
feat(server): Prevent update of default roles, add e2e tests

Michael Bromley 7 سال پیش
والد
کامیت
e127c3e8c3

+ 40 - 0
server/e2e/__snapshots__/role.e2e-spec.ts.snap

@@ -0,0 +1,40 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Product resolver createRole creates a new role 1`] = `
+Object {
+  "channels": Array [
+    Object {
+      "code": "__default_channel__",
+      "id": "1",
+      "token": "fv7ujes35zmpe1vgkvn8",
+    },
+  ],
+  "code": "test",
+  "description": "test role",
+  "id": "3",
+  "permissions": Array [
+    "ReadCustomer",
+    "UpdateCustomer",
+  ],
+}
+`;
+
+exports[`Product resolver updateRole updates existing role 1`] = `
+Object {
+  "channels": Array [
+    Object {
+      "code": "__default_channel__",
+      "id": "1",
+      "token": "fv7ujes35zmpe1vgkvn8",
+    },
+  ],
+  "code": "test-modified",
+  "description": "test role modified",
+  "id": "3",
+  "permissions": Array [
+    "ReadCustomer",
+    "UpdateCustomer",
+    "DeleteCustomer",
+  ],
+}
+`;

+ 9 - 9
server/e2e/product.e2e-spec.ts

@@ -38,7 +38,7 @@ import {
 
 import { TestClient } from './test-client';
 import { TestServer } from './test-server';
-// tslint:disable:quotemark
+
 describe('Product resolver', () => {
     const client = new TestClient();
     const server = new TestServer();
@@ -216,7 +216,7 @@ describe('Product resolver', () => {
                 fail('Should have thrown');
             } catch (err) {
                 expect(err.message).toEqual(
-                    expect.stringContaining("No Product with the id '999' could be found"),
+                    expect.stringContaining(`No Product with the id '999' could be found`),
                 );
             }
         });
@@ -245,7 +245,7 @@ describe('Product resolver', () => {
                 fail('Should have thrown');
             } catch (err) {
                 expect(err.message).toEqual(
-                    expect.stringContaining("No Product with the id '999' could be found"),
+                    expect.stringContaining(`No Product with the id '999' could be found`),
                 );
             }
         });
@@ -262,7 +262,7 @@ describe('Product resolver', () => {
                 fail('Should have thrown');
             } catch (err) {
                 expect(err.message).toEqual(
-                    expect.stringContaining("No OptionGroup with the id '999' could be found"),
+                    expect.stringContaining(`No OptionGroup with the id '999' could be found`),
                 );
             }
         });
@@ -290,7 +290,7 @@ describe('Product resolver', () => {
                 fail('Should have thrown');
             } catch (err) {
                 expect(err.message).toEqual(
-                    expect.stringContaining("No Product with the id '999' could be found"),
+                    expect.stringContaining(`No Product with the id '999' could be found`),
                 );
             }
         });
@@ -324,7 +324,7 @@ describe('Product resolver', () => {
                     fail('Should have thrown');
                 } catch (err) {
                     expect(err.message).toEqual(
-                        expect.stringContaining("No Product with the id '999' could be found"),
+                        expect.stringContaining(`No Product with the id '999' could be found`),
                     );
                 }
             });
@@ -374,7 +374,7 @@ describe('Product resolver', () => {
                     fail('Should have thrown');
                 } catch (err) {
                     expect(err.message).toEqual(
-                        expect.stringContaining("No ProductVariant with the id '999' could be found"),
+                        expect.stringContaining(`No ProductVariant with the id '999' could be found`),
                     );
                 }
             });
@@ -405,7 +405,7 @@ describe('Product resolver', () => {
                     fail('Should have thrown');
                 } catch (err) {
                     expect(err.message).toEqual(
-                        expect.stringContaining("No FacetValue with the id '999' could be found"),
+                        expect.stringContaining(`No FacetValue with the id '999' could be found`),
                     );
                 }
             });
@@ -422,7 +422,7 @@ describe('Product resolver', () => {
                     fail('Should have thrown');
                 } catch (err) {
                     expect(err.message).toEqual(
-                        expect.stringContaining("No ProductVariant with the id '999' could be found"),
+                        expect.stringContaining(`No ProductVariant with the id '999' could be found`),
                     );
                 }
             });

+ 127 - 0
server/e2e/role.e2e-spec.ts

@@ -0,0 +1,127 @@
+import {
+    CreateRole,
+    CreateRoleVariables,
+    GetRole,
+    GetRoles,
+    GetRolesVariables,
+    GetRoleVariables,
+    Permission,
+    Role,
+    UpdateRole,
+    UpdateRoleVariables,
+} from 'shared/generated-types';
+import { CUSTOMER_ROLE_CODE, SUPER_ADMIN_ROLE_CODE } from 'shared/shared-constants';
+
+import {
+    CREATE_ROLE,
+    GET_ROLE,
+    GET_ROLES,
+    UPDATE_ROLE,
+} from '../../admin-ui/src/app/data/definitions/administrator-definitions';
+
+import { TestClient } from './test-client';
+import { TestServer } from './test-server';
+
+describe('Product resolver', () => {
+    const client = new TestClient();
+    const server = new TestServer();
+    let createdRole: Role;
+    let defaultRoles: Role[];
+
+    beforeAll(async () => {
+        const token = await server.init({
+            productCount: 1,
+            customerCount: 1,
+        });
+        await client.init();
+    }, 30000);
+
+    afterAll(async () => {
+        await server.destroy();
+    });
+
+    it('roles list returns default roles', async () => {
+        const result = await client.query<GetRoles, GetRolesVariables>(GET_ROLES);
+
+        defaultRoles = result.roles.items;
+        expect(result.roles.items.length).toBe(2);
+        expect(result.roles.totalItems).toBe(2);
+    });
+
+    it('createRole creates a new role', async () => {
+        const result = await client.query<CreateRole, CreateRoleVariables>(CREATE_ROLE, {
+            input: {
+                code: 'test',
+                description: 'test role',
+                permissions: [Permission.ReadCustomer, Permission.UpdateCustomer],
+            },
+        });
+
+        createdRole = result.createRole;
+        expect(createdRole).toMatchSnapshot();
+    });
+
+    it('role returns a role', async () => {
+        const result = await client.query<GetRole, GetRoleVariables>(GET_ROLE, { id: createdRole.id });
+        expect(result.role).toEqual(createdRole);
+    });
+
+    it('updateRole updates existing role', async () => {
+        const result = await client.query<UpdateRole, UpdateRoleVariables>(UPDATE_ROLE, {
+            input: {
+                id: createdRole.id,
+                code: 'test-modified',
+                description: 'test role modified',
+                permissions: [Permission.ReadCustomer, Permission.UpdateCustomer, Permission.DeleteCustomer],
+            },
+        });
+
+        expect(result.updateRole).toMatchSnapshot();
+    });
+
+    it('updateRole is not allowed for SuperAdmin role', async () => {
+        const superAdminRole = defaultRoles.find(r => r.code === SUPER_ADMIN_ROLE_CODE);
+        if (!superAdminRole) {
+            fail(`Could not find SuperAdmin role`);
+            return;
+        }
+        try {
+            const result = await client.query<UpdateRole, UpdateRoleVariables>(UPDATE_ROLE, {
+                input: {
+                    id: superAdminRole.id,
+                    code: 'superadmin-modified',
+                    description: 'superadmin modified',
+                    permissions: [Permission.Authenticated],
+                },
+            });
+            fail(`Should throw`);
+        } catch (err) {
+            expect(err.message).toEqual(
+                expect.stringContaining(`The role '${SUPER_ADMIN_ROLE_CODE}' cannot be modified`),
+            );
+        }
+    });
+
+    it('updateRole is not allowed for Customer role', async () => {
+        const customerRole = defaultRoles.find(r => r.code === CUSTOMER_ROLE_CODE);
+        if (!customerRole) {
+            fail(`Could not find Customer role`);
+            return;
+        }
+        try {
+            const result = await client.query<UpdateRole, UpdateRoleVariables>(UPDATE_ROLE, {
+                input: {
+                    id: customerRole.id,
+                    code: 'customer-modified',
+                    description: 'customer modified',
+                    permissions: [Permission.Authenticated, Permission.DeleteAdministrator],
+                },
+            });
+            fail(`Should throw`);
+        } catch (err) {
+            expect(err.message).toEqual(
+                expect.stringContaining(`The role '${CUSTOMER_ROLE_CODE}' cannot be modified`),
+            );
+        }
+    });
+});
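Review bot: The suite title on line 168, `describe('Product resolver', () => {`, looks copy-pasted from product.e2e-spec.ts and is baked into the snapshot keys of the new .snap file (`Product resolver createRole creates a new role 1`), so it should become `describe('Role resolver', () => {` with the snapshot regenerated in the same commit. The `token` binding in beforeAll and the `result` bindings inside the two negative tests are never read and can be dropped. In those negative tests `fail('Should throw')` is thrown inside the `try` and swallowed by the same `catch`, so a server that wrongly accepts the update is reported as a mismatched error message rather than as a missing rejection; asserting with Jest's `await expect(client.query(...)).rejects.toThrow(...)`, or moving the `fail` after the try/catch, keeps the failure mode readable. The negative tests also depend on `defaultRoles` being populated by the first `it`, so running one in isolation fails on the `find` rather than on the behaviour under test.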

+ 1 - 0
server/src/i18n/messages/en.json

@@ -1,5 +1,6 @@
 {
   "error": {
+    "cannot-modify-role": "The role '{ roleCode }' cannot be modified",
     "entity-has-no-translation-in-language": "Translatable entity '{ entityName }' has not been translated into the requested language ({ languageCode })",
     "entity-with-id-not-found": "No { entityName } with the id '{ id }' could be found",
     "invalid-sort-field": "The sort field '{ fieldName }' is invalid. Valid fields are: { validFields }"

+ 3 - 0
server/src/service/role.service.ts

@@ -71,6 +71,9 @@ export class RoleService {
         if (!role) {
             throw new I18nError(`error.entity-with-id-not-found`, { entityName: 'Role', id: input.id });
         }
+        if (role.code === SUPER_ADMIN_ROLE_CODE || role.code === CUSTOMER_ROLE_CODE) {
+            throw new I18nError(`error.cannot-modify-role`, { roleCode: role.code });
+        }
         role.code = input.code;
         role.description = input.description;
         role.permissions = input.permissions;
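Review bot: The new guard only inspects the code of the role being updated, while `role.code = input.code` two lines later still accepts any value, so a custom role can be renamed to SUPER_ADMIN_ROLE_CODE or CUSTOMER_ROLE_CODE and then collide with code-based lookups of the default roles (the new e2e spec itself finds them with `r.code === SUPER_ADMIN_ROLE_CODE`). Consider rejecting reserved codes on the input side as well, e.g. `if (input.code === SUPER_ADMIN_ROLE_CODE || input.code === CUSTOMER_ROLE_CODE) { throw new I18nError('error.cannot-modify-role', { roleCode: input.code }); }`, with a dedicated message key if the wording should differ. Whether createRole applies the same restriction is outside this diff and worth checking. The enclosing update method starts and ends outside the hunk.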