add missing test for missing item

keystonejs · Oct 5, 2022 · be5e789 · be5e789
1 parent 2aacbc9
commit be5e789
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 13 deletions.
diff --git a/packages/core/src/lib/core/mutations/access-control.ts b/packages/core/src/lib/core/mutations/access-control.ts
@@ -11,16 +11,6 @@ import {
   UniquePrismaFilter,
 } from '../where-inputs';
 
-function cannotWithFilter(
-  operation: string,
-  list: InitialisedList,
-  uniqueWhere: UniquePrismaFilter
-) {
-  return `You cannot '${operation}' a ${list.listKey} with the filter ${JSON.stringify(
-    uniqueWhere
-  )} - it may not exist`;
-}
-
 function cannotForItemFields(operation: string, list: InitialisedList, fieldsDenied: string[]) {
   return `You cannot '${operation}' that ${
     list.listKey
@@ -43,7 +33,7 @@ async function getFilteredItem(
 ) {
   // early exit if they want to exclude everything
   if (accessFilters === false) {
-    throw accessDeniedError(cannotWithFilter(operation, list, uniqueWhere));
+    throw accessDeniedError(cannotForItem(operation, list));
   }
 
   // merge the filter access control and try to get the item
@@ -55,7 +45,7 @@ async function getFilteredItem(
   const item = await runWithPrisma(context, list, model => model.findFirst({ where }));
   if (item !== null) return item;
 
-  throw accessDeniedError(cannotWithFilter(operation, list, uniqueWhere));
+  throw accessDeniedError(cannotForItem(operation, list));
 }
 
 export async function checkUniqueItemExists(
@@ -73,7 +63,7 @@ export async function checkUniqueItemExists(
     if (item !== null) return uniqueWhere;
   } catch (err) {}
 
-  throw accessDeniedError(cannotWithFilter(operation, foreignList, uniqueWhere));
+  throw accessDeniedError(cannotForItem(operation, foreignList));
 }
 
 async function enforceListLevelAccessControl({

diff --git a/tests/api-tests/access-control/mutations-list-item.test.ts b/tests/api-tests/access-control/mutations-list-item.test.ts
@@ -12,6 +12,11 @@ const runner = setupTestRunner({
       User: list({
         access: {
           operation: allowAll,
+          filter: () => {
+            return {
+              name: { not: { equals: 'hidden' }  }
+            }
+          },
           item: {
             create: ({ inputData }) => {
               return inputData.name !== 'bad';
@@ -130,6 +135,31 @@ describe('Access control - Item', () => {
     })
   );
 
+  test(
+    'updateOne - Missing item',
+    runner(async ({ context }) => {
+      const user = await context.query.User.createOne({ data: { name: 'hidden' } });
+      const { data, errors } = await context.graphql.raw({
+        query: `mutation ($id: ID! $data: UserUpdateInput!) { updateUser(where: { id: $id }, data: $data) { id } }`,
+        variables: { id: user.id, data: { name: 'something else' } },
+      });
+
+      // Returns null and throws an error
+      expect(data).toEqual({ updateUser: null });
+      expectAccessDenied(errors, [
+        {
+          path: ['updateUser'],
+          msg: `You cannot 'update' that User - it may not exist`,
+        },
+      ]);
+
+      // should be unchanged
+      const userAgain = await context.sudo().db.User.findOne({ where: { id: user.id } });
+      expect(userAgain).not.toEqual(null);
+      expect(userAgain!.name).toEqual('hidden');
+    })
+  );
+
   test(
     'updateOne - Bad function return value',
     runner(async ({ context }) => {