|
|
|
|
'use strict';
|
|
|
|
|
|
|
|
|
|
const assert = require('assert');
|
|
|
|
|
const nconf = require('nconf');
|
|
|
|
|
const request = require('request-promise-native');
|
|
|
|
|
const db = require('./mocks/databasemock');
|
|
|
|
|
|
|
|
|
|
const user = require('../src/user');
|
|
|
|
|
const groups = require('../src/groups');
|
|
|
|
|
const utils = require('../src/utils');
|
|
|
|
|
|
|
|
|
|
const helpers = require('./helpers');
|
|
|
|
|
|
|
|
|
|
describe('Middlewares', () => {
|
|
|
|
|
describe('expose', () => {
|
|
|
|
|
let adminUid;
|
|
|
|
|
|
|
|
|
|
before(async () => {
|
|
|
|
|
adminUid = await user.create({ username: 'admin', password: '123456' });
|
|
|
|
|
await groups.join('administrators', adminUid);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should expose res.locals.isAdmin = false', (done) => {
|
|
|
|
|
const middleware = require('../src/middleware');
|
|
|
|
|
const resMock = { locals: {} };
|
|
|
|
|
middleware.exposeAdmin({}, resMock, () => {
|
|
|
|
|
assert.strictEqual(resMock.locals.isAdmin, false);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should expose res.locals.isAdmin = true', (done) => {
|
|
|
|
|
const middleware = require('../src/middleware');
|
|
|
|
|
const reqMock = { user: { uid: adminUid } };
|
|
|
|
|
const resMock = { locals: {} };
|
|
|
|
|
middleware.exposeAdmin(reqMock, resMock, () => {
|
|
|
|
|
assert.strictEqual(resMock.locals.isAdmin, true);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should expose privileges in res.locals.privileges and isSelf=true', (done) => {
|
|
|
|
|
const middleware = require('../src/middleware');
|
|
|
|
|
const reqMock = { user: { uid: adminUid }, params: { uid: adminUid } };
|
|
|
|
|
const resMock = { locals: {} };
|
|
|
|
|
middleware.exposePrivileges(reqMock, resMock, () => {
|
|
|
|
|
assert(resMock.locals.privileges);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isAdmin, true);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isGmod, false);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isPrivileged, true);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isSelf, true);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should expose privileges in res.locals.privileges and isSelf=false', (done) => {
|
|
|
|
|
const middleware = require('../src/middleware');
|
|
|
|
|
const reqMock = { user: { uid: 0 }, params: { uid: adminUid } };
|
|
|
|
|
const resMock = { locals: {} };
|
|
|
|
|
middleware.exposePrivileges(reqMock, resMock, () => {
|
|
|
|
|
assert(resMock.locals.privileges);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isAdmin, false);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isGmod, false);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isPrivileged, false);
|
|
|
|
|
assert.strictEqual(resMock.locals.privileges.isSelf, false);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should expose privilege set', (done) => {
|
|
|
|
|
const middleware = require('../src/middleware');
|
|
|
|
|
const reqMock = { user: { uid: adminUid } };
|
|
|
|
|
const resMock = { locals: {} };
|
|
|
|
|
middleware.exposePrivilegeSet(reqMock, resMock, () => {
|
|
|
|
|
assert(resMock.locals.privileges);
|
|
|
|
|
assert.deepStrictEqual(resMock.locals.privileges, {
|
|
|
|
|
chat: true,
|
|
|
|
|
'upload:post:image': true,
|
|
|
|
|
'upload:post:file': true,
|
|
|
|
|
signature: true,
|
|
|
|
|
invite: true,
|
|
|
|
|
'group:create': true,
|
|
|
|
|
'search:content': true,
|
|
|
|
|
'search:users': true,
|
|
|
|
|
'search:tags': true,
|
|
|
|
|
'view:users': true,
|
|
|
|
|
'view:tags': true,
|
|
|
|
|
'view:groups': true,
|
|
|
|
|
'local:login': true,
|
|
|
|
|
ban: true,
|
|
|
|
|
mute: true,
|
|
|
|
|
'view:users:info': true,
|
|
|
|
|
'admin:dashboard': true,
|
|
|
|
|
'admin:categories': true,
|
|
|
|
|
'admin:privileges': true,
|
|
|
|
|
'admin:admins-mods': true,
|
|
|
|
|
'admin:users': true,
|
|
|
|
|
'admin:groups': true,
|
|
|
|
|
'admin:tags': true,
|
|
|
|
|
'admin:settings': true,
|
|
|
|
|
superadmin: true,
|
|
|
|
|
});
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('cache-control header', () => {
|
|
|
|
|
let uid;
|
|
|
|
|
let jar;
|
|
|
|
|
|
|
|
|
|
before(async () => {
|
|
|
|
|
uid = await user.create({ username: 'testuser', password: '123456' });
|
|
|
|
|
({ jar } = await helpers.loginUser('testuser', '123456'));
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be absent on non-existent routes, for guests', async () => {
|
|
|
|
|
const res = await request(`${nconf.get('url')}/${utils.generateUUID()}`, {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 404);
|
|
|
|
|
assert(!Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be set to "private" on non-existent routes, for logged in users', async () => {
|
|
|
|
|
const res = await request(`${nconf.get('url')}/${utils.generateUUID()}`, {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
jar,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 404);
|
|
|
|
|
assert(Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
assert.strictEqual(res.headers['cache-control'], 'private');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be absent on regular routes, for guests', async () => {
|
|
|
|
|
const res = await request(nconf.get('url'), {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
assert(!Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be absent on api routes, for guests', async () => {
|
|
|
|
|
const res = await request(`${nconf.get('url')}/api`, {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
assert(!Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be set to "private" on regular routes, for logged-in users', async () => {
|
|
|
|
|
const res = await request(nconf.get('url'), {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
jar,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
assert(Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
assert.strictEqual(res.headers['cache-control'], 'private');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be set to "private" on api routes, for logged-in users', async () => {
|
|
|
|
|
const res = await request(`${nconf.get('url')}/api`, {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
jar,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
assert(Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
assert.strictEqual(res.headers['cache-control'], 'private');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be set to "private" on apiv3 routes, for logged-in users', async () => {
|
|
|
|
|
const res = await request(`${nconf.get('url')}/api/v3/users/${uid}`, {
|
|
|
|
|
simple: false,
|
|
|
|
|
resolveWithFullResponse: true,
|
|
|
|
|
jar,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
assert.strictEqual(res.statusCode, 200);
|
|
|
|
|
assert(Object.keys(res.headers).includes('cache-control'));
|
|
|
|
|
assert.strictEqual(res.headers['cache-control'], 'private');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
