fix(next): admin access control (#5887)

2024-04-17 10:31:39 -04:00
parent abf0461d80
commit 6cd5b253f1
8 changed files with 108 additions and 15 deletions
--- a/test/access-control/e2e.spec.ts
+++ b/test/access-control/e2e.spec.ts
@@ -1,8 +1,10 @@
 import type { Page } from '@playwright/test'
-import type { Payload, TypeWithID } from 'payload/types'
+import type { TypeWithID } from 'payload/types'

 import { expect, test } from '@playwright/test'
+import { devUser } from 'credentials.js'
 import path from 'path'
+import { wait } from 'payload/utilities'
 import { fileURLToPath } from 'url'

 import type { PayloadTestSDK } from '../helpers/sdk/index.js'
@@ -13,6 +15,7 @@ import {
  ensureAutoLoginAndCompilationIsDone,
  exactText,
  initPageConsoleErrorCatch,
+  login,
  openDocControls,
  openNav,
  saveDocAndAssert,
@@ -22,6 +25,7 @@ import { initPayloadE2ENoConfig } from '../helpers/initPayloadE2ENoConfig.js'
 import { POLL_TOPASS_TIMEOUT } from '../playwright.config.js'
 import {
  docLevelAccessSlug,
+  noAdminAccessEmail,
  readOnlySlug,
  restrictedSlug,
  restrictedVersionsSlug,
@@ -61,7 +65,8 @@ describe('access control', () => {
    const context = await browser.newContext()
    page = await context.newPage()
    initPageConsoleErrorCatch(page)
-    await ensureAutoLoginAndCompilationIsDone({ page, serverURL })
+
+    await login({ page, serverURL })
  })

  test('field without read access should not show', async () => {
@@ -328,6 +333,28 @@ describe('access control', () => {
    // ensure user is allowed to edit this document
    await expect(documentDrawer2.locator('#field-name')).toBeEnabled()
  })
+
+  test('should completely block admin access', async () => {
+    const adminURL = `${serverURL}/admin`
+    await page.goto(adminURL)
+    await page.waitForURL(adminURL)
+
+    await expect(page.locator('.dashboard')).toBeVisible()
+
+    await page.goto(`${serverURL}/admin/logout`)
+    await page.waitForURL(`${serverURL}/admin/logout`)
+
+    await login({
+      page,
+      serverURL,
+      data: {
+        email: noAdminAccessEmail,
+        password: 'test',
+      },
+    })
+
+    await expect(page.locator('.next-error-h1')).toBeVisible()
+  })
 })

 // eslint-disable-next-line @typescript-eslint/require-await