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.users.length).toEqual(1);
expect(body.data.users[0].id).toEqual(user.id);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.memberships");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it("should require authorization", async () => {
const user = await buildUser();
const group = await buildGroup();
const res = await server.post("/api/groups.memberships", {
body: {
token: user.getJwtToken(),
id: group.id,
},
});
expect(res.status).toEqual(403);
});
});
describe("#groups.add_user", () => {
it("should add user to group", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const res = await server.post("/api/groups.add_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: user.id,
},
});
const users = await group.$get("users");
expect(res.status).toEqual(200);
expect(users.length).toEqual(1);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.add_user");
expect(res.status).toEqual(401);
});
it("should require user in team", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser();
const res = await server.post("/api/groups.add_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/groups.add_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#groups.remove_user", () => {
it("should remove user from group", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
await server.post("/api/groups.add_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: user.id,
},
});
const users = await group.$get("users");
expect(users.length).toEqual(1);
const res = await server.post("/api/groups.remove_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: user.id,
},
});
const users1 = await group.$get("users");
expect(res.status).toEqual(200);
expect(users1.length).toEqual(0);
});
it("should require authentication", async () => {
const res = await server.post("/api/groups.remove_user");
expect(res.status).toEqual(401);
});
it("should require user in team", async () => {
const user = await buildAdmin();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser();
const res = await server.post("/api/groups.remove_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const group = await buildGroup({
teamId: user.teamId,
});
const anotherUser = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/groups.remove_user", {
body: {
token: user.getJwtToken(),
id: group.id,
userId: anotherUser.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});

326
server/routes/api/groups/groups.ts Normal file
View File

@@ -0,0 +1,326 @@
import Router from "koa-router";
import { Op } from "sequelize";
import { MAX_AVATAR_DISPLAY } from "@shared/constants";
import auth from "@server/middlewares/authentication";
import validate from "@server/middlewares/validate";
import { User, Event, Group, GroupUser } from "@server/models";
import { authorize } from "@server/policies";
import {
presentGroup,
presentPolicies,
presentUser,
presentGroupMembership,
} from "@server/presenters";
import { APIContext } from "@server/types";
import pagination from "../middlewares/pagination";
import * as T from "./schema";
const router = new Router();
router.post(
"groups.list",
auth(),
pagination(),
validate(T.GroupsListSchema),
async (ctx: APIContext<T.GroupsListReq>) => {
const { direction, sort } = ctx.input.body;
const { user } = ctx.state.auth;
const groups = await Group.findAll({
where: {
teamId: user.teamId,
},
order: [[sort, direction]],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
});
ctx.body = {
pagination: ctx.state.pagination,
data: {
groups: groups.map(presentGroup),
groupMemberships: groups
.map((g) =>
g.groupMemberships
.filter((membership) => !!membership.user)
.slice(0, MAX_AVATAR_DISPLAY)
)
.flat()
.map((membership) =>
presentGroupMembership(membership, { includeUser: true })
),
},
policies: presentPolicies(user, groups),
};
}
);
router.post(
"groups.info",
auth(),
validate(T.GroupsInfoSchema),
async (ctx: APIContext<T.GroupsInfoReq>) => {
const { id } = ctx.input.body;
const { user } = ctx.state.auth;
const group = await Group.findByPk(id);
authorize(user, "read", group);
ctx.body = {
data: presentGroup(group),
policies: presentPolicies(user, [group]),
};
}
);
router.post(
"groups.create",
auth(),
validate(T.GroupsCreateSchema),
async (ctx: APIContext<T.GroupsCreateReq>) => {
const { name } = ctx.input.body;
const { user } = ctx.state.auth;
authorize(user, "createGroup", user.team);
const g = await Group.create({
name,
teamId: user.teamId,
createdById: user.id,
});
// reload to get default scope
const group = await Group.findByPk(g.id, { rejectOnEmpty: true });
await Event.create({
name: "groups.create",
actorId: user.id,
teamId: user.teamId,
modelId: group.id,
data: {
name: group.name,
},
ip: ctx.request.ip,
});
ctx.body = {
data: presentGroup(group),
policies: presentPolicies(user, [group]),
};
}
);
router.post(
"groups.update",
auth(),
validate(T.GroupsUpdateSchema),
async (ctx: APIContext<T.GroupsUpdateReq>) => {
const { id, name } = ctx.input.body;
const { user } = ctx.state.auth;
const group = await Group.findByPk(id);
authorize(user, "update", group);
group.name = name;
if (group.changed()) {
await group.save();
await Event.create({
name: "groups.update",
teamId: user.teamId,
actorId: user.id,
modelId: group.id,
data: {
name,
},
ip: ctx.request.ip,
});
}
ctx.body = {
data: presentGroup(group),
policies: presentPolicies(user, [group]),
};
}
);
router.post(
"groups.delete",
auth(),
validate(T.GroupsDeleteSchema),
async (ctx: APIContext<T.GroupsDeleteReq>) => {
const { id } = ctx.input.body;
const { user } = ctx.state.auth;
const group = await Group.findByPk(id);
authorize(user, "delete", group);
await group.destroy();
await Event.create({
name: "groups.delete",
actorId: user.id,
modelId: group.id,
teamId: group.teamId,
data: {
name: group.name,
},
ip: ctx.request.ip,
});
ctx.body = {
success: true,
};
}
);
router.post(
"groups.memberships",
auth(),
pagination(),
validate(T.GroupsMembershipsSchema),
async (ctx: APIContext<T.GroupsMembershipsReq>) => {
const { id, query } = ctx.input.body;
const { user } = ctx.state.auth;
const group = await Group.findByPk(id);
authorize(user, "read", group);
let userWhere;
if (query) {
userWhere = {
name: {
[Op.iLike]: `%${query}%`,
},
};
}
const memberships = await GroupUser.findAll({
where: {
groupId: id,
},
order: [["createdAt", "DESC"]],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
include: [
{
model: User,
as: "user",
where: userWhere,
required: true,
},
],
});
ctx.body = {
pagination: ctx.state.pagination,
data: {
groupMemberships: memberships.map((membership) =>
presentGroupMembership(membership, { includeUser: true })
),
users: memberships.map((membership) => presentUser(membership.user)),
},
};
}
);
router.post(
"groups.add_user",
auth(),
validate(T.GroupsAddUserSchema),
async (ctx: APIContext<T.GroupsAddUserReq>) => {
const { id, userId } = ctx.input.body;
const actor = ctx.state.auth.user;
const user = await User.findByPk(userId);
authorize(actor, "read", user);
let group = await Group.findByPk(id);
authorize(actor, "update", group);
let membership = await GroupUser.findOne({
where: {
groupId: id,
userId,
},
});
if (!membership) {
await group.$add("user", user, {
through: {
createdById: actor.id,
},
});
// reload to get default scope
membership = await GroupUser.findOne({
where: {
groupId: id,
userId,
},
rejectOnEmpty: true,
});
// reload to get default scope
group = await Group.findByPk(id, { rejectOnEmpty: true });
await Event.create({
name: "groups.add_user",
userId,
teamId: user.teamId,
modelId: group.id,
actorId: actor.id,
data: {
name: user.name,
},
ip: ctx.request.ip,
});
}
ctx.body = {
data: {
users: [presentUser(user)],
groupMemberships: [
presentGroupMembership(membership, { includeUser: true }),
],
groups: [presentGroup(group)],
},
};
}
);
router.post(
"groups.remove_user",
auth(),
validate(T.GroupsRemoveUserSchema),
async (ctx: APIContext<T.GroupsRemoveUserReq>) => {
const { id, userId } = ctx.input.body;
const actor = ctx.state.auth.user;
let group = await Group.findByPk(id);
authorize(actor, "update", group);
const user = await User.findByPk(userId);
authorize(actor, "read", user);
await group.$remove("user", user);
await Event.create({
name: "groups.remove_user",
userId,
modelId: group.id,
teamId: user.teamId,
actorId: actor.id,
data: {
name: user.name,
},
ip: ctx.request.ip,
});
// reload to get default scope
group = await Group.findByPk(id, { rejectOnEmpty: true });
ctx.body = {
data: {
groups: [presentGroup(group)],
},
};
}
);
export default router;

1
server/routes/api/groups/index.ts Normal file
View File

@@ -0,0 +1 @@
export { default } from "./groups";

84
server/routes/api/groups/schema.ts Normal file
View File

@@ -0,0 +1,84 @@
import { z } from "zod";
import { Group } from "@server/models";
const BaseIdSchema = z.object({
/** Group Id */
id: z.string().uuid(),
});
export const GroupsListSchema = z.object({
body: z.object({
/** Groups sorting direction */
direction: z
.string()
.optional()
.transform((val) => (val !== "ASC" ? "DESC" : val)),
/** Groups sorting column */
sort: z
.string()
.refine((val) => Object.keys(Group.getAttributes()).includes(val), {
message: "Invalid sort parameter",
})
.default("updatedAt"),
}),
});
export type GroupsListReq = z.infer<typeof GroupsListSchema>;
export const GroupsInfoSchema = z.object({
body: BaseIdSchema,
});
export type GroupsInfoReq = z.infer<typeof GroupsInfoSchema>;
export const GroupsCreateSchema = z.object({
body: z.object({
/** Group name */
name: z.string(),
}),
});
export type GroupsCreateReq = z.infer<typeof GroupsCreateSchema>;
export const GroupsUpdateSchema = z.object({
body: BaseIdSchema.extend({
/** Group name */
name: z.string(),
}),
});
export type GroupsUpdateReq = z.infer<typeof GroupsUpdateSchema>;
export const GroupsDeleteSchema = z.object({
body: BaseIdSchema,
});
export type GroupsDeleteReq = z.infer<typeof GroupsDeleteSchema>;
export const GroupsMembershipsSchema = z.object({
body: BaseIdSchema.extend({
/** Group name search query */
query: z.string().optional(),
}),
});
export type GroupsMembershipsReq = z.infer<typeof GroupsMembershipsSchema>;
export const GroupsAddUserSchema = z.object({
body: BaseIdSchema.extend({
/** User Id */
userId: z.string().uuid(),
}),
});
export type GroupsAddUserReq = z.infer<typeof GroupsAddUserSchema>;
export const GroupsRemoveUserSchema = z.object({
body: BaseIdSchema.extend({
/** User Id */
userId: z.string().uuid(),
}),
});
export type GroupsRemoveUserReq = z.infer<typeof GroupsRemoveUserSchema>;