payload/test/query-presets/int.spec.ts
Jacob Fletcher 998181b986 feat: query presets (#11330)
Query Presets allow you to save and share filters, columns, and sort
orders for your collections. This is useful for reusing common or
complex filtering patterns and column configurations across your team.
Query Presets are defined on the fly by the users of your app, rather
than being hard coded into the Payload Config.

Here's a screen recording demonstrating the general workflow as it
relates to the list view. Query Presets are not exclusive to the admin
panel, however, as they could be useful in a number of other contexts
and environments.


https://github.com/user-attachments/assets/1fe1155e-ae78-4f59-9138-af352762a1d5

Each Query Preset is saved as a new record in the database under the
`payload-query-presets` collection. This will effectively make them
CRUDable and allows for an endless number of preset configurations. As
you make changes to filters, columns, limit, etc. you can choose to save
them as a new record and optionally share them with others.

Normal document-level access control will determine who can read,
update, and delete these records. Payload provides a set of sensible
defaults here, such as "only me", "everyone", and "specific users", but
you can also extend your own set of access rules on top of this, such as
"by role", etc. Access control is customizable at the operation-level,
for example you can set this to "everyone" can read, but "only me" can
update.

To enable the Query Presets within a particular collection, set
`enableQueryPresets` on that collection's config.

Here's an example:

```ts
{
  // ...
  enableQueryPresets: true
}
```

Once enabled, a new set of controls will appear within the list view of
the admin panel. This is where you can select and manage query presets.

General settings for Query Presets are configured under the root
`queryPresets` property. This is where you can customize the labels,
apply custom access control rules, etc.

Here's an example of how you might augment the access control properties
with your own custom rule to achieve RBAC:

```ts
{
  // ...
  queryPresets: {
    constraints: {
      read: [
        {
          label: 'Specific Roles',
          value: 'specificRoles',
          fields: [roles],
          access: ({ req: { user } }) => ({
            'access.update.roles': {
              in: [user?.roles],
            },
          }),
        },
      ],
    }
  }
}
```

Related: #4193 and #3092

---------

Co-authored-by: Dan Ribbens <dan.ribbens@gmail.com>
2025-03-24 13:16:39 -04:00


import type { NextRESTClient } from 'helpers/NextRESTClient.js'
import type { Payload, User } from 'payload'
import path from 'path'
import { fileURLToPath } from 'url'
import { devUser, regularUser } from '../credentials.js'
import { initPayloadInt } from '../helpers/initPayloadInt.js'
// Slug of the collection that stores saved query presets.
const queryPresetsCollectionSlug = 'payload-query-presets'

// Directory of this spec file, handed to initPayloadInt in beforeAll.
const filename = fileURLToPath(import.meta.url)
const dirname = path.dirname(filename)

// Instances populated once in beforeAll and shared by every test below.
let payload: Payload
let restClient: NextRESTClient

// Accounts logged in during beforeAll; `user2` and `anonymousUser` act as
// the "other" actors in the access-control tests.
let user: User
let user2: User
let anonymousUser: User
describe('Query Presets', () => {
beforeAll(async () => {
  // @ts-expect-error: initPayloadInt does not have a proper type definition
  ;({ payload, restClient } = await initPayloadInt(dirname))

  // Log in via the local API and keep only the resulting user document.
  const loginAs = async (email: string, password: string): Promise<User> => {
    const loginResult = await payload.login({
      collection: 'users',
      data: {
        email,
        password,
      },
    })
    return loginResult.user
  }

  user = await loginAs(devUser.email, devUser.password)
  user2 = await loginAs(regularUser.email, regularUser.password)
  // the "anonymous" account shares the regular user's password in the fixtures
  anonymousUser = await loginAs('anonymous@email.com', regularUser.password)
})
afterAll(async () => {
  // Tear down the database adapter when it exposes a destroy hook.
  const canDestroy = typeof payload.db.destroy === 'function'
  if (!canDestroy) {
    return
  }
  await payload.db.destroy()
})
describe('default access control', () => {
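it('should only allow logged in users to perform actions', async () => {
  // Every operation below runs with `user: undefined` and `overrideAccess: false`,
  // i.e. as an unauthenticated request; the collection's default access control
  // must refuse each of them. `rejects.toThrow` is used instead of try/catch so a
  // call that unexpectedly succeeds fails the test directly rather than having its
  // failed `expect` swallowed by a catch block.
  const forbiddenMessage = 'You are not allowed to perform this action.'

  // create
  await expect(
    payload.create({
      collection: queryPresetsCollectionSlug,
      user: undefined,
      overrideAccess: false,
      data: {
        title: 'Only Logged In Users',
        relatedCollection: 'pages',
      },
    }),
  ).rejects.toThrow(forbiddenMessage)

  // Seed a record with access control bypassed (local API default) so the
  // read/update/delete checks target a preset that really exists.
  const { id } = await payload.create({
    collection: queryPresetsCollectionSlug,
    data: {
      title: 'Only Logged In Users',
      relatedCollection: 'pages',
    },
  })

  // read
  await expect(
    payload.findByID({
      collection: queryPresetsCollectionSlug,
      depth: 0,
      user: undefined,
      overrideAccess: false,
      id,
    }),
  ).rejects.toThrow(forbiddenMessage)

  // update
  await expect(
    payload.update({
      collection: queryPresetsCollectionSlug,
      id,
      user: undefined,
      overrideAccess: false,
      data: {
        title: 'Only Logged In Users (Updated)',
      },
    }),
  ).rejects.toThrow(forbiddenMessage)

  // the refused update must not have been persisted
  const presetAfterUpdate = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    id,
  })
  expect(presetAfterUpdate.title).toBe('Only Logged In Users')

  // delete: target the seeded record itself. The previous version deleted a
  // non-existent id ('some-id'), so it never proved the real record was protected.
  await expect(
    payload.delete({
      collection: queryPresetsCollectionSlug,
      id,
      user: undefined,
      overrideAccess: false,
    }),
  ).rejects.toThrow(forbiddenMessage)

  // the refused delete must not have removed the record
  const presetAfterDelete = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    id,
  })
  expect(presetAfterDelete.title).toBe('Only Logged In Users')
})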
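it('should respect access when set to "specificUsers"', async () => {
  // Preset whose read and update access list only `user` (access.*.users).
  const presetForSpecificUsers = await payload.create({
    collection: queryPresetsCollectionSlug,
    user,
    data: {
      title: 'Specific Users',
      where: {
        text: {
          equals: 'example page',
        },
      },
      access: {
        read: {
          constraint: 'specificUsers',
          users: [user.id],
        },
        update: {
          constraint: 'specificUsers',
          users: [user.id],
        },
      },
      relatedCollection: 'pages',
    },
  })

  // the listed user can read the preset
  const foundPresetWithUser1 = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    user,
    overrideAccess: false,
    id: presetForSpecificUsers.id,
  })
  expect(foundPresetWithUser1.id).toBe(presetForSpecificUsers.id)

  // an unlisted user must not even learn that the preset exists
  await expect(
    payload.findByID({
      collection: queryPresetsCollectionSlug,
      depth: 0,
      user: user2,
      overrideAccess: false,
      id: presetForSpecificUsers.id,
    }),
  ).rejects.toThrow('Not Found')

  // the listed user can update the preset
  const presetUpdatedByUser1 = await payload.update({
    collection: queryPresetsCollectionSlug,
    id: presetForSpecificUsers.id,
    user,
    overrideAccess: false,
    data: {
      title: 'Specific Users (Updated)',
    },
  })
  expect(presetUpdatedByUser1.title).toBe('Specific Users (Updated)')

  // an unlisted user is refused. The attempted title is deliberately different
  // from the one just saved: the original test reused the same title, so a
  // silently applied write would have been indistinguishable from a refused one.
  await expect(
    payload.update({
      collection: queryPresetsCollectionSlug,
      id: presetForSpecificUsers.id,
      user: user2,
      overrideAccess: false,
      data: {
        title: 'Specific Users (Updated by User 2)',
      },
    }),
  ).rejects.toThrow('You are not allowed to perform this action.')

  // the refused update must not have been persisted (read with access bypassed)
  const presetAfterDeniedUpdate = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    id: presetForSpecificUsers.id,
  })
  expect(presetAfterDeniedUpdate.title).toBe('Specific Users (Updated)')
})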
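it('should respect access when set to "onlyMe"', async () => {
  // create a new doc so that the creating user is the owner
  const presetForOnlyMe = await payload.create({
    collection: queryPresetsCollectionSlug,
    user,
    data: {
      title: 'Only Me',
      where: {
        text: {
          equals: 'example page',
        },
      },
      access: {
        read: {
          constraint: 'onlyMe',
        },
        update: {
          constraint: 'onlyMe',
        },
      },
      relatedCollection: 'pages',
    },
  })

  // the owner can read the preset
  const foundPresetWithUser1 = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    user,
    overrideAccess: false,
    id: presetForOnlyMe.id,
  })
  expect(foundPresetWithUser1.id).toBe(presetForOnlyMe.id)

  // another user must not even learn that the preset exists
  await expect(
    payload.findByID({
      collection: queryPresetsCollectionSlug,
      depth: 0,
      user: user2,
      overrideAccess: false,
      id: presetForOnlyMe.id,
    }),
  ).rejects.toThrow('Not Found')

  // the owner can update the preset
  const presetUpdatedByUser1 = await payload.update({
    collection: queryPresetsCollectionSlug,
    id: presetForOnlyMe.id,
    user,
    overrideAccess: false,
    data: {
      title: 'Only Me (Updated)',
    },
  })
  expect(presetUpdatedByUser1.title).toBe('Only Me (Updated)')

  // another user is refused. The attempted title differs from the one just
  // saved so that a silently applied write is caught by the persistence check.
  await expect(
    payload.update({
      collection: queryPresetsCollectionSlug,
      id: presetForOnlyMe.id,
      user: user2,
      overrideAccess: false,
      data: {
        title: 'Only Me (Updated by User 2)',
      },
    }),
  ).rejects.toThrow('You are not allowed to perform this action.')

  // the refused update must not have been persisted (read with access bypassed)
  const presetAfterDeniedUpdate = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    id: presetForOnlyMe.id,
  })
  expect(presetAfterDeniedUpdate.title).toBe('Only Me (Updated)')
})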
it('should respect access when set to "everyone"', async () => {
  // Preset whose read, update and delete access are all open to everyone.
  const presetForEveryone = await payload.create({
    collection: queryPresetsCollectionSlug,
    user,
    data: {
      title: 'Everyone',
      where: {
        text: {
          equals: 'example page',
        },
      },
      access: {
        read: {
          constraint: 'everyone',
        },
        update: {
          constraint: 'everyone',
        },
        delete: {
          constraint: 'everyone',
        },
      },
      relatedCollection: 'pages',
    },
  })

  // Read the preset as the given account with access control enforced.
  const readAs = (actor: User) =>
    payload.findByID({
      collection: queryPresetsCollectionSlug,
      depth: 0,
      user: actor,
      overrideAccess: false,
      id: presetForEveryone.id,
    })

  // Rename the preset as the given account with access control enforced.
  const renameAs = (actor: User, title: string) =>
    payload.update({
      collection: queryPresetsCollectionSlug,
      id: presetForEveryone.id,
      user: actor,
      overrideAccess: false,
      data: {
        title,
      },
    })

  // both the creator and an unrelated user can read it
  const readByUser1 = await readAs(user)
  expect(readByUser1.id).toBe(presetForEveryone.id)
  const readByUser2 = await readAs(user2)
  expect(readByUser2.id).toBe(presetForEveryone.id)

  // and both can update it
  const renamedByUser1 = await renameAs(user, 'Everyone (Update 1)')
  expect(renamedByUser1.title).toBe('Everyone (Update 1)')
  const renamedByUser2 = await renameAs(user2, 'Everyone (Update 2)')
  expect(renamedByUser2.title).toBe('Everyone (Update 2)')
})
})
describe('user-defined access control', () => {
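it('should respect top-level access control overrides', async () => {
  // Preset with every document-level constraint set to "everyone"; the test's
  // expectation is that a top-level (config-level) rule still refuses the
  // `anonymousUser` account regardless of the document's own constraints.
  const preset = await payload.create({
    collection: queryPresetsCollectionSlug,
    user,
    data: {
      title: 'Top-Level Access Control Override',
      relatedCollection: 'pages',
      access: {
        read: {
          constraint: 'everyone',
        },
        update: {
          constraint: 'everyone',
        },
        delete: {
          constraint: 'everyone',
        },
      },
    },
  })

  // the creator can read it
  const foundPresetWithUser1 = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    user,
    overrideAccess: false,
    id: preset.id,
  })
  expect(foundPresetWithUser1.id).toBe(preset.id)

  // `rejects.toThrow` replaces the earlier try/catch: a read that unexpectedly
  // succeeded would otherwise have its failed `expect` caught and reported as a
  // wrong error message instead of as an access-control regression.
  await expect(
    payload.findByID({
      collection: queryPresetsCollectionSlug,
      depth: 0,
      user: anonymousUser,
      overrideAccess: false,
      id: preset.id,
    }),
  ).rejects.toThrow('You are not allowed to perform this action.')
})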
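it('should respect access when set to "specificRoles"', async () => {
  // Preset whose read and update access require the 'admin' role.
  const presetForSpecificRoles = await payload.create({
    collection: queryPresetsCollectionSlug,
    user,
    data: {
      title: 'Specific Roles',
      where: {
        text: {
          equals: 'example page',
        },
      },
      access: {
        read: {
          constraint: 'specificRoles',
          roles: ['admin'],
        },
        update: {
          constraint: 'specificRoles',
          roles: ['admin'],
        },
      },
      relatedCollection: 'pages',
    },
  })

  // `user` can read the preset
  const foundPresetWithUser1 = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    user,
    overrideAccess: false,
    id: presetForSpecificRoles.id,
  })
  expect(foundPresetWithUser1.id).toBe(presetForSpecificRoles.id)

  // `user2` must not even learn that the preset exists
  await expect(
    payload.findByID({
      collection: queryPresetsCollectionSlug,
      depth: 0,
      user: user2,
      overrideAccess: false,
      id: presetForSpecificRoles.id,
    }),
  ).rejects.toThrow('Not Found')

  // `user` can update the preset
  const presetUpdatedByUser1 = await payload.update({
    collection: queryPresetsCollectionSlug,
    id: presetForSpecificRoles.id,
    user,
    overrideAccess: false,
    data: {
      title: 'Specific Roles (Updated)',
    },
  })
  expect(presetUpdatedByUser1.title).toBe('Specific Roles (Updated)')

  // `user2` is refused. The attempted title differs from the one just saved so
  // that a silently applied write is caught by the persistence check below.
  await expect(
    payload.update({
      collection: queryPresetsCollectionSlug,
      id: presetForSpecificRoles.id,
      user: user2,
      overrideAccess: false,
      data: {
        title: 'Specific Roles (Updated by User 2)',
      },
    }),
  ).rejects.toThrow('You are not allowed to perform this action.')

  // the refused update must not have been persisted (read with access bypassed)
  const presetAfterDeniedUpdate = await payload.findByID({
    collection: queryPresetsCollectionSlug,
    depth: 0,
    id: presetForSpecificRoles.id,
  })
  expect(presetAfterDeniedUpdate.title).toBe('Specific Roles (Updated)')
})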
})
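it.skip('should disable query presets when "enabledQueryPresets" is not true on the collection', async () => {
  // Still skipped, as in the original. Rewritten with `rejects` so that, once
  // enabled, it cannot pass vacuously: the previous try/catch caught the failed
  // `expect(result).toBeFalsy()` of a successful create and then only asserted
  // that *some* error was defined. The collection slug now comes from the shared
  // constant for consistency with the other tests.
  await expect(
    payload.create({
      collection: queryPresetsCollectionSlug,
      user,
      data: {
        title: 'Disabled Query Presets',
        relatedCollection: 'pages',
      },
    }),
  ).rejects.toThrow()
})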
describe('Where object formatting', () => {
it('transforms "where" query objects into the "and" / "or" format', async () => {
  // Save a preset with a plain field-level `where` clause.
  const createdPreset = await payload.create({
    collection: queryPresetsCollectionSlug,
    user,
    data: {
      title: 'Where Object Formatting',
      where: {
        text: {
          equals: 'example page',
        },
      },
      access: {
        read: {
          constraint: 'everyone',
        },
        update: {
          constraint: 'everyone',
        },
        delete: {
          constraint: 'everyone',
        },
      },
      relatedCollection: 'pages',
    },
  })

  // The stored form wraps the original clause as `or -> and -> clause`.
  const normalizedWhere = {
    or: [
      {
        and: [
          {
            text: {
              equals: 'example page',
            },
          },
        ],
      },
    ],
  }
  expect(createdPreset.where).toMatchObject(normalizedWhere)
})
})
})