From 9706680f7da7acf12a3e439096d7b15e24dc1e44 Mon Sep 17 00:00:00 2001
From: Mia Bennett
Date: Sun, 14 Jul 2024 18:37:05 +0930
Subject: [PATCH] test(events): test permissions for #add_attendee
---
 spec/controllers/events_spec.cr | 56 +++++++++++++++++++++++++++++++--
 1 file changed, 54 insertions(+), 2 deletions(-)
diff --git a/spec/controllers/events_spec.cr b/spec/controllers/events_spec.cr
index 489db4d..77d22f2 100644
--- a/spec/controllers/events_spec.cr
+++ b/spec/controllers/events_spec.cr
@@ -255,9 +255,61 @@ describe Events do
 end
 end
+ describe "permission", tags: ["auth", "group-event"], focus: true do
+ it "#add_attendee should NOT allow adding public or same tenant users to PRIVATE events" do
+ WebMock.stub(:post, "https://graph.microsoft.com/v1.0/users/dev%40acaprojects.onmicrosoft.com/calendar/events")
+ .to_return(body: File.read("./spec/fixtures/events/o365/create.json"))
+
+ WebMock.stub(:get, "https://graph.microsoft.com/v1.0/users/room1%40example.com/calendar/events/AAMkADE3YmQxMGQ2LTRmZDgtNDljYy1hNDg1LWM0NzFmMGI0ZTQ3YgBGAAAAAADFYQb3DJ_xSJHh14kbXHWhBwB08dwEuoS_QYSBDzuv558sAAAAAAENAAB08dwEuoS_QYSBDzuv558sAACGVOwUAAA%3D")
+ .to_return(body: File.read("./spec/fixtures/events/o365/create.json"))
+
+ WebMock.stub(:patch, "https://graph.microsoft.com/v1.0/users/dev%40acaprojects.onmicrosoft.com/calendar/events/AAMkADE3YmQxMGQ2LTRmZDgtNDljYy1hNDg1LWM0NzFmMGI0ZTQ3YgBGAAAAAADFYQb3DJ_xSJHh14kbXHWhBwB08dwEuoS_QYSBDzuv558sAAAAAAENAAB08dwEuoS_QYSBDzuv558sAACGVOwUAAA%3D")
+ .to_return(body: File.read("./spec/fixtures/events/o365/update.json"))
+
+ WebMock.stub(:get, "https://graph.microsoft.com/v1.0/users/dev%40acaprojects.com/calendars")
+ .to_return(body: File.read("./spec/fixtures/calendars/o365/show.json"))
+
+ # Stub getting the host event
+ WebMock.stub(:get, "https://graph.microsoft.com/v1.0/users/dev%40acaprojects.onmicrosoft.com/calendar/calendarView?startDateTime=2020-08-26T14%3A00%3A00-00%3A00&endDateTime=2020-08-27T13%3A59%3A59-00%3A00&%24filter=iCalUId+eq+%27040000008200E00074C5B7101A82E008000000006DE2E3761F8AD6010000000000000000100000009CCCDBB1F09DE74D8B157797D97F6A10%27&%24top=10000")
+ .to_return(body: File.read("./spec/fixtures/events/o365/events_query.json"))
+
+ req_body = EventsHelper.create_event_input
+
+ event = JSON.parse(client.post(EVENTS_BASE, headers: headers, body: req_body).body).as_h
+ event_id = event["id"].to_s
+
+ WebMock.stub(:get, 
"https://graph.microsoft.com/v1.0/users/room1%40example.com/calendar/calendarView?startDateTime=2020-08-26T14:00:00-00:00&endDateTime=2020-08-27T13:59:59-00:00&%24filter=iCalUId+eq+%27040000008200E00074C5B7101A82E008000000006DE2E3761F8AD6010000000000000000100000009CCCDBB1F09DE74D8B157797D97F6A10%27&$top=10000")
+ .to_return(EventsHelper.event_query_response(event_id))
+
+ system_id = "sys-rJQQlR4Cn7"
+ EventsHelper.stub_permissions_check(system_id)
- describe "permission", tags: ["auth", "group-event"] do
- pending "#add_attendee should NOT allow adding public or same tenant users to PRIVATE events" do
+ # public user
+ no_auth_headers = Mock::Headers.office365_no_auth
+ response = client.post(%(#{EVENTS_BASE}/#{event_id}/attendee?system_id=#{system_id}), headers: no_auth_headers, body: {
+ name: "User Two",
+ email: "user-two@example.com",
+ checked_in: true,
+ visit_expected: true,
+ }.to_json)
+ response.status_code.should eq(401)
+
+ # same tenant user
+ same_tenant_headers = Mock::Headers.office365_normal_user(email: "user-three@example.com")
+ response = client.post(%(#{EVENTS_BASE}/#{event_id}/attendee?system_id=#{system_id}), headers: same_tenant_headers, body: {
+ name: "User Three",
+ email: "user-three@example.com",
+ checked_in: true,
+ visit_expected: true,
+ }.to_json)
+ response.status_code.should eq(403)
+
+ event_metadata = EventMetadata.find_by(event_id: event_id)
+ # Should only have the event creator and room
+ event_metadata.attendees.count.should eq(2)
+
+ guests = event_metadata.attendees.map(&.guest.not_nil!)
+ (guests.map(&.email) - ["jon@example.com", "dev@acaprojects.onmicrosoft.com"]).size.should eq(0)
 end
 pending "#add_attendee should allow adding same tenant users to OPEN events" do
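Review bot: The new `describe "permission", tags: ["auth", "group-event"], focus: true do` line keeps a `focus: true` flag that looks like a leftover from local debugging; if it lands, Crystal's spec runner executes only focused examples, so every other example in this file and the suite (including the remaining auth tests) would silently stop running in CI. The line should read `describe "permission", tags: ["auth", "group-event"] do`, matching the removed line it replaces. Separately, the closing assertion `(guests.map(&.email) - ["jon@example.com", "dev@acaprojects.onmicrosoft.com"]).size.should eq(0)` only holds together with the preceding `count.should eq(2)`; `guests.map(&.email).sort.should eq(["dev@acaprojects.onmicrosoft.com", "jon@example.com"])` would state the expected attendee set directly and fail with a readable diff. The `describe "permission"` block itself closes outside this hunk.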