Added e2e test checking integration access

refs https://github.com/TryGhost/Team/issues/2790

- The Self-Serve Integration should only be accessible to the Owner and Admin user roles; otherwise we risk an accidental, indirect increase in role permissions, since the Self-Serve Integration has permissions which editors/contributors don't have.
Naz 2023-03-24 11:23:42 +01:00
parent fe4e9897fc
commit 2231981880
2 changed files with 61 additions and 0 deletions


@ -0,0 +1,32 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`Integrations API As Administrator Can't see Self-Serve or any other integration 1: [body] 1`] = `
Object {
"errors": Array [
Object {
"code": null,
"context": "You do not have permission to browse integrations",
"details": null,
"ghostErrorCode": null,
"help": null,
"id": StringMatching /\\[a-f0-9\\]\\{8\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{12\\}/,
"message": "Permission error, cannot list integrations.",
"property": null,
"type": "NoPermissionError",
},
],
}
`;
exports[`Integrations API As Administrator Can't see Self-Serve or any other integration 2: [headers] 1`] = `
Object {
"access-control-allow-origin": "http://127.0.0.1:2369",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "280",
"content-type": "application/json; charset=utf-8",
"content-version": StringMatching /v\\\\d\\+\\\\\\.\\\\d\\+/,
"etag": StringMatching /\\(\\?:W\\\\/\\)\\?"\\(\\?:\\[ !#-\\\\x7E\\\\x80-\\\\xFF\\]\\*\\|\\\\r\\\\n\\[\\\\t \\]\\|\\\\\\\\\\.\\)\\*"/,
"vary": "Accept-Version, Origin, Accept-Encoding",
"x-powered-by": "Express",
}
`;


@ -4,6 +4,8 @@ const supertest = require('supertest');
const config = require('../../../core/shared/config');
const testUtils = require('../../utils');
const localUtils = require('./utils');
const {agentProvider, fixtureManager, matchers} = require('../../utils/e2e-framework');
const {anyEtag, anyErrorId, anyContentVersion} = matchers;
describe('Integrations API', function () {
let request;
@ -350,4 +352,31 @@ describe('Integrations API', function () {
editRes.body.errors[0].context.should.eql('Integration not found.');
});
describe('As Administrator', function () {
let agent;
before(async function () {
agent = await agentProvider.getAdminAPIAgent();
await fixtureManager.init('users', 'integrations');
await agent.loginAsContributor();
});
it('Can\'t see Self-Serve or any other integration', async function () {
await agent
.get('integrations')
.matchHeaderSnapshot({
'content-version': anyContentVersion,
etag: anyEtag
})
.matchBodySnapshot({
errors: [
{
id: anyErrorId
}
]
})
.expectStatus(403);
});
});
});
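Review bot: The new `describe('As Administrator', ...)` block is misnamed: its `before` hook calls `agent.loginAsContributor()`, so the `.expectStatus(403)` assertion exercises the Contributor role, while an actual administrator is the role the commit message says should be allowed through. Rename it, e.g. `describe('As Contributor', function () {`, and regenerate the snapshot file, whose `exports[...]` keys embed the describe title and would otherwise keep asserting the wrong role name. The commit description also lists editors as a role that must not gain integration access, yet only Contributor is checked here; if the e2e agent offers equivalent logins for the Editor and Author roles, a matching case for each would pin the intended Owner/Admin-only boundary rather than a single role. The enclosing `describe('Integrations API', ...)` block begins outside this hunk.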