cturan
/
vendure
mirror of https://github.com/vendure-ecommerce/vendure


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696
							/* eslint-disable @typescript-eslint/no-non-null-assertion */
import { omit } from '@vendure/common/lib/omit';
import {
    CUSTOMER_ROLE_CODE,
    DEFAULT_CHANNEL_CODE,
    SUPER_ADMIN_ROLE_CODE,
} from '@vendure/common/lib/shared-constants';
import { createTestEnvironment, E2E_DEFAULT_CHANNEL_TOKEN } from '@vendure/testing';
import gql from 'graphql-tag';
import path from 'path';
import { afterAll, beforeAll, describe, expect, it } from 'vitest';

import { initialData } from '../../../e2e-common/e2e-initial-data';
import { testConfig, TEST_SETUP_TIMEOUT_MS } from '../../../e2e-common/test-config';

import { ROLE_FRAGMENT } from './graphql/fragments';
import * as Codegen from './graphql/generated-e2e-admin-types';
import { CurrencyCode, DeletionResult, LanguageCode, Permission } from './graphql/generated-e2e-admin-types';
import {
    CREATE_ADMINISTRATOR,
    CREATE_CHANNEL,
    CREATE_ROLE,
    GET_CHANNELS,
    UPDATE_ADMINISTRATOR,
    UPDATE_ROLE,
} from './graphql/shared-definitions';
import { assertThrowsWithMessage } from './utils/assert-throws-with-message';
import { sortById } from './utils/test-order-utils';

describe('Role resolver', () => {
    const { server, adminClient } = createTestEnvironment(testConfig());
    let createdRole: Codegen.RoleFragment;
    let defaultRoles: Codegen.RoleFragment[];

    beforeAll(async () => {
        await server.init({
            initialData,
            productsCsvPath: path.join(__dirname, 'fixtures/e2e-products-minimal.csv'),
            customerCount: 1,
        });
        await adminClient.asSuperAdmin();
    }, TEST_SETUP_TIMEOUT_MS);

    afterAll(async () => {
        await server.destroy();
    });

    it('roles', async () => {
        const result = await adminClient.query<Codegen.GetRolesQuery, Codegen.GetRolesQueryVariables>(
            GET_ROLES,
        );

        defaultRoles = result.roles.items;
        expect(result.roles.items.length).toBe(2);
        expect(result.roles.totalItems).toBe(2);
    });

    it('createRole with invalid permission', async () => {
        try {
            await adminClient.query<Codegen.CreateRoleMutation, Codegen.CreateRoleMutationVariables>(
                CREATE_ROLE,
                {
                    input: {
                        code: 'test',
                        description: 'test role',
                        permissions: ['ReadCatalogx' as any],
                    },
                },
            );
            fail('Should have thrown');
        } catch (e: any) {
            expect(e.response.errors[0]?.extensions.code).toBe('BAD_USER_INPUT');
        }
    });

    it('createRole with no permissions includes Authenticated', async () => {
        const { createRole } = await adminClient.query<
            Codegen.CreateRoleMutation,
            Codegen.CreateRoleMutationVariables
        >(CREATE_ROLE, {
            input: {
                code: 'test',
                description: 'test role',
                permissions: [],
            },
        });

        expect(omit(createRole, ['channels'])).toEqual({
            code: 'test',
            description: 'test role',
            id: 'T_3',
            permissions: [Permission.Authenticated],
        });
    });

    it('createRole deduplicates permissions', async () => {
        const { createRole } = await adminClient.query<
            Codegen.CreateRoleMutation,
            Codegen.CreateRoleMutationVariables
        >(CREATE_ROLE, {
            input: {
                code: 'test2',
                description: 'test role2',
                permissions: [Permission.ReadSettings, Permission.ReadSettings],
            },
        });

        expect(omit(createRole, ['channels'])).toEqual({
            code: 'test2',
            description: 'test role2',
            id: 'T_4',
            permissions: [Permission.Authenticated, Permission.ReadSettings],
        });
    });

    it('createRole with permissions', async () => {
        const result = await adminClient.query<
            Codegen.CreateRoleMutation,
            Codegen.CreateRoleMutationVariables
        >(CREATE_ROLE, {
            input: {
                code: 'test',
                description: 'test role',
                permissions: [Permission.ReadCustomer, Permission.UpdateCustomer],
            },
        });

        createdRole = result.createRole;
        expect(createdRole).toEqual({
            code: 'test',
            description: 'test role',
            id: 'T_5',
            permissions: [Permission.Authenticated, Permission.ReadCustomer, Permission.UpdateCustomer],
            channels: [
                {
                    code: DEFAULT_CHANNEL_CODE,
                    id: 'T_1',
                    token: 'e2e-default-channel',
                },
            ],
        });
    });

    it('role', async () => {
        const result = await adminClient.query<Codegen.GetRoleQuery, Codegen.GetRoleQueryVariables>(
            GET_ROLE,
            {
                id: createdRole.id,
            },
        );
        expect(result.role).toEqual(createdRole);
    });

    describe('updateRole', () => {
        it('updates role', async () => {
            const result = await adminClient.query<
                Codegen.UpdateRoleMutation,
                Codegen.UpdateRoleMutationVariables
            >(UPDATE_ROLE, {
                input: {
                    id: createdRole.id,
                    code: 'test-modified',
                    description: 'test role modified',
                    permissions: [
                        Permission.ReadCustomer,
                        Permission.UpdateCustomer,
                        Permission.DeleteCustomer,
                    ],
                },
            });

            expect(omit(result.updateRole, ['channels'])).toEqual({
                code: 'test-modified',
                description: 'test role modified',
                id: 'T_5',
                permissions: [
                    Permission.Authenticated,
                    Permission.ReadCustomer,
                    Permission.UpdateCustomer,
                    Permission.DeleteCustomer,
                ],
            });
        });

        it('works with partial input', async () => {
            const result = await adminClient.query<
                Codegen.UpdateRoleMutation,
                Codegen.UpdateRoleMutationVariables
            >(UPDATE_ROLE, {
                input: {
                    id: createdRole.id,
                    code: 'test-modified-again',
                },
            });

            expect(result.updateRole.code).toBe('test-modified-again');
            expect(result.updateRole.description).toBe('test role modified');
            expect(result.updateRole.permissions).toEqual([
                Permission.Authenticated,
                Permission.ReadCustomer,
                Permission.UpdateCustomer,
                Permission.DeleteCustomer,
            ]);
        });

        it('deduplicates permissions', async () => {
            const result = await adminClient.query<
                Codegen.UpdateRoleMutation,
                Codegen.UpdateRoleMutationVariables
            >(UPDATE_ROLE, {
                input: {
                    id: createdRole.id,
                    permissions: [
                        Permission.Authenticated,
                        Permission.Authenticated,
                        Permission.ReadCustomer,
                        Permission.ReadCustomer,
                    ],
                },
            });

            expect(result.updateRole.permissions).toEqual([
                Permission.Authenticated,
                Permission.ReadCustomer,
            ]);
        });

        it(
            'does not allow setting non-assignable permissions - Owner',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.UpdateRoleMutation, Codegen.UpdateRoleMutationVariables>(
                    UPDATE_ROLE,
                    {
                        input: {
                            id: createdRole.id,
                            permissions: [Permission.Owner],
                        },
                    },
                );
            }, 'The permission "Owner" may not be assigned'),
        );

        it(
            'does not allow setting non-assignable permissions - Public',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.UpdateRoleMutation, Codegen.UpdateRoleMutationVariables>(
                    UPDATE_ROLE,
                    {
                        input: {
                            id: createdRole.id,
                            permissions: [Permission.Public],
                        },
                    },
                );
            }, 'The permission "Public" may not be assigned'),
        );

        it(
            'does not allow setting SuperAdmin permission',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.UpdateRoleMutation, Codegen.UpdateRoleMutationVariables>(
                    UPDATE_ROLE,
                    {
                        input: {
                            id: createdRole.id,
                            permissions: [Permission.SuperAdmin],
                        },
                    },
                );
            }, 'The permission "SuperAdmin" may not be assigned'),
        );

        it(
            'is not allowed for SuperAdmin role',
            assertThrowsWithMessage(async () => {
                const superAdminRole = defaultRoles.find(r => r.code === SUPER_ADMIN_ROLE_CODE);
                if (!superAdminRole) {
                    fail('Could not find SuperAdmin role');
                    return;
                }
                return adminClient.query<Codegen.UpdateRoleMutation, Codegen.UpdateRoleMutationVariables>(
                    UPDATE_ROLE,
                    {
                        input: {
                            id: superAdminRole.id,
                            code: 'superadmin-modified',
                            description: 'superadmin modified',
                            permissions: [Permission.Authenticated],
                        },
                    },
                );
            }, `The role "${SUPER_ADMIN_ROLE_CODE}" cannot be modified`),
        );

        it(
            'is not allowed for Customer role',
            assertThrowsWithMessage(async () => {
                const customerRole = defaultRoles.find(r => r.code === CUSTOMER_ROLE_CODE);
                if (!customerRole) {
                    fail('Could not find Customer role');
                    return;
                }
                return adminClient.query<Codegen.UpdateRoleMutation, Codegen.UpdateRoleMutationVariables>(
                    UPDATE_ROLE,
                    {
                        input: {
                            id: customerRole.id,
                            code: 'customer-modified',
                            description: 'customer modified',
                            permissions: [Permission.Authenticated, Permission.DeleteAdministrator],
                        },
                    },
                );
            }, `The role "${CUSTOMER_ROLE_CODE}" cannot be modified`),
        );
    });

    it(
        'deleteRole is not allowed for Customer role',
        assertThrowsWithMessage(async () => {
            const customerRole = defaultRoles.find(r => r.code === CUSTOMER_ROLE_CODE);
            if (!customerRole) {
                fail('Could not find Customer role');
                return;
            }
            return adminClient.query<Codegen.DeleteRoleMutation, Codegen.DeleteRoleMutationVariables>(
                DELETE_ROLE,
                {
                    id: customerRole.id,
                },
            );
        }, `The role "${CUSTOMER_ROLE_CODE}" cannot be deleted`),
    );

    it(
        'deleteRole is not allowed for SuperAdmin role',
        assertThrowsWithMessage(async () => {
            const superAdminRole = defaultRoles.find(r => r.code === SUPER_ADMIN_ROLE_CODE);
            if (!superAdminRole) {
                fail('Could not find Customer role');
                return;
            }
            return adminClient.query<Codegen.DeleteRoleMutation, Codegen.DeleteRoleMutationVariables>(
                DELETE_ROLE,
                {
                    id: superAdminRole.id,
                },
            );
        }, `The role "${SUPER_ADMIN_ROLE_CODE}" cannot be deleted`),
    );

    it('deleteRole deletes a role', async () => {
        const { deleteRole } = await adminClient.query<
            Codegen.DeleteRoleMutation,
            Codegen.DeleteRoleMutationVariables
        >(DELETE_ROLE, {
            id: createdRole.id,
        });

        expect(deleteRole.result).toBe(DeletionResult.DELETED);

        const { role } = await adminClient.query<Codegen.GetRoleQuery, Codegen.GetRoleQueryVariables>(
            GET_ROLE,
            {
                id: createdRole.id,
            },
        );
        expect(role).toBeNull();
    });

    describe('multi-channel', () => {
        let secondChannel: Codegen.ChannelFragment;
        let multiChannelRole: Codegen.CreateRoleMutation['createRole'];

        beforeAll(async () => {
            const { createChannel } = await adminClient.query<
                Codegen.CreateChannelMutation,
                Codegen.CreateChannelMutationVariables
            >(CREATE_CHANNEL, {
                input: {
                    code: 'second-channel',
                    token: 'second-channel-token',
                    defaultLanguageCode: LanguageCode.en,
                    currencyCode: CurrencyCode.GBP,
                    pricesIncludeTax: true,
                    defaultShippingZoneId: 'T_1',
                    defaultTaxZoneId: 'T_1',
                },
            });

            secondChannel = createChannel as any;
        });

        it('createRole with specified channel', async () => {
            const result = await adminClient.query<
                Codegen.CreateRoleMutation,
                Codegen.CreateRoleMutationVariables
            >(CREATE_ROLE, {
                input: {
                    code: 'multi-test',
                    description: 'multi channel test role',
                    permissions: [Permission.ReadCustomer],
                    channelIds: [secondChannel.id],
                },
            });

            multiChannelRole = result.createRole;
            expect(multiChannelRole).toEqual({
                code: 'multi-test',
                description: 'multi channel test role',
                id: 'T_6',
                permissions: [Permission.Authenticated, Permission.ReadCustomer],
                channels: [
                    {
                        code: 'second-channel',
                        id: 'T_2',
                        token: 'second-channel-token',
                    },
                ],
            });
        });

        it('updateRole with specified channel', async () => {
            const { updateRole } = await adminClient.query<
                Codegen.UpdateRoleMutation,
                Codegen.UpdateRoleMutationVariables
            >(UPDATE_ROLE, {
                input: {
                    id: multiChannelRole.id,
                    channelIds: ['T_1', 'T_2'],
                },
            });

            expect(updateRole.channels.sort(sortById)).toEqual([
                {
                    code: DEFAULT_CHANNEL_CODE,
                    id: 'T_1',
                    token: 'e2e-default-channel',
                },
                {
                    code: 'second-channel',
                    id: 'T_2',
                    token: 'second-channel-token',
                },
            ]);
        });
    });

    // https://github.com/vendure-ecommerce/vendure/issues/1874
    describe('role escalation', () => {
        let defaultChannel: Codegen.GetChannelsQuery['channels'][number];
        let secondChannel: Codegen.GetChannelsQuery['channels'][number];
        let limitedAdmin: Codegen.CreateAdministratorMutation['createAdministrator'];
        let orderReaderRole: Codegen.CreateRoleMutation['createRole'];
        let adminCreatorRole: Codegen.CreateRoleMutation['createRole'];
        let adminCreatorAdministrator: Codegen.CreateAdministratorMutation['createAdministrator'];

        beforeAll(async () => {
            const { channels } = await adminClient.query<Codegen.GetChannelsQuery>(GET_CHANNELS);
            defaultChannel = channels.items.find(c => c.token === E2E_DEFAULT_CHANNEL_TOKEN)!;
            secondChannel = channels.items.find(c => c.token !== E2E_DEFAULT_CHANNEL_TOKEN)!;
            adminClient.setChannelToken(E2E_DEFAULT_CHANNEL_TOKEN);
            await adminClient.asSuperAdmin();
            const { createRole } = await adminClient.query<
                Codegen.CreateRoleMutation,
                Codegen.CreateRoleMutationVariables
            >(CREATE_ROLE, {
                input: {
                    code: 'second-channel-admin-manager',
                    description: '',
                    channelIds: [secondChannel.id],
                    permissions: [
                        Permission.CreateAdministrator,
                        Permission.ReadAdministrator,
                        Permission.UpdateAdministrator,
                        Permission.DeleteAdministrator,
                    ],
                },
            });

            const { createAdministrator } = await adminClient.query<
                Codegen.CreateAdministratorMutation,
                Codegen.CreateAdministratorMutationVariables
            >(CREATE_ADMINISTRATOR, {
                input: {
                    firstName: 'channel2',
                    lastName: 'admin manager',
                    emailAddress: 'channel2@test.com',
                    roleIds: [createRole.id],
                    password: 'test',
                },
            });
            limitedAdmin = createAdministrator;

            const { createRole: createRole2 } = await adminClient.query<
                Codegen.CreateRoleMutation,
                Codegen.CreateRoleMutationVariables
            >(CREATE_ROLE, {
                input: {
                    code: 'second-channel-order-manager',
                    description: '',
                    channelIds: [secondChannel.id],
                    permissions: [Permission.ReadOrder],
                },
            });

            orderReaderRole = createRole2;

            adminClient.setChannelToken(secondChannel.token);
            await adminClient.asUserWithCredentials(limitedAdmin.emailAddress, 'test');
        });

        it(
            'limited admin cannot create Role with SuperAdmin permission',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.CreateRoleMutation, Codegen.CreateRoleMutationVariables>(
                    CREATE_ROLE,
                    {
                        input: {
                            code: 'evil-superadmin',
                            description: '',
                            channelIds: [secondChannel.id],
                            permissions: [Permission.SuperAdmin],
                        },
                    },
                );
            }, 'The permission "SuperAdmin" may not be assigned'),
        );

        it(
            'limited admin cannot create Administrator with SuperAdmin role',
            assertThrowsWithMessage(async () => {
                const superAdminRole = defaultRoles.find(r => r.code === SUPER_ADMIN_ROLE_CODE)!;
                await adminClient.query<
                    Codegen.CreateAdministratorMutation,
                    Codegen.CreateAdministratorMutationVariables
                >(CREATE_ADMINISTRATOR, {
                    input: {
                        firstName: 'Dr',
                        lastName: 'Evil',
                        emailAddress: 'drevil@test.com',
                        roleIds: [superAdminRole.id],
                        password: 'test',
                    },
                });
            }, 'Active user does not have sufficient permissions'),
        );

        it(
            'limited admin cannot create Role with permissions it itself does not have',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.CreateRoleMutation, Codegen.CreateRoleMutationVariables>(
                    CREATE_ROLE,
                    {
                        input: {
                            code: 'evil-order-manager',
                            description: '',
                            channelIds: [secondChannel.id],
                            permissions: [Permission.ReadOrder],
                        },
                    },
                );
            }, 'Active user does not have sufficient permissions'),
        );

        it(
            'limited admin cannot create Role on channel it does not have permissions on',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.CreateRoleMutation, Codegen.CreateRoleMutationVariables>(
                    CREATE_ROLE,
                    {
                        input: {
                            code: 'evil-order-manager',
                            description: '',
                            channelIds: [defaultChannel.id],
                            permissions: [Permission.CreateAdministrator],
                        },
                    },
                );
            }, 'You are not currently authorized to perform this action'),
        );

        it(
            'limited admin cannot create Administrator with a Role with greater permissions than they themselves have',
            assertThrowsWithMessage(async () => {
                await adminClient.query<
                    Codegen.CreateAdministratorMutation,
                    Codegen.CreateAdministratorMutationVariables
                >(CREATE_ADMINISTRATOR, {
                    input: {
                        firstName: 'Dr',
                        lastName: 'Evil',
                        emailAddress: 'drevil@test.com',
                        roleIds: [orderReaderRole.id],
                        password: 'test',
                    },
                });
            }, 'Active user does not have sufficient permissions'),
        );

        it('limited admin can create Role with permissions it itself has', async () => {
            const { createRole } = await adminClient.query<
                Codegen.CreateRoleMutation,
                Codegen.CreateRoleMutationVariables
            >(CREATE_ROLE, {
                input: {
                    code: 'good-admin-creator',
                    description: '',
                    channelIds: [secondChannel.id],
                    permissions: [Permission.CreateAdministrator],
                },
            });

            expect(createRole.code).toBe('good-admin-creator');
            adminCreatorRole = createRole;
        });

        it('limited admin can create Administrator with permissions it itself has', async () => {
            const { createAdministrator } = await adminClient.query<
                Codegen.CreateAdministratorMutation,
                Codegen.CreateAdministratorMutationVariables
            >(CREATE_ADMINISTRATOR, {
                input: {
                    firstName: 'Admin',
                    lastName: 'Creator',
                    emailAddress: 'admincreator@test.com',
                    roleIds: [adminCreatorRole.id],
                    password: 'test',
                },
            });

            expect(createAdministrator.emailAddress).toBe('admincreator@test.com');
            adminCreatorAdministrator = createAdministrator;
        });

        it(
            'limited admin cannot update Role with permissions it itself lacks',
            assertThrowsWithMessage(async () => {
                await adminClient.query<Codegen.UpdateRoleMutation, Codegen.UpdateRoleMutationVariables>(
                    UPDATE_ROLE,
                    {
                        input: {
                            id: adminCreatorRole.id,
                            permissions: [Permission.ReadOrder],
                        },
                    },
                );
            }, 'Active user does not have sufficient permissions'),
        );

        it(
            'limited admin cannot update Administrator with Role containing permissions it itself lacks',
            assertThrowsWithMessage(async () => {
                await adminClient.query<
                    Codegen.UpdateAdministratorMutation,
                    Codegen.UpdateAdministratorMutationVariables
                >(UPDATE_ADMINISTRATOR, {
                    input: {
                        id: adminCreatorAdministrator.id,
                        roleIds: [adminCreatorRole.id, orderReaderRole.id],
                    },
                });
            }, 'Active user does not have sufficient permissions'),
        );
    });
});

export const GET_ROLES = gql`
    query GetRoles($options: RoleListOptions) {
        roles(options: $options) {
            items {
                ...Role
            }
            totalItems
        }
    }
    ${ROLE_FRAGMENT}
`;

export const GET_ROLE = gql`
    query GetRole($id: ID!) {
        role(id: $id) {
            ...Role
        }
    }
    ${ROLE_FRAGMENT}
`;

export const DELETE_ROLE = gql`
    mutation DeleteRole($id: ID!) {
        deleteRole(id: $id) {
            result
            message
        }
    }
`;