
Commit b1b0b0a

author
Dylan
committed
Add open permission check for card ownership and new tests for non-owner actions
1 parent 3ce85fd commit b1b0b0a

2 files changed

Lines changed: 117 additions & 1 deletion


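--- a/src/cards/mod.rs
+++ b/src/cards/mod.rs
@@ -20,7 +20,7 @@ pub async fn assert_card_owner(
 firestore.get_documents_path(),
 participant.id
 ));
-if board.owner == participant_reference || card.owner == participant_reference {
+if board.owner == participant_reference || card.owner == participant_reference || board.open_permission {
 Ok(())
 } else {
 Err(Error::Forbidden)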
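Review bot: With `board.open_permission` short-circuiting the ownership test, `assert_card_owner` no longer asserts ownership at all on open boards — any participant that reaches it (the new tests obtain such a session from a bare `GET /boards`) passes and can modify or delete another participant's card, so the function's name now misleads callers that rely on it as an ownership guard. Add a doc comment such as `/// Allows the action when the participant owns the board or the card, or when the board has `open_permission` set (every participant may then modify or delete any card on it).` and consider renaming it to something like `assert_card_access`. If deletion is meant to stay owner-only on open boards, that has to be decided at the call site, because this check cannot distinguish update from delete. The function's signature and the loading of `board` and `card` lie outside the hunk.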

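--- a/src/integration_tests/card_tests.rs
+++ b/src/integration_tests/card_tests.rs
@@ -374,6 +374,122 @@ async fn delete_as_board_owner_returns_200() {
 boards::db::delete(&db, &board_id).await.unwrap();
 }
 
+#[tokio::test]
+#[ignore = "requires Firestore emulator: FIRESTORE_EMULATOR_HOST=localhost:8080"]
+async fn update_as_non_owner_with_open_permission_returns_200() {
+let db = emulator_db().await;
+let app = make_app!(db.clone());
+
+let board_resp = actix_web::test::call_service(
+&app,
+TestRequest::post()
+.uri("/boards")
+.set_json(json!({"open_permission": true}))
+.to_request(),
+)
+.await;
+let owner_cookie = session_cookie(&board_resp);
+let board_id = body_json(board_resp).await["id"].as_str().unwrap().to_string();
+
+let col_resp = actix_web::test::call_service(
+&app,
+TestRequest::post()
+.uri(&format!("/boards/{board_id}/columns"))
+.cookie(owner_cookie.clone())
+.set_json(json!({"name": "Col"}))
+.to_request(),
+)
+.await;
+let col_id = body_json(col_resp).await["id"].as_str().unwrap().to_string();
+
+let card_resp = actix_web::test::call_service(
+&app,
+TestRequest::post()
+.uri(&format!("/boards/{board_id}/columns/{col_id}/cards"))
+.cookie(owner_cookie)
+.set_json(json!({"text": "Original"}))
+.to_request(),
+)
+.await;
+let card_id = body_json(card_resp).await["id"].as_str().unwrap().to_string();
+
+let list_resp =
+actix_web::test::call_service(&app, TestRequest::get().uri("/boards").to_request()).await;
+let cookie_b = session_cookie(&list_resp);
+
+let resp = actix_web::test::call_service(
+&app,
+TestRequest::patch()
+.uri(&format!("/boards/{board_id}/cards/{card_id}"))
+.cookie(cookie_b)
+.set_json(json!({"text": "Updated by non-owner"}))
+.to_request(),
+)
+.await;
+
+assert_eq!(resp.status(), StatusCode::OK);
+assert_eq!(body_json(resp).await["text"], "Updated by non-owner");
+
+boards::db::delete(&db, &board_id).await.unwrap();
+}
+
+#[tokio::test]
+#[ignore = "requires Firestore emulator: FIRESTORE_EMULATOR_HOST=localhost:8080"]
+async fn delete_as_non_owner_with_open_permission_returns_200() {
+let db = emulator_db().await;
+let app = make_app!(db.clone());
+
+let board_resp = actix_web::test::call_service(
+&app,
+TestRequest::post()
+.uri("/boards")
+.set_json(json!({"open_permission": true}))
+.to_request(),
+)
+.await;
+let owner_cookie = session_cookie(&board_resp);
+let board_id = body_json(board_resp).await["id"].as_str().unwrap().to_string();
+
+let col_resp = actix_web::test::call_service(
+&app,
+TestRequest::post()
+.uri(&format!("/boards/{board_id}/columns"))
+.cookie(owner_cookie.clone())
+.set_json(json!({"name": "Col"}))
+.to_request(),
+)
+.await;
+let col_id = body_json(col_resp).await["id"].as_str().unwrap().to_string();
+
+let card_resp = actix_web::test::call_service(
+&app,
+TestRequest::post()
+.uri(&format!("/boards/{board_id}/columns/{col_id}/cards"))
+.cookie(owner_cookie)
+.set_json(json!({"text": "To be deleted"}))
+.to_request(),
+)
+.await;
+let card_id = body_json(card_resp).await["id"].as_str().unwrap().to_string();
+
+let list_resp =
+actix_web::test::call_service(&app, TestRequest::get().uri("/boards").to_request()).await;
+let cookie_b = session_cookie(&list_resp);
+
+let resp = actix_web::test::call_service(
+&app,
+TestRequest::delete()
+.uri(&format!("/boards/{board_id}/cards/{card_id}"))
+.cookie(cookie_b)
+.to_request(),
+)
+.await;
+
+assert_eq!(resp.status(), StatusCode::OK);
+
+boards::db::delete(&db, &board_id).await.unwrap();
+}
+
 #[tokio::test]
 #[ignore = "requires Firestore emulator: FIRESTORE_EMULATOR_HOST=localhost:8080"]
 async fn vote_returns_201() {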
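Review bot: Both new tests only exercise the permissive direction, so nothing in this commit pins that a board created with `"open_permission": false` (or without the field) still rejects a non-owner PATCH or DELETE — exactly the regression that would follow from the flag defaulting to true or being read from the wrong document. Unless an earlier test in this file already covers it, add a mirror test that posts `{"open_permission": false}` and asserts the forbidden status (presumably `StatusCode::FORBIDDEN`, given `Error::Forbidden` in `assert_card_owner` — confirm the mapping). The roughly forty lines of board/column/card setup are duplicated verbatim between the two tests; a helper returning `(owner_cookie, board_id, card_id)` would keep a third test short. Note also that the `boards::db::delete` cleanup never runs when an assertion panics, leaving the board behind in the emulator.
```rust
#[tokio::test]
#[ignore = "requires Firestore emulator: FIRESTORE_EMULATOR_HOST=localhost:8080"]
async fn update_as_non_owner_without_open_permission_returns_403() {
    let db = emulator_db().await;
    let app = make_app!(db.clone());
    // … same board/column/card setup as the open-permission test, but posting json!({"open_permission": false}) …
    let list_resp =
        actix_web::test::call_service(&app, TestRequest::get().uri("/boards").to_request()).await;
    let cookie_b = session_cookie(&list_resp);

    let resp = actix_web::test::call_service(
        &app,
        TestRequest::patch()
            .uri(&format!("/boards/{board_id}/cards/{card_id}"))
            .cookie(cookie_b)
            .set_json(json!({"text": "Should be rejected"}))
            .to_request(),
    )
    .await;

    // Error::Forbidden is assumed to map to 403 — confirm against the error handler.
    assert_eq!(resp.status(), StatusCode::FORBIDDEN);

    boards::db::delete(&db, &board_id).await.unwrap();
}
```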
