reactioncommerce · aldeed · Jan 7, 2020 · Dec 19, 2019 · Dec 19, 2019 · Dec 19, 2019
diff --git a/src/core-services/settings/mutations/updateAppSettings.js b/src/core-services/settings/mutations/updateAppSettings.js
@@ -29,7 +29,12 @@ export default async function updateAppSettings(context, settingsUpdates, shopId
     if (allowedRoles.length === 0) {
       throw new ReactionError("access-denied", `You are not allowed to edit the "${updateKey}" setting`);
     }
-    await context.validatePermissions(`reaction:shops:${shopId}`, "update", { shopId, legacyRoles: allowedRoles }); // eslint-disable-line no-await-in-loop
+
+    if (shopId) {
+      await context.validatePermissions(`reaction:shops:${shopId}`, "update", { shopId, legacyRoles: allowedRoles }); // eslint-disable-line no-await-in-loop
+    } else {
+      await context.validatePermissions("reaction:shops", "update", { shopId: null, legacyRoles: allowedRoles }); // eslint-disable-line no-await-in-loop
+    }
   }
 
   const { value: updatedDoc } = await AppSettings.findOneAndUpdate(

diff --git a/src/core-services/settings/util/settingsConfig.js b/src/core-services/settings/util/settingsConfig.js
@@ -45,7 +45,7 @@ export function addShopSettingDefaults(settings) {
  * @returns {String[]} List of roles that can edit this setting.
  */
 export function rolesThatCanEditGlobalSetting(field) {
-  const config = globalSettingsSchema[field];
+  const config = globalSettingsConfig[field];
   if (!config) return [];
 
   return config.rolesThatCanEdit || [];

diff --git a/...ration/api/mutations/updateGlobalSettings/__snapshots__/updateGlobalSettings.test.js.snap b/...ration/api/mutations/updateGlobalSettings/__snapshots__/updateGlobalSettings.test.js.snap
@@ -0,0 +1,28 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`an anonymous user cannot  update global settings 1`] = `
+Array [
+  Object {
+    "extensions": Object {
+      "code": "FORBIDDEN",
+      "exception": Object {
+        "details": Object {},
+        "error": "access-denied",
+        "eventData": Object {},
+        "isClientSafe": true,
+        "reason": "Access Denied",
+      },
+    },
+    "locations": Array [
+      Object {
+        "column": 3,
+        "line": 2,
+      },
+    ],
+    "message": "Access Denied",
+    "path": Array [
+      "updateGlobalSettings",
+    ],
+  },
+]
+`;
diff --git a/tests/integration/api/mutations/updateGlobalSettings/updateGlobalSettings.graphql b/tests/integration/api/mutations/updateGlobalSettings/updateGlobalSettings.graphql
@@ -0,0 +1,7 @@
+mutation updateGlobalSettings($input: UpdateGlobalSettingsInput!) {
+  updateGlobalSettings(input: $input) {
+    globalSettings {
+      canSellDigitalProducts
+    }
+  }
+}
diff --git a/tests/integration/api/mutations/updateGlobalSettings/updateGlobalSettings.test.js b/tests/integration/api/mutations/updateGlobalSettings/updateGlobalSettings.test.js
@@ -0,0 +1,107 @@
+import importAsString from "@reactioncommerce/api-utils/importAsString.js";
+import Factory from "/tests/util/factory.js";
+import TestApp from "/tests/util/TestApp.js";
+
+const updateGlobalSettings = importAsString("./updateGlobalSettings.graphql");
+const TestGlobalSettingSchema = ` 
+  extend type GlobalSettings {
+    canSellDigitalProducts: Boolean
+  }
+
+  extend input GlobalSettingsUpdates {
+    canSellDigitalProducts: Boolean
+  }
+
+  extend input UpdateGlobalSettingsInput {
+    """
+    If true a shop can sell digital products
+    """
+    canSellDigitalProducts: Boolean
+  }
+`;
+
+jest.setTimeout(300000);
+
+const shopId = "123";
+const shopName = "Test Shop";
+let testApp;
+let globalSettingsMutation;
+
+const mockGlobalSetting = {
+  canSellDigitalProducts: false
+};
+
+const mockAdminAccount = Factory.Account.makeOne({
+  roles: {
+    __global_roles__: ["admin"] // eslint-disable-line camelcase
+  }
+});
+
+beforeAll(async () => {
+  testApp = new TestApp();
+
+  testApp.registerPlugin({
+    name: "testGlobalSetting",
+    graphQL: {
+      schemas: [TestGlobalSettingSchema]
+    },
+    globalSettingsConfig: {
+      canSellDigitalProducts: {
+        rolesThatCanEdit: ["admin"],
+        simpleSchema: {
+          type: Boolean
+        }
+      }
+    }
+  });
+
+  await testApp.start();
+  await testApp.insertPrimaryShop({ _id: shopId, name: shopName });
+  await testApp.createUserAndAccount(mockAdminAccount);
+  await testApp.collections.AppSettings.insertOne(mockGlobalSetting);
+  globalSettingsMutation = testApp.query(updateGlobalSettings);
+});
+
+afterAll(async () => {
+  await testApp.collections.AppSettings.deleteMany({});
+  await testApp.collections.Shops.deleteMany({});
+  await testApp.stop();
+});
+
+test("an anonymous user cannot  update global settings", async () => {
+  try {
+    await globalSettingsMutation({
+      input: {
+        settingsUpdates: {
+          canSellDigitalProducts: true
+        }
+      }
+    });
+  } catch (error) {
+    expect(error).toMatchSnapshot();
+  }
+});
+
+test("an admin user can  update global settings", async () => {
+  let result;
+  await testApp.setLoggedInUser(mockAdminAccount);
+  const settings = await testApp.collections.AppSettings.findOne({
+    canSellDigitalProducts: false
+  });
+  expect(settings.canSellDigitalProducts).toEqual(false);
+
+  try {
+    result = await globalSettingsMutation({
+      input: {
+        settingsUpdates: {
+          canSellDigitalProducts: true
+        }
+      }
+    });
+  } catch (error) {
+    expect(error).toBeUndefined();
+    return;
+  }
+
+  expect(result.updateGlobalSettings.globalSettings.canSellDigitalProducts).toEqual(true);
+});
diff --git a/tests/integration/api/queries/globalSettings/TestGlobalSettingSchema.graphql b/tests/integration/api/queries/globalSettings/TestGlobalSettingSchema.graphql
diff --git a/tests/integration/api/queries/globalSettings/globalSettings.test.js b/tests/integration/api/queries/globalSettings/globalSettings.test.js
@@ -2,7 +2,11 @@ import importAsString from "@reactioncommerce/api-utils/importAsString.js";
 import TestApp from "/tests/util/TestApp.js";
 
 const GlobalSettingsQuery = importAsString("./GlobalSettingsQuery.graphql");
-const TestGlobalSettingSchema = importAsString("./TestGlobalSettingSchema.graphql");
+const TestGlobalSettingSchema = `
+  extend type GlobalSettings {
+    canSellVariantWithoutInventory: Boolean
+  }
+`;
 
 jest.setTimeout(300000);
 

diff --git a/tests/util/TestApp.js b/tests/util/TestApp.js
@@ -40,7 +40,7 @@ class TestApp {
       ...user,
       roles: {
         ...(user.roles || {}),
-        __global_roles__: globalRoles || [] // eslint-disable-line camelcase
+        __global_roles__: ((user.roles || {}).__global_roles__ || []).concat(globalRoles || []) // eslint-disable-line camelcase
       },
       services: {
         resume: {
@@ -66,14 +66,17 @@ class TestApp {
     }
 
     // Set the hashed login token on the users document
-    await users.updateOne({ _id: user._id }, {
-      $push: {
-        "services.resume.loginTokens": {
-          hashedToken,
-          when: new Date()
+    await users.updateOne(
+      { _id: user._id },
+      {
+        $push: {
+          "services.resume.loginTokens": {
+            hashedToken,
+            when: new Date()
+          }
         }
       }
-    });
+    );
 
     this.userId = user._id;