Don't require token if enableAccessToken is disabled and the resource…

… is not write protected.
salesforce · Aug 18, 2017 · 49f801d · 49f801d
1 parent ac8db62
commit 49f801d
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 4 deletions.
diff --git a/api/v1/helpers/verbs/utils.js b/api/v1/helpers/verbs/utils.js
@@ -182,18 +182,25 @@ function isWritable(req, modelInst) {
       jwtUtil.getTokenDetailsFromRequest(req)
       .then((resObj) => modelInst.isWritableBy(resObj.username))
       .then((ok) => ok ? resolve(modelInst) :
-          reject(new apiErrors.ForbiddenError())
+        reject(new apiErrors.ForbiddenError(
+          'Resource not writable for provided token'))
       )
       .catch((err) => reject(err));
     } else if (req.user) {
       // try to use the logged-in user
       modelInst.isWritableBy(req.user.name)
       .then((ok) => ok ? resolve(modelInst) :
-          reject(new apiErrors.ForbiddenError())
+        reject(new apiErrors.ForbiddenError(
+          'Resource not writable by this user'))
       )
       .catch((err) => reject(err));
     } else {
-      reject(new apiErrors.ForbiddenError());
+      // check if isWritable by default (no writers)
+      modelInst.isWritableBy()
+      .then((ok) => ok ? resolve(modelInst) :
+        reject(new apiErrors.ForbiddenError('Resource is write protected'))
+      )
+      .catch((err) => reject(err));
     }
   });
 }

diff --git a/tests/api/v1/helpers/utils.js b/tests/api/v1/helpers/utils.js
@@ -18,6 +18,7 @@ const apiUtils = require('../../../../api/v1/helpers/verbs/utils.js');
 describe('tests/api/v1/helpers/utils.js >', () => {
   let token;
   let subject;
+  let user;
   const na = {
     name: `${tu.namePrefix}NorthAmerica`,
     description: 'continent',
@@ -28,7 +29,10 @@ describe('tests/api/v1/helpers/utils.js >', () => {
       subject = sub;
       return tu.createUser('myUNiqueUser');
     })
-    .then((usr) => tu.createTokenFromUserName(usr.name))
+    .then((usr) => {
+      user = usr;
+      return tu.createTokenFromUserName(usr.name)
+    })
     .then((tkn) => {
       token = tkn;
       done();
@@ -68,6 +72,32 @@ describe('tests/api/v1/helpers/utils.js >', () => {
         done();
       });
     });
+
+    it('no token required if requireAccessToken is false and the resource is not' +
+      ' write-protected', (done) => {
+      tu.toggleOverride('requireAccessToken', false);
+      const fakeReq = { headers: {} };
+      apiUtils.isWritable(fakeReq, subject)
+      .then((ok) => {
+        expect(ok).to.equal(subject);
+        done();
+      })
+      .catch(done);
+    });
+
+    it('token required if requireAccessToken is false and the resource is' +
+      ' write-protected', (done) => {
+      tu.toggleOverride('requireAccessToken', false);
+      const fakeReq = { headers: {} };
+      subject.addWriters([user])
+      .then(() => apiUtils.isWritable(fakeReq, subject))
+      .then(() => done('expecting error'))
+      .catch((err) => {
+        expect(err.name).to.equal('ForbiddenError');
+        done();
+      });
+    });
+
   });
 
   describe('getUserNameFromToken >', () => {