added auth check for deleteRow

campudus · Aug 9, 2019 · 59ac6f5 · 59ac6f5
1 parent 06f342a
commit 59ac6f5
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/src/main/scala/com/campudus/tableaux/controller/TableauxController.scala b/src/main/scala/com/campudus/tableaux/controller/TableauxController.scala
@@ -338,6 +338,7 @@ class TableauxController(
     logger.info(s"deleteRow $tableId $rowId")
     for {
       table <- repository.retrieveTable(tableId)
+      _ <- roleModel.checkAuthorization(DeleteRow, ScopeTable, ComparisonObjects(table))
       _ <- repository.deleteRow(table, rowId)
     } yield EmptyObject()
   }

diff --git a/src/test/scala/com/campudus/tableaux/api/auth/TableauxControllerAuthTest.scala b/src/test/scala/com/campudus/tableaux/api/auth/TableauxControllerAuthTest.scala
@@ -717,4 +717,48 @@ class TableauxControllerAuthTest_row extends TableauxControllerAuthTest {
         assertEquals("column 1 and 2 are not changeable", new NoSuchElementException().getClass, ex2.getClass)
       }
     }
+
+  @Test
+  def deleteRow_notAuthorized_throwsException(implicit c: TestContext): Unit =
+    okTest {
+      val controller = createTableauxController()
+
+      for {
+        _ <- createTestTable()
+        ex1 <- controller.deleteRow(1, 1).recover({ case ex => ex })
+        ex2 <- controller.deleteRow(1, 2).recover({ case ex => ex })
+      } yield {
+        assertEquals(UnauthorizedException(DeleteRow, ScopeTable), ex1)
+        assertEquals(UnauthorizedException(DeleteRow, ScopeTable), ex2)
+      }
+    }
+
+  @Test
+  def deleteRow_authorized_ok(implicit c: TestContext): Unit =
+    okTest {
+      val roleModel = initRoleModel("""
+                                      |{
+                                      |  "create-rows": [
+                                      |    {
+                                      |      "type": "grant",
+                                      |      "action": ["deleteRow"],
+                                      |      "scope": "table",
+                                      |      "condition": {
+                                      |        "table": {
+                                      |          "name": ".*"
+                                      |        }
+                                      |      }
+                                      |    }
+                                      |  ]
+                                      |}""".stripMargin)
+
+      val controller = createTableauxController(roleModel)
+
+      for {
+        _ <- createTestTable()
+        _ <- controller.deleteRow(1, 1)
+        _ <- controller.deleteRow(1, 2)
+      } yield ()
+    }
+
 }