strapi/tests/api/plugins/users-permissions/graphql.test.api.js

'use strict';

// Helpers.
const { createStrapiInstance } = require('api-tests/strapi');
const { createAuthRequest, createRequest } = require('api-tests/request');

let strapi;
let authReq;

describe('Test Graphql user service', () => {
  beforeAll(async () => {
    strapi = await createStrapiInstance({ bypassAuth: false });
    authReq = await createAuthRequest({ strapi });
  });

  afterAll(async () => {
    await strapi.destroy();
  });

  describe('Check createUser authorizations', () => {
    test('createUser is forbidden to public', async () => {
      const rq = createRequest({ strapi });
      const res = await rq({
        url: '/graphql',
        method: 'POST',
        body: {
          query: /* GraphQL */ `
            mutation {
              createUsersPermissionsUser(
                data: { username: "test", email: "test", password: "test" }
              ) {
                data {
                  id
                  attributes {
                    username
                  }
                }
              }
            }
          `,
        },
      });

      expect(res.statusCode).toBe(200);
      expect(res.body).toMatchObject({
        data: null,
        errors: [
          {
            message: 'Forbidden access',
          },
        ],
      });
    });

    test('createUser is forbidden for admins', async () => {
      const res = await authReq({
        url: '/graphql',
        method: 'POST',
        body: {
          query: /* GraphQL */ `
            mutation {
              createUsersPermissionsUser(
                data: { username: "test", email: "test", password: "test" }
              ) {
                data {
                  id
                  attributes {
                    username
                  }
                }
              }
            }
          `,
        },
      });

      expect(res.statusCode).toBe(401);
      expect(res.body).toMatchObject({
        error: {
          status: 401,
          name: 'UnauthorizedError',
          message: 'Missing or invalid credentials',
          details: {},
        },
      });
    });
  });

  describe('Check updateUser authorizations', () => {
    test('updateUser is forbidden to public', async () => {
      const rq = createRequest({ strapi });
      const res = await rq({
        url: '/graphql',
        method: 'POST',
        body: {
          query: /* GraphQL */ `
            mutation {
              updateUsersPermissionsUser(
                id: 1
                data: { username: "test", email: "test", password: "test" }
              ) {
                data {
                  id
                  attributes {
                    username
                  }
                }
              }
            }
          `,
        },
      });

      expect(res.statusCode).toBe(200);
      expect(res.body).toMatchObject({
        data: null,
        errors: [
          {
            message: 'Forbidden access',
          },
        ],
      });
    });

    test('updateUser is forbidden for admins', async () => {
      const res = await authReq({
        url: '/graphql',
        method: 'POST',
        body: {
          query: /* GraphQL */ `
            mutation {
              updateUsersPermissionsUser(
                id: 1
                data: { username: "test", email: "test", password: "test" }
              ) {
                data {
                  id
                  attributes {
                    username
                  }
                }
              }
            }
          `,
        },
      });

      expect(res.statusCode).toBe(401);
      expect(res.body).toMatchObject({
        error: {
          status: 401,
          name: 'UnauthorizedError',
          message: 'Missing or invalid credentials',
          details: {},
        },
      });
    });

    describe('Check deleteUser authorizations', () => {
      test('deleteUser is forbidden to public', async () => {
        const rq = createRequest({ strapi });
        const res = await rq({
          url: '/graphql',
          method: 'POST',
          body: {
            query: /* GraphQL */ `
              mutation deleteUser {
                deleteUsersPermissionsUser(id: 1) {
                  data {
                    id
                    attributes {
                      username
                    }
                  }
                }
              }
            `,
          },
        });

        expect(res.statusCode).toBe(200);
        expect(res.body).toMatchObject({
          data: null,
          errors: [
            {
              message: 'Forbidden access',
            },
          ],
        });
      });

      test('deleteUser is authorized for admins', async () => {
        const res = await authReq({
          url: '/graphql',
          method: 'POST',
          body: {
            query: /* GraphQL */ `
              mutation deleteUser {
                deleteUsersPermissionsUser(id: 1) {
                  data {
                    id
                    attributes {
                      username
                    }
                  }
                }
              }
            `,
          },
        });

        expect(res.statusCode).toBe(401);
        expect(res.body).toMatchObject({
          error: {
            status: 401,
            name: 'UnauthorizedError',
            message: 'Missing or invalid credentials',
            details: {},
          },
        });
      });
    });
  });
});
Make lint stricter and fix the errors Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 11:27:17 +01:00			`'use strict';`

Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`// Helpers.`
Move api tests to root of repo with same structure (#16242) 2023-04-05 10:32:20 +02:00			`const { createStrapiInstance } = require('api-tests/strapi');`
			`const { createAuthRequest, createRequest } = require('api-tests/request');`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00
Add all missing e2e tests (draft) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-11-17 15:38:41 +01:00			`let strapi;`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`let authReq;`

			`describe('Test Graphql user service', () => {`
			`beforeAll(async () => {`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`strapi = await createStrapiInstance({ bypassAuth: false });`
Add all missing e2e tests (draft) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-11-17 15:38:41 +01:00			`authReq = await createAuthRequest({ strapi });`
Use a global timeout instead of redefining it everytime 2021-03-26 20:15:38 +01:00			`});`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00
Add all missing e2e tests (draft) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-11-17 15:38:41 +01:00			`afterAll(async () => {`
			`await strapi.destroy();`
			`});`

Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`describe('Check createUser authorizations', () => {`
			`test('createUser is forbidden to public', async () => {`
Add all missing e2e tests (draft) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-11-17 15:38:41 +01:00			`const rq = createRequest({ strapi });`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`const res = await rq({`
			`url: '/graphql',`
			`method: 'POST',`
			`body: {`
			query: /* GraphQL */ `
			`mutation {`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`createUsersPermissionsUser(`
			`data: { username: "test", email: "test", password: "test" }`
			`) {`
			`data {`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`id`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`attributes {`
			`username`
			`}`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`}`
			`}`
			`}`
			`,
			`},`
			`});`

			`expect(res.statusCode).toBe(200);`
			`expect(res.body).toMatchObject({`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`data: null,`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`errors: [`
			`{`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`message: 'Forbidden access',`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`},`
			`],`
			`});`
			`});`

Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`test('createUser is forbidden for admins', async () => {`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`const res = await authReq({`
			`url: '/graphql',`
			`method: 'POST',`
			`body: {`
			query: /* GraphQL */ `
			`mutation {`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`createUsersPermissionsUser(`
			`data: { username: "test", email: "test", password: "test" }`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`) {`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`data {`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`id`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`attributes {`
			`username`
			`}`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`}`
			`}`
			`}`
			`,
			`},`
			`});`

Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`expect(res.statusCode).toBe(401);`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`expect(res.body).toMatchObject({`
refactor error handling 2021-10-20 17:30:05 +02:00			`error: {`
			`status: 401,`
			`name: 'UnauthorizedError',`
			`message: 'Missing or invalid credentials',`
			`details: {},`
			`},`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`});`
			`});`
			`});`

			`describe('Check updateUser authorizations', () => {`
			`test('updateUser is forbidden to public', async () => {`
Add all missing e2e tests (draft) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-11-17 15:38:41 +01:00			`const rq = createRequest({ strapi });`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`const res = await rq({`
			`url: '/graphql',`
			`method: 'POST',`
			`body: {`
			query: /* GraphQL */ `
			`mutation {`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`updateUsersPermissionsUser(`
			`id: 1`
			`data: { username: "test", email: "test", password: "test" }`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`) {`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`data {`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`id`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`attributes {`
			`username`
			`}`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`}`
			`}`
			`}`
			`,
			`},`
			`});`

			`expect(res.statusCode).toBe(200);`
			`expect(res.body).toMatchObject({`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`data: null,`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`errors: [`
			`{`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`message: 'Forbidden access',`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`},`
			`],`
			`});`
			`});`

Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`test('updateUser is forbidden for admins', async () => {`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`const res = await authReq({`
			`url: '/graphql',`
			`method: 'POST',`
			`body: {`
			query: /* GraphQL */ `
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`mutation {`
			`updateUsersPermissionsUser(`
			`id: 1`
			`data: { username: "test", email: "test", password: "test" }`
			`) {`
			`data {`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`id`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`attributes {`
			`username`
			`}`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`}`
			`}`
			`}`
			`,
			`},`
			`});`

Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`expect(res.statusCode).toBe(401);`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`expect(res.body).toMatchObject({`
refactor error handling 2021-10-20 17:30:05 +02:00			`error: {`
			`status: 401,`
			`name: 'UnauthorizedError',`
			`message: 'Missing or invalid credentials',`
			`details: {},`
			`},`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`});`
			`});`

Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`describe('Check deleteUser authorizations', () => {`
			`test('deleteUser is forbidden to public', async () => {`
			`const rq = createRequest({ strapi });`
			`const res = await rq({`
			`url: '/graphql',`
			`method: 'POST',`
			`body: {`
			query: /* GraphQL */ `
			`mutation deleteUser {`
			`deleteUsersPermissionsUser(id: 1) {`
			`data {`
			`id`
			`attributes {`
			`username`
			`}`
			`}`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`}`
			`}`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`,
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`},`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`});`

			`expect(res.statusCode).toBe(200);`
			`expect(res.body).toMatchObject({`
			`data: null,`
			`errors: [`
			`{`
			`message: 'Forbidden access',`
			`},`
			`],`
			`});`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`});`

Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`test('deleteUser is authorized for admins', async () => {`
			`const res = await authReq({`
			`url: '/graphql',`
			`method: 'POST',`
			`body: {`
			query: /* GraphQL */ `
			`mutation deleteUser {`
			`deleteUsersPermissionsUser(id: 1) {`
			`data {`
			`id`
			`attributes {`
			`username`
			`}`
			`}`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`}`
			`}`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`,
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`},`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`});`

			`expect(res.statusCode).toBe(401);`
			`expect(res.body).toMatchObject({`
refactor error handling 2021-10-20 17:30:05 +02:00			`error: {`
			`status: 401,`
			`name: 'UnauthorizedError',`
			`message: 'Missing or invalid credentials',`
			`details: {},`
			`},`
Fix e2e test for UP, i18n & upload + various i18n fixes 2021-09-27 17:17:24 +02:00			`});`
Add tests on graphql upload and user perm graphql 2019-09-18 12:07:59 +02:00			`});`
			`});`
			`});`
			`});`