prosody
cfc42ed3892c
spec/util_roles_spec.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

spec/util_roles_spec.lua @ 13524:cfc42ed3892c

mod_pubsub: Check new role framework for node creation privileges This enables granting regular users permission to create nodes via the new roles framework. Previously this required either making everyone an admin or writing a custom mod_pubsub variant with different permission details. Previous default behavior of only allowing creation by admin is kept as to not give out unexpected permissions on upgrade, but could be reevaluated at a later time. Fixes #1324
author Kim Alvefur <zash@zash.se>
date Sun, 13 Oct 2024 13:03:08 +0200
parent 12754:a92ca737d05f
line wrap: on
line source

describe("util.roles", function ()
	randomize(false);
	local roles;
	it("can be loaded", function ()
		roles = require "util.roles";
	end);
	local test_role;
	it("can create a new role", function ()
		test_role = roles.new();
		assert.is_not_nil(test_role);
		assert.is_truthy(roles.is_role(test_role));
	end);
	describe("role object", function ()
		it("can be initialized with permissions", function ()
			local test_role_2 = roles.new({
				permissions = {
					perm1 = true;
					perm2 = false;
				};
			});
			assert.truthy(test_role_2:may("perm1"));
			assert.falsy(test_role_2:may("perm2"));
		end);
		it("has a sensible tostring", function ()
			local test_role_2 = roles.new({
				id = "test-role-2";
				name = "Test Role 2";
			});
			assert.truthy(tostring(test_role_2):find(test_role_2.id, 1, true));
			assert.truthy(tostring(test_role_2):find("Test Role 2", 1, true));
		end);
		it("is restrictive by default", function ()
			assert.falsy(test_role:may("my-permission"));
		end);
		it("allows you to set permissions", function ()
			test_role:set_permission("my-permission", true);
			assert.truthy(test_role:may("my-permission"));
		end);
		it("allows you to set negative permissions", function ()
			test_role:set_permission("my-other-permission", false);
			assert.falsy(test_role:may("my-other-permission"));
		end);
		it("does not allows you to override previously set permissions by default", function ()
			local ok, err = test_role:set_permission("my-permission", false);
			assert.falsy(ok);
			assert.is_equal("policy-already-exists", err);
			-- Confirm old permission still in place
			assert.truthy(test_role:may("my-permission"));
		end);
		it("allows you to explicitly override previously set permissions", function ()
			assert.truthy(test_role:set_permission("my-permission", false, true));
			assert.falsy(test_role:may("my-permission"));
		end);
		describe("inheritance", function ()
			local child_role;
			it("works", function ()
				test_role:set_permission("inherited-permission", true);
				child_role = roles.new({
					inherits = { test_role };
				});
				assert.truthy(child_role:may("inherited-permission"));
				assert.falsy(child_role:may("my-permission"));
			end);
			it("allows listing policies", function ()
				local expected = {
					["my-permission"] = false;
					["my-other-permission"] = false;
					["inherited-permission"] = true;
				};
				local received = {};
				for permission_name, permission_policy in child_role:policies() do
					received[permission_name] = permission_policy;
				end
				assert.same(expected, received);
			end);
			it("supports multiple depths of inheritance", function ()
				local grandchild_role = roles.new({
					inherits = { child_role };
				});
				assert.truthy(grandchild_role:may("inherited-permission"));
			end);
			describe("supports ordered inheritance from multiple roles", function ()
				local parent_role = roles.new();
				local final_role = roles.new({
					-- Yes, the names are getting confusing.
					-- btw, test_role is inherited through child_role.
					inherits = { parent_role, child_role };
				});

				local test_cases = {
					-- { <final_role policy>, <parent_role policy>, <test_role policy> }
					{ true,   nil, false, result = true };
					{  nil, false,  true, result = false };
					{  nil,  true, false, result = true };
					{  nil,  nil,  false, result = false };
					{  nil,  nil,   true, result = true };
				};

				for n, test_case in ipairs(test_cases) do
					it("(case "..n..")", function ()
						local perm_name = ("multi-inheritance-perm-%d"):format(n);
						assert.truthy(final_role:set_permission(perm_name, test_case[1]));
						assert.truthy(parent_role:set_permission(perm_name, test_case[2]));
						assert.truthy(test_role:set_permission(perm_name, test_case[3]));
						assert.equal(test_case.result, final_role:may(perm_name));
					end);
				end
			end);
			it("updates child roles when parent roles change", function ()
				assert.truthy(child_role:may("inherited-permission"));
				assert.truthy(test_role:set_permission("inherited-permission", false, true));
				assert.falsy(child_role:may("inherited-permission"));
			end);
		end);
		describe("cloning", function ()
			local cloned_role;
			it("works", function ()
				assert.truthy(test_role:set_permission("perm-1", true));
				cloned_role = test_role:clone();
				assert.truthy(cloned_role:may("perm-1"));
			end);
			it("isolates changes", function ()
				-- After cloning, changes in either the original or the clone
				-- should not appear in the other.
				assert.truthy(test_role:set_permission("perm-1", false, true));
				assert.truthy(test_role:set_permission("perm-2", true));
				assert.truthy(cloned_role:set_permission("perm-3", true));
				assert.truthy(cloned_role:may("perm-1"));
				assert.falsy(cloned_role:may("perm-2"));
				assert.falsy(test_role:may("perm-3"));
			end);
		end);
	end);
end);