From 7738db74318f45d662f3aef0e56a9dae54b8ed95 Mon Sep 17 00:00:00 2001
From: petruki <31597636+petruki@users.noreply.github.com>
Date: Sun, 9 Jul 2023 18:52:47 -0700
Subject: [PATCH 1/2] Fixes Permission sanitiation middlewares

---
 src/routers/permission.js | 16 +++++++++++-----
 tests/permission.test.js | 8 +++++---
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/routers/permission.js b/src/routers/permission.js
index de41e3b..93277ad 100644
--- a/src/routers/permission.js
+++ b/src/routers/permission.js
@@ -21,10 +21,15 @@ async function updatePermission(req, res) {
 
 router.post('/permission/create/:team', auth, [
 check('team').isMongoId(),
- body('action').not().isEmpty(),
- body('router').not().isEmpty(),
- body('environments').isArray().optional(),
-], validate, verifyInputUpdateParameters(['action', 'router', 'environments']), async (req, res) => {
+ body('action').isString().optional(),
+ body('active').isBoolean().optional(),
+ body('router').isString().optional(),
+ body('identifiedBy').isString().optional(),
+ body('values').isArray().optional(),
+ body('environments').isArray().optional()
+], validate, verifyInputUpdateParameters([
+ 'action', 'active', 'router', 'identifiedBy', 'values', 'environments'
+]), async (req, res) => {
 try {
 const permission = await Services.createPermission(req.body, req.params.team, req.admin);
 res.status(201).send(permission);
@@ -86,9 +91,10 @@ router.patch('/permission/:id', auth, [
 body('active').isBoolean().optional(),
 body('router').isString().optional(),
 body('identifiedBy').isString().optional(),
+ body('values').isArray().optional(),
 body('environments').isArray().optional()
 ], validate, verifyInputUpdateParameters([
- 'action', 'active', 'router', 'identifiedBy', 'environments'
+ 'action', 'active', 'router', 'identifiedBy', 'values', 'environments'
 ]), async (req, res) => {
 await updatePermission(req, res);
 });
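Review bot: The create route no longer requires `action` and `router`: the removed `.not().isEmpty()` chains are replaced by `.isString().optional()`, and `.optional()` skips the check entirely when the field is absent, so a create body missing either field now passes `validate` and is rejected only if `Services.createPermission` or the model throws (the tests/permission.test.js expectations moving from 422 to 400 suggest that is what now happens). Keeping the presence check at the router is cheaper and preserves the 422 contract: `body('action').isString().not().isEmpty(),` and `body('router').isString().not().isEmpty(),` in this hunk, with the `.optional()` form reserved for `router.patch`. Separately, `body('values').isArray().optional()` here and in the `router.patch` hunk below validates only that the value is an array, not what it contains, so nested objects or arrays can reach the service inside `values`; an element-level chain such as `body('values.*').isString()` pins the element type, and the same applies to `environments`. The `router.post` handler body continues past the end of the hunk.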
diff --git a/tests/permission.test.js b/tests/permission.test.js
index ba56cd0..4349da7 100644
--- a/tests/permission.test.js
+++ b/tests/permission.test.js
@@ -24,7 +24,9 @@ describe('Insertion tests', () => {
 .set('Authorization', `Bearer ${adminMasterAccountToken}`)
 .send({
 action: ActionTypes.READ,
- router: RouterTypes.GROUP
+ router: RouterTypes.GROUP,
+ identifiedBy: KeyTypes.NAME,
+ values: ['Group 1', 'Group 2']
 }).expect(201);
 
 // DB validation - document created
@@ -42,7 +44,7 @@ describe('Insertion tests', () => {
 .send({
 action: ActionTypes.READ,
 route: RouterTypes.GROUP
- }).expect(422);
+ }).expect(400);
 });
 
 test('PERMISSION_SUITE - Should NOT create a new Permission - Missing required parameter', async () => {
@@ -51,7 +53,7 @@ describe('Insertion tests', () => {
 .set('Authorization', `Bearer ${adminMasterAccountToken}`)
 .send({
 action: ActionTypes.READ
- }).expect(422);
+ }).expect(400);
 });
 
 test('PERMISSION_SUITE - Should NOT create a new Permission - Team not found', async () => {

From 4e5f3f550c608cfaafb322c8c5616248e555a80a Mon Sep 17 00:00:00 2001
From: petruki <31597636+petruki@users.noreply.github.com>
Date: Sun, 9 Jul 2023 19:01:29 -0700
Subject: [PATCH 2/2] Moved body sanitizer to global constant for reuse

---
 src/routers/permission.js | 15 +++++++-------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/routers/permission.js b/src/routers/permission.js
index 93277ad..f1458e7 100644
--- a/src/routers/permission.js
+++ b/src/routers/permission.js
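Review bot: The two "Missing required parameter" tests in the last two hunks now expect 400 instead of 422, so they no longer demonstrate that the request validator rejects the missing field — they pass as long as anything downstream answers 400. Asserting on the response body as well, e.g. keeping `.expect(400)` and then checking that the returned error refers to the missing field, keeps each test tied to the intended rejection rather than to any 400. The new `values` field is covered only by the positive string-array case in the first hunk; a negative case sending a non-array (or an array of objects) and expecting the validator's 422 would exercise the `isArray()` chain added in the router. The enclosing `describe('Insertion tests')` block starts before and continues after these hunks.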
@@ -19,14 +19,18 @@ async function updatePermission(req, res) {
 }
 }
 
-router.post('/permission/create/:team', auth, [
- check('team').isMongoId(),
+const sanitizeBody = [
 body('action').isString().optional(),
 body('active').isBoolean().optional(),
 body('router').isString().optional(),
 body('identifiedBy').isString().optional(),
 body('values').isArray().optional(),
 body('environments').isArray().optional()
+];
+
+router.post('/permission/create/:team', auth, [
+ check('team').isMongoId(),
+ ...sanitizeBody
 ], validate, verifyInputUpdateParameters([
 'action', 'active', 'router', 'identifiedBy', 'values', 'environments'
 ]), async (req, res) => {
@@ -87,12 +91,7 @@ router.get('/permission/:id', auth, [
 
 router.patch('/permission/:id', auth, [
 check('id').isMongoId(),
- body('action').isString().optional(),
- body('active').isBoolean().optional(),
- body('router').isString().optional(),
- body('identifiedBy').isString().optional(),
- body('values').isArray().optional(),
- body('environments').isArray().optional()
+ ...sanitizeBody
 ], validate, verifyInputUpdateParameters([
 'action', 'active', 'router', 'identifiedBy', 'values', 'environments'
 ]), async (req, res) => {
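Review bot: `sanitizeBody` is a misnomer — every entry is a validator (`isString`, `isBoolean`, `isArray`) and none of them sanitizes — and it is a module-level array of express-validator chain objects shared by both routes; chains are mutable builders, so any later `.withMessage()` or `.optional()` call on one entry would silently change both `router.post` and `router.patch`. A factory avoids that shared state and reads truer to what it does: `const permissionBodyValidators = () => [` with the six `body()` chains unchanged and `];` closing it, spread as `...permissionBodyValidators()` in each route. Whichever form is kept, a one-line comment above it, `// Type checks for the permission body shared by POST /permission/create/:team and PATCH /permission/:id; every field is optional here`, saves the next reader a lookup, and it would be the natural place to note that presence of `action`/`router` on create is no longer checked at the router. The second hunk of this patch applies the same spread to `router.patch` and needs no separate change.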