4a5f01a78f
Some checks failed
ci / changes (push) Has been cancelled
ci / lint (push) Has been cancelled
ci / build (push) Has been cancelled
ci / tests-unit (push) Has been cancelled
ci / tests-types (push) Has been cancelled
ci / int-cosmosdb (push) Has been cancelled
ci / int-documentdb (push) Has been cancelled
ci / int-firestore (push) Has been cancelled
ci / int-mongodb (push) Has been cancelled
ci / int-postgres (push) Has been cancelled
ci / int-postgres-custom-schema (push) Has been cancelled
ci / int-postgres-uuid (push) Has been cancelled
ci / int-sqlite (push) Has been cancelled
ci / int-sqlite-uuid (push) Has been cancelled
ci / int-supabase (push) Has been cancelled
ci / e2e-_community (push) Has been cancelled
ci / e2e-access-control (push) Has been cancelled
ci / e2e-admin-bar (push) Has been cancelled
ci / e2e-admin-root (push) Has been cancelled
ci / e2e-admin__e2e__document-view (push) Has been cancelled
ci / e2e-admin__e2e__general (push) Has been cancelled
ci / e2e-admin__e2e__list-view (push) Has been cancelled
ci / e2e-auth (push) Has been cancelled
ci / e2e-auth-basic (push) Has been cancelled
ci / e2e-bulk-edit (push) Has been cancelled
ci / e2e-field-error-states (push) Has been cancelled
ci / e2e-fields-relationship (push) Has been cancelled
ci / e2e-fields__collections__Array (push) Has been cancelled
ci / e2e-fields__collections__Blocks#config.blockreferences.ts (push) Has been cancelled
ci / e2e-fields__collections__Blocks (push) Has been cancelled
ci / e2e-fields__collections__Checkbox (push) Has been cancelled
ci / e2e-fields__collections__Collapsible (push) Has been cancelled
ci / e2e-fields__collections__ConditionalLogic (push) Has been cancelled
ci / e2e-fields__collections__CustomID (push) Has been cancelled
ci / e2e-fields__collections__Date (push) Has been cancelled
ci / e2e-fields__collections__Email (push) Has been cancelled
ci / e2e-fields__collections__Indexed (push) Has been cancelled
ci / e2e-fields__collections__JSON (push) Has been cancelled
ci / e2e-fields__collections__Number (push) Has been cancelled
ci / e2e-fields__collections__Point (push) Has been cancelled
ci / e2e-fields__collections__Radio (push) Has been cancelled
ci / e2e-fields__collections__Relationship (push) Has been cancelled
ci / e2e-fields__collections__Row (push) Has been cancelled
ci / e2e-fields__collections__Select (push) Has been cancelled
ci / e2e-fields__collections__Tabs (push) Has been cancelled
ci / e2e-fields__collections__Tabs2 (push) Has been cancelled
ci / e2e-fields__collections__Text (push) Has been cancelled
ci / e2e-fields__collections__UI (push) Has been cancelled
ci / e2e-fields__collections__Upload (push) Has been cancelled
ci / e2e-folders (push) Has been cancelled
ci / e2e-form-state (push) Has been cancelled
ci / e2e-group-by (push) Has been cancelled
ci / e2e-hooks (push) Has been cancelled
ci / e2e-i18n (push) Has been cancelled
ci / e2e-joins (push) Has been cancelled
ci / e2e-lexical__collections__LexicalHeadingFeature (push) Has been cancelled
ci / e2e-lexical__collections__LexicalJSXConverter (push) Has been cancelled
ci / e2e-lexical__collections__LexicalLinkFeature (push) Has been cancelled
ci / e2e-lexical__collections__Lexical__e2e__blocks#config.blockreferences.ts (push) Has been cancelled
ci / e2e-lexical__collections__Lexical__e2e__blocks (push) Has been cancelled
ci / e2e-lexical__collections__Lexical__e2e__main (push) Has been cancelled
ci / e2e-lexical__collections__OnDemandForm (push) Has been cancelled
ci / e2e-lexical__collections__RichText (push) Has been cancelled
ci / e2e-lexical__collections___LexicalFullyFeatured (push) Has been cancelled
ci / e2e-lexical__collections___LexicalFullyFeatured__db (push) Has been cancelled
ci / e2e-live-preview (push) Has been cancelled
ci / e2e-localization (push) Has been cancelled
ci / e2e-locked-documents (push) Has been cancelled
ci / e2e-plugin-cloud-storage (push) Has been cancelled
ci / e2e-plugin-form-builder (push) Has been cancelled
ci / e2e-plugin-import-export (push) Has been cancelled
ci / e2e-plugin-multi-tenant (push) Has been cancelled
ci / e2e-plugin-nested-docs (push) Has been cancelled
ci / e2e-plugin-seo (push) Has been cancelled
ci / e2e-query-presets (push) Has been cancelled
ci / e2e-sort (push) Has been cancelled
ci / e2e-trash (push) Has been cancelled
ci / e2e-uploads (push) Has been cancelled
ci / e2e-versions (push) Has been cancelled
ci / e2e-turbo-_community (push) Has been cancelled
ci / e2e-turbo-access-control (push) Has been cancelled
ci / e2e-turbo-admin-bar (push) Has been cancelled
ci / e2e-turbo-admin-root (push) Has been cancelled
ci / e2e-turbo-admin__e2e__document-view (push) Has been cancelled
ci / e2e-turbo-admin__e2e__general (push) Has been cancelled
ci / e2e-turbo-admin__e2e__list-view (push) Has been cancelled
ci / e2e-turbo-auth (push) Has been cancelled
ci / e2e-turbo-auth-basic (push) Has been cancelled
ci / e2e-turbo-bulk-edit (push) Has been cancelled
ci / e2e-turbo-field-error-states (push) Has been cancelled
ci / e2e-turbo-fields-relationship (push) Has been cancelled
ci / e2e-turbo-fields__collections__Array (push) Has been cancelled
ci / e2e-turbo-fields__collections__Blocks#config.blockreferences.ts (push) Has been cancelled
ci / e2e-turbo-fields__collections__Blocks (push) Has been cancelled
ci / e2e-turbo-fields__collections__Checkbox (push) Has been cancelled
ci / e2e-turbo-fields__collections__Collapsible (push) Has been cancelled
ci / e2e-turbo-fields__collections__ConditionalLogic (push) Has been cancelled
ci / e2e-turbo-fields__collections__CustomID (push) Has been cancelled
ci / e2e-turbo-fields__collections__Date (push) Has been cancelled
ci / e2e-turbo-fields__collections__Email (push) Has been cancelled
ci / e2e-turbo-fields__collections__Indexed (push) Has been cancelled
ci / e2e-turbo-fields__collections__JSON (push) Has been cancelled
ci / e2e-turbo-fields__collections__Number (push) Has been cancelled
ci / e2e-turbo-fields__collections__Point (push) Has been cancelled
ci / e2e-turbo-fields__collections__Radio (push) Has been cancelled
ci / e2e-turbo-fields__collections__Relationship (push) Has been cancelled
ci / e2e-turbo-fields__collections__Row (push) Has been cancelled
ci / e2e-turbo-fields__collections__Select (push) Has been cancelled
ci / e2e-turbo-fields__collections__Tabs (push) Has been cancelled
ci / e2e-turbo-fields__collections__Tabs2 (push) Has been cancelled
ci / e2e-turbo-fields__collections__Text (push) Has been cancelled
ci / e2e-turbo-fields__collections__UI (push) Has been cancelled
ci / e2e-turbo-fields__collections__Upload (push) Has been cancelled
ci / e2e-turbo-folders (push) Has been cancelled
ci / e2e-turbo-form-state (push) Has been cancelled
ci / e2e-turbo-group-by (push) Has been cancelled
ci / e2e-turbo-hooks (push) Has been cancelled
ci / e2e-turbo-i18n (push) Has been cancelled
ci / e2e-turbo-joins (push) Has been cancelled
ci / e2e-turbo-lexical__collections__LexicalHeadingFeature (push) Has been cancelled
ci / e2e-turbo-lexical__collections__LexicalJSXConverter (push) Has been cancelled
ci / e2e-turbo-lexical__collections__LexicalLinkFeature (push) Has been cancelled
ci / e2e-turbo-lexical__collections__Lexical__e2e__blocks#config.blockreferences.ts (push) Has been cancelled
ci / e2e-turbo-lexical__collections__Lexical__e2e__blocks (push) Has been cancelled
ci / e2e-turbo-lexical__collections__Lexical__e2e__main (push) Has been cancelled
ci / e2e-turbo-lexical__collections__OnDemandForm (push) Has been cancelled
ci / e2e-turbo-lexical__collections__RichText (push) Has been cancelled
ci / e2e-turbo-lexical__collections___LexicalFullyFeatured (push) Has been cancelled
ci / e2e-turbo-lexical__collections___LexicalFullyFeatured__db (push) Has been cancelled
ci / e2e-turbo-live-preview (push) Has been cancelled
ci / e2e-turbo-localization (push) Has been cancelled
ci / e2e-turbo-locked-documents (push) Has been cancelled
ci / e2e-turbo-plugin-cloud-storage (push) Has been cancelled
ci / e2e-turbo-plugin-form-builder (push) Has been cancelled
ci / e2e-turbo-plugin-import-export (push) Has been cancelled
ci / e2e-turbo-plugin-multi-tenant (push) Has been cancelled
ci / e2e-turbo-plugin-nested-docs (push) Has been cancelled
ci / e2e-turbo-plugin-seo (push) Has been cancelled
ci / e2e-turbo-query-presets (push) Has been cancelled
ci / e2e-turbo-sort (push) Has been cancelled
ci / e2e-turbo-trash (push) Has been cancelled
ci / e2e-turbo-uploads (push) Has been cancelled
ci / e2e-turbo-versions (push) Has been cancelled
ci / build-template-blank-mongodb (push) Has been cancelled
ci / build-template-website-mongodb (push) Has been cancelled
ci / build-template-with-payload-cloud-mongodb (push) Has been cancelled
ci / build-template-with-vercel-mongodb-mongodb (push) Has been cancelled
ci / build-template-plugin- (push) Has been cancelled
ci / build-template-with-postgres-postgres (push) Has been cancelled
ci / build-template-with-vercel-postgres-postgres (push) Has been cancelled
ci / tests-type-generation (push) Has been cancelled
ci / All Green (push) Has been cancelled
ci / Publish Canary (push) Has been cancelled
ci / analyze (push) Has been cancelled
publish-prerelease / publish-prerelease-${{ github.ref_name }}-${{ github.sha }} (push) Has been cancelled
lock-issues / lock_issues (push) Has been cancelled
stale / stale (push) Has been cancelled
audit-dependencies / audit (push) Has been cancelled
activity-notifications / run (push) Has been cancelled
745 lines
21 KiB
TypeScript
745 lines
21 KiB
TypeScript
import type { NextRESTClient } from 'helpers/NextRESTClient.js'
|
|
import type {
|
|
CollectionSlug,
|
|
DataFromCollectionSlug,
|
|
Payload,
|
|
PayloadRequest,
|
|
RequiredDataFromCollectionSlug,
|
|
} from 'tbsh-cms'
|
|
|
|
import path from 'path'
|
|
import { Forbidden, ValidationError } from 'tbsh-cms'
|
|
import { fileURLToPath } from 'url'
|
|
|
|
import type { FullyRestricted, Post } from './payload-types.js'
|
|
|
|
import { initPayloadInt } from '../helpers/initPayloadInt.js'
|
|
import { requestHeaders } from './config.js'
|
|
import {
|
|
firstArrayText,
|
|
fullyRestrictedSlug,
|
|
hiddenAccessCountSlug,
|
|
hiddenAccessSlug,
|
|
hiddenFieldsSlug,
|
|
hooksSlug,
|
|
relyOnRequestHeadersSlug,
|
|
restrictedVersionsSlug,
|
|
secondArrayText,
|
|
siblingDataSlug,
|
|
slug,
|
|
} from './shared.js'
|
|
|
|
let payload: Payload
|
|
let restClient: NextRESTClient
|
|
const filename = fileURLToPath(import.meta.url)
|
|
const dirname = path.dirname(filename)
|
|
describe('Access Control', () => {
|
|
let post1: Post
|
|
let restricted: FullyRestricted
|
|
|
|
beforeAll(async () => {
|
|
;({ payload, restClient } = await initPayloadInt(dirname))
|
|
})
|
|
|
|
beforeEach(async () => {
|
|
post1 = await payload.create({
|
|
collection: slug,
|
|
data: {},
|
|
})
|
|
|
|
restricted = await payload.create({
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: 'restricted' },
|
|
})
|
|
})
|
|
|
|
afterAll(async () => {
|
|
await payload.destroy()
|
|
})
|
|
|
|
describe('Fields', () => {
|
|
it('should not affect hidden fields when patching data', async () => {
|
|
const doc = await payload.create({
|
|
collection: hiddenFieldsSlug,
|
|
data: {
|
|
partiallyHiddenArray: [
|
|
{
|
|
name: 'public_name',
|
|
value: 'private_value',
|
|
},
|
|
],
|
|
partiallyHiddenGroup: {
|
|
name: 'public_name',
|
|
value: 'private_value',
|
|
},
|
|
},
|
|
})
|
|
|
|
await payload.update({
|
|
id: doc.id,
|
|
collection: hiddenFieldsSlug,
|
|
data: {
|
|
title: 'Doc Title',
|
|
},
|
|
})
|
|
|
|
const updatedDoc = await payload.findByID({
|
|
id: doc.id,
|
|
collection: hiddenFieldsSlug,
|
|
showHiddenFields: true,
|
|
})
|
|
|
|
expect(updatedDoc.partiallyHiddenGroup.value).toStrictEqual('private_value')
|
|
expect(updatedDoc.partiallyHiddenArray[0].value).toStrictEqual('private_value')
|
|
})
|
|
|
|
it('should not affect hidden fields when patching data - update many', async () => {
|
|
const docsMany = await payload.create({
|
|
collection: hiddenFieldsSlug,
|
|
data: {
|
|
partiallyHiddenArray: [
|
|
{
|
|
name: 'public_name',
|
|
value: 'private_value',
|
|
},
|
|
],
|
|
partiallyHiddenGroup: {
|
|
name: 'public_name',
|
|
value: 'private_value',
|
|
},
|
|
},
|
|
})
|
|
|
|
await payload.update({
|
|
collection: hiddenFieldsSlug,
|
|
data: {
|
|
title: 'Doc Title',
|
|
},
|
|
where: {
|
|
id: { equals: docsMany.id },
|
|
},
|
|
})
|
|
|
|
const updatedMany = await payload.findByID({
|
|
id: docsMany.id,
|
|
collection: hiddenFieldsSlug,
|
|
showHiddenFields: true,
|
|
})
|
|
|
|
expect(updatedMany.partiallyHiddenGroup.value).toStrictEqual('private_value')
|
|
expect(updatedMany.partiallyHiddenArray[0].value).toStrictEqual('private_value')
|
|
})
|
|
|
|
it('should be able to restrict access based upon siblingData', async () => {
|
|
const { id } = await payload.create({
|
|
collection: siblingDataSlug,
|
|
data: {
|
|
array: [
|
|
{
|
|
allowPublicReadability: true,
|
|
text: firstArrayText,
|
|
},
|
|
{
|
|
allowPublicReadability: false,
|
|
text: secondArrayText,
|
|
},
|
|
],
|
|
},
|
|
})
|
|
|
|
const doc = await payload.findByID({
|
|
id,
|
|
collection: siblingDataSlug,
|
|
overrideAccess: false,
|
|
})
|
|
|
|
expect(doc.array?.[0].text).toBe(firstArrayText)
|
|
// Should respect PublicReadabilityAccess function and not be sent
|
|
expect(doc.array?.[1].text).toBeUndefined()
|
|
|
|
// Retrieve with default of overriding access
|
|
const docOverride = await payload.findByID({
|
|
id,
|
|
collection: siblingDataSlug,
|
|
})
|
|
|
|
expect(docOverride.array?.[0].text).toBe(firstArrayText)
|
|
expect(docOverride.array?.[1].text).toBe(secondArrayText)
|
|
})
|
|
|
|
it('should use fallback value when trying to update a field without permission', async () => {
|
|
const doc = await payload.create({
|
|
collection: hooksSlug,
|
|
data: {
|
|
cannotMutateRequired: 'original',
|
|
},
|
|
})
|
|
|
|
const updatedDoc = await payload.update({
|
|
id: doc.id,
|
|
collection: hooksSlug,
|
|
overrideAccess: false,
|
|
data: {
|
|
cannotMutateRequired: 'new',
|
|
canMutate: 'canMutate',
|
|
},
|
|
})
|
|
|
|
expect(updatedDoc.cannotMutateRequired).toBe('original')
|
|
})
|
|
|
|
it('should use fallback value when required data is missing', async () => {
|
|
const doc = await payload.create({
|
|
collection: hooksSlug,
|
|
data: {
|
|
cannotMutateRequired: 'original',
|
|
},
|
|
})
|
|
|
|
const updatedDoc = await payload.update({
|
|
id: doc.id,
|
|
collection: hooksSlug,
|
|
overrideAccess: false,
|
|
data: {
|
|
canMutate: 'canMutate',
|
|
},
|
|
})
|
|
|
|
// should fallback to original data and not throw validation error
|
|
expect(updatedDoc.cannotMutateRequired).toBe('original')
|
|
})
|
|
|
|
it('should pass fallback value through to beforeChange hook when access returns false', async () => {
|
|
const doc = await payload.create({
|
|
collection: hooksSlug,
|
|
data: {
|
|
cannotMutateRequired: 'cannotMutateRequired',
|
|
cannotMutateNotRequired: 'cannotMutateNotRequired',
|
|
},
|
|
})
|
|
|
|
const updatedDoc = await payload.update({
|
|
id: doc.id,
|
|
collection: hooksSlug,
|
|
overrideAccess: false,
|
|
data: {
|
|
cannotMutateNotRequired: 'updated',
|
|
},
|
|
})
|
|
|
|
// should fallback to original data and not throw validation error
|
|
expect(updatedDoc.cannotMutateRequired).toBe('cannotMutateRequired')
|
|
expect(updatedDoc.cannotMutateNotRequired).toBe('cannotMutateNotRequired')
|
|
})
|
|
|
|
it('should not return default values for hidden fields with values', async () => {
|
|
const doc = await payload.create({
|
|
collection: hiddenFieldsSlug,
|
|
data: {
|
|
title: 'Test Title',
|
|
},
|
|
showHiddenFields: true,
|
|
})
|
|
|
|
expect(doc.hiddenWithDefault).toBe('default value')
|
|
|
|
const findDoc2 = await payload.findByID({
|
|
id: doc.id,
|
|
collection: hiddenFieldsSlug,
|
|
overrideAccess: false,
|
|
})
|
|
|
|
expect(findDoc2.hiddenWithDefault).toBeUndefined()
|
|
})
|
|
})
|
|
describe('Collections', () => {
|
|
describe('restricted collection', () => {
|
|
it('field without read access should not show', async () => {
|
|
const { id } = await createDoc({ restrictedField: 'restricted' })
|
|
|
|
const retrievedDoc = await payload.findByID({ id, collection: slug, overrideAccess: false })
|
|
|
|
expect(retrievedDoc.restrictedField).toBeUndefined()
|
|
})
|
|
|
|
it('should error when querying field without read access', async () => {
|
|
const { id } = await createDoc({ restrictedField: 'restricted' })
|
|
|
|
await expect(
|
|
async () =>
|
|
await payload.find({
|
|
collection: slug,
|
|
overrideAccess: false,
|
|
where: {
|
|
and: [
|
|
{
|
|
id: { equals: id },
|
|
},
|
|
{
|
|
restrictedField: {
|
|
equals: 'restricted',
|
|
},
|
|
},
|
|
],
|
|
},
|
|
}),
|
|
).rejects.toThrow('The following path cannot be queried: restrictedField')
|
|
})
|
|
|
|
it('should respect access control for join request where queries of relationship properties', async () => {
|
|
const post = await createDoc({})
|
|
await createDoc({ post: post.id, name: 'test' }, 'relation-restricted')
|
|
await expect(
|
|
async () =>
|
|
await payload.find({
|
|
collection: 'relation-restricted',
|
|
overrideAccess: false,
|
|
where: {
|
|
'post.restrictedField': {
|
|
equals: 'restricted',
|
|
},
|
|
},
|
|
}),
|
|
).rejects.toThrow('The following path cannot be queried: restrictedField')
|
|
})
|
|
|
|
it('field without read access should not show when overrideAccess: true', async () => {
|
|
const { id, restrictedField } = await createDoc({ restrictedField: 'restricted' })
|
|
|
|
const retrievedDoc = await payload.findByID({ id, collection: slug, overrideAccess: true })
|
|
|
|
expect(retrievedDoc.restrictedField).toStrictEqual(restrictedField)
|
|
})
|
|
|
|
it('field without read access should not show when overrideAccess default', async () => {
|
|
const { id, restrictedField } = await createDoc({ restrictedField: 'restricted' })
|
|
|
|
const retrievedDoc = await payload.findByID({ id, collection: slug })
|
|
|
|
expect(retrievedDoc.restrictedField).toStrictEqual(restrictedField)
|
|
})
|
|
})
|
|
describe('non-enumerated request properties passed to access control', () => {
|
|
it('access control ok when passing request headers', async () => {
|
|
const req = {
|
|
headers: requestHeaders,
|
|
} as PayloadRequest
|
|
const name = 'name'
|
|
const overrideAccess = false
|
|
|
|
const { id } = await createDoc({ name }, relyOnRequestHeadersSlug, {
|
|
overrideAccess,
|
|
req,
|
|
})
|
|
const docById = await payload.findByID({
|
|
id,
|
|
collection: relyOnRequestHeadersSlug,
|
|
overrideAccess,
|
|
req,
|
|
})
|
|
const { docs: docsByName } = await payload.find({
|
|
collection: relyOnRequestHeadersSlug,
|
|
overrideAccess,
|
|
req,
|
|
where: {
|
|
name: {
|
|
equals: name,
|
|
},
|
|
},
|
|
})
|
|
|
|
expect(docById).not.toBeUndefined()
|
|
expect(docsByName.length).toBeGreaterThan(0)
|
|
})
|
|
|
|
it('access control fails when omitting request headers', async () => {
|
|
const name = 'name'
|
|
const overrideAccess = false
|
|
|
|
await expect(() =>
|
|
createDoc({ name }, relyOnRequestHeadersSlug, {
|
|
overrideAccess,
|
|
}),
|
|
).rejects.toThrow(Forbidden)
|
|
const { id } = await createDoc({ name }, relyOnRequestHeadersSlug)
|
|
|
|
await expect(() =>
|
|
payload.findByID({ id, collection: relyOnRequestHeadersSlug, overrideAccess }),
|
|
).rejects.toThrow(Forbidden)
|
|
|
|
await expect(() =>
|
|
payload.find({
|
|
collection: relyOnRequestHeadersSlug,
|
|
overrideAccess,
|
|
where: {
|
|
name: {
|
|
equals: name,
|
|
},
|
|
},
|
|
}),
|
|
).rejects.toThrow(Forbidden)
|
|
})
|
|
})
|
|
})
|
|
|
|
describe('Override Access', () => {
|
|
describe('Fields', () => {
|
|
it('should allow overrideAccess: false', async () => {
|
|
const req = async () =>
|
|
await payload.update({
|
|
id: post1.id,
|
|
collection: slug,
|
|
data: { restrictedField: restricted.id },
|
|
overrideAccess: false, // this should respect access control
|
|
})
|
|
|
|
await expect(req).rejects.toThrow(Forbidden)
|
|
})
|
|
|
|
it('should allow overrideAccess: true', async () => {
|
|
const doc = await payload.update({
|
|
id: post1.id,
|
|
collection: slug,
|
|
data: { restrictedField: restricted.id },
|
|
overrideAccess: true, // this should override access control
|
|
})
|
|
|
|
expect(doc).toMatchObject({ id: post1.id })
|
|
})
|
|
|
|
it('should allow overrideAccess by default', async () => {
|
|
const doc = await payload.update({
|
|
id: post1.id,
|
|
collection: slug,
|
|
data: { restrictedField: restricted.id },
|
|
})
|
|
|
|
expect(doc).toMatchObject({ id: post1.id })
|
|
})
|
|
|
|
it('should allow overrideAccess: false - update many', async () => {
|
|
const req = async () =>
|
|
await payload.update({
|
|
collection: slug,
|
|
data: { restrictedField: restricted.id },
|
|
overrideAccess: false, // this should respect access control
|
|
where: {
|
|
id: { equals: post1.id },
|
|
},
|
|
})
|
|
|
|
await expect(req).rejects.toThrow(Forbidden)
|
|
})
|
|
|
|
it('should allow overrideAccess: true - update many', async () => {
|
|
const doc = await payload.update({
|
|
collection: slug,
|
|
data: { restrictedField: restricted.id },
|
|
overrideAccess: true, // this should override access control
|
|
where: {
|
|
id: { equals: post1.id },
|
|
},
|
|
})
|
|
|
|
expect(doc.docs[0]).toMatchObject({ id: post1.id })
|
|
})
|
|
|
|
it('should allow overrideAccess by default - update many', async () => {
|
|
const doc = await payload.update({
|
|
collection: slug,
|
|
data: { restrictedField: restricted.id },
|
|
where: {
|
|
id: { equals: post1.id },
|
|
},
|
|
})
|
|
|
|
expect(doc.docs[0]).toMatchObject({ id: post1.id })
|
|
})
|
|
})
|
|
|
|
describe('Collections', () => {
|
|
const updatedName = 'updated'
|
|
|
|
it('should allow overrideAccess: false', async () => {
|
|
const req = async () =>
|
|
await payload.update({
|
|
id: restricted.id,
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: updatedName },
|
|
overrideAccess: false, // this should respect access control
|
|
})
|
|
|
|
await expect(req).rejects.toThrow(Forbidden)
|
|
})
|
|
|
|
it('should allow overrideAccess: true', async () => {
|
|
const doc = await payload.update({
|
|
id: restricted.id,
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: updatedName },
|
|
overrideAccess: true, // this should override access control
|
|
})
|
|
|
|
expect(doc).toMatchObject({ id: restricted.id, name: updatedName })
|
|
})
|
|
|
|
it('should allow overrideAccess by default', async () => {
|
|
const doc = await payload.update({
|
|
id: restricted.id,
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: updatedName },
|
|
})
|
|
|
|
expect(doc).toMatchObject({ id: restricted.id, name: updatedName })
|
|
})
|
|
|
|
it('should allow overrideAccess: false - update many', async () => {
|
|
const req = async () =>
|
|
await payload.update({
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: updatedName },
|
|
overrideAccess: false, // this should respect access control
|
|
where: {
|
|
id: { equals: restricted.id },
|
|
},
|
|
})
|
|
|
|
await expect(req).rejects.toThrow(Forbidden)
|
|
})
|
|
|
|
it('should allow overrideAccess: true - update many', async () => {
|
|
const doc = await payload.update({
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: updatedName },
|
|
overrideAccess: true, // this should override access control
|
|
where: {
|
|
id: { equals: restricted.id },
|
|
},
|
|
})
|
|
|
|
expect(doc.docs[0]).toMatchObject({ id: restricted.id, name: updatedName })
|
|
})
|
|
|
|
it('should allow overrideAccess by default - update many', async () => {
|
|
const doc = await payload.update({
|
|
collection: fullyRestrictedSlug,
|
|
data: { name: updatedName },
|
|
where: {
|
|
id: { equals: restricted.id },
|
|
},
|
|
})
|
|
|
|
expect(doc.docs[0]).toMatchObject({ id: restricted.id, name: updatedName })
|
|
})
|
|
})
|
|
})
|
|
|
|
describe('Querying', () => {
|
|
it('should respect query constraint using hidden field', async () => {
|
|
await payload.create({
|
|
collection: hiddenAccessSlug,
|
|
data: {
|
|
title: 'hello',
|
|
},
|
|
})
|
|
|
|
await payload.create({
|
|
collection: hiddenAccessSlug,
|
|
data: {
|
|
hidden: true,
|
|
title: 'hello',
|
|
},
|
|
})
|
|
|
|
const { docs } = await payload.find({
|
|
collection: hiddenAccessSlug,
|
|
overrideAccess: false,
|
|
})
|
|
|
|
expect(docs).toHaveLength(1)
|
|
})
|
|
|
|
it('should respect query constraint using hidden field on count', async () => {
|
|
await payload.create({
|
|
collection: hiddenAccessCountSlug,
|
|
data: {
|
|
title: 'hello',
|
|
},
|
|
})
|
|
|
|
await payload.create({
|
|
collection: hiddenAccessCountSlug,
|
|
data: {
|
|
hidden: true,
|
|
title: 'hello',
|
|
},
|
|
})
|
|
|
|
const { totalDocs } = await payload.count({
|
|
collection: hiddenAccessCountSlug,
|
|
overrideAccess: false,
|
|
})
|
|
|
|
expect(totalDocs).toBe(1)
|
|
})
|
|
|
|
it('should respect query constraint using hidden field on versions', async () => {
|
|
await payload.create({
|
|
collection: restrictedVersionsSlug,
|
|
data: {
|
|
name: 'match',
|
|
hidden: true,
|
|
},
|
|
})
|
|
|
|
await payload.create({
|
|
collection: restrictedVersionsSlug,
|
|
data: {
|
|
name: 'match',
|
|
hidden: false,
|
|
},
|
|
})
|
|
|
|
const { docs } = await payload.findVersions({
|
|
collection: restrictedVersionsSlug,
|
|
overrideAccess: false,
|
|
where: {
|
|
'version.name': { equals: 'match' },
|
|
},
|
|
})
|
|
|
|
expect(docs).toHaveLength(1)
|
|
})
|
|
|
|
it('should ignore false access on query constraint added by top collection level access control', async () => {
|
|
await payload.create({
|
|
collection: 'fields-and-top-access',
|
|
data: { secret: 'will-fail-access-read' },
|
|
})
|
|
const { id: hitID } = await payload.create({
|
|
collection: 'fields-and-top-access',
|
|
data: { secret: 'will-success-access-read' },
|
|
})
|
|
await payload.create({
|
|
collection: 'fields-and-top-access',
|
|
data: { secret: 'will-fail-access-read' },
|
|
})
|
|
|
|
// assert find, only will-success should be in the result
|
|
const resFind = await payload.find({
|
|
overrideAccess: false,
|
|
collection: 'fields-and-top-access',
|
|
})
|
|
expect(resFind.docs[0].id).toBe(hitID)
|
|
expect(resFind.docs).toHaveLength(1)
|
|
|
|
// assert find draft: true
|
|
const resFindDraft = await payload.find({
|
|
draft: true,
|
|
overrideAccess: false,
|
|
collection: 'fields-and-top-access',
|
|
})
|
|
|
|
expect(resFindDraft.docs).toHaveLength(1)
|
|
expect(resFind.docs[0].id).toBe(hitID)
|
|
|
|
// assert findByID
|
|
const res = await payload.findByID({
|
|
id: hitID,
|
|
collection: 'fields-and-top-access',
|
|
overrideAccess: false,
|
|
})
|
|
|
|
expect(res).toBeTruthy()
|
|
})
|
|
|
|
it('should ignore false access in versions on query constraint added by top collection level access control', async () => {
|
|
// clean up
|
|
await payload.delete({ collection: 'fields-and-top-access', where: {} })
|
|
|
|
await payload.create({
|
|
collection: 'fields-and-top-access',
|
|
data: { secret: 'will-fail-access-read' },
|
|
})
|
|
const { id: hitID } = await payload.create({
|
|
collection: 'fields-and-top-access',
|
|
data: { secret: 'will-success-access-read' },
|
|
})
|
|
await payload.create({
|
|
collection: 'fields-and-top-access',
|
|
data: { secret: 'will-fail-access-read' },
|
|
})
|
|
|
|
// Assert findVersions only will-success should be in the result
|
|
const resFind = await payload.findVersions({
|
|
overrideAccess: false,
|
|
collection: 'fields-and-top-access',
|
|
})
|
|
expect(resFind.docs).toHaveLength(1)
|
|
|
|
const version = resFind.docs[0]
|
|
expect(version.parent).toBe(hitID)
|
|
|
|
// Assert findVersionByID
|
|
const res = await payload.findVersionByID({
|
|
id: version.id,
|
|
collection: 'fields-and-top-access',
|
|
overrideAccess: false,
|
|
})
|
|
|
|
expect(res).toBeTruthy()
|
|
})
|
|
})
|
|
|
|
describe('Auth - Local API', () => {
|
|
it('should not allow reset password if forgotPassword expiration token is expired', async () => {
|
|
// Mock Date.now() to simulate the forgotPassword call happening 1 hour ago (default is 1 hour)
|
|
const originalDateNow = Date.now
|
|
const mockDateNow = jest.spyOn(Date, 'now').mockImplementation(() => {
|
|
// Move the current time back by 1 hour
|
|
return originalDateNow() - 60 * 60 * 1000
|
|
})
|
|
|
|
let forgot
|
|
try {
|
|
// Call forgotPassword while the mocked Date.now() is active
|
|
forgot = await payload.forgotPassword({
|
|
collection: 'users',
|
|
data: {
|
|
email: 'dev@payloadcms.com',
|
|
},
|
|
})
|
|
} finally {
|
|
// Restore the original Date.now() after the forgotPassword call
|
|
mockDateNow.mockRestore()
|
|
}
|
|
|
|
// Attempt to reset password, which should fail because the token is expired
|
|
await expect(
|
|
payload.resetPassword({
|
|
collection: 'users',
|
|
data: {
|
|
password: 'test',
|
|
token: forgot,
|
|
},
|
|
overrideAccess: true,
|
|
}),
|
|
).rejects.toThrow('Token is either invalid or has expired.')
|
|
})
|
|
})
|
|
})
|
|
|
|
async function createDoc<TSlug extends CollectionSlug = 'posts'>(
|
|
data: RequiredDataFromCollectionSlug<TSlug>,
|
|
overrideSlug?: TSlug,
|
|
options?: Partial<Parameters<Payload['create']>[0]>,
|
|
): Promise<DataFromCollectionSlug<TSlug>> {
|
|
// @ts-expect-error
|
|
return await payload.create({
|
|
...options,
|
|
collection: overrideSlug ?? slug,
|
|
// @ts-expect-error
|
|
data: data ?? {},
|
|
})
|
|
}
|