mirror of
https://github.com/documenso/documenso.git
synced 2026-07-11 05:25:08 +10:00
90 lines
3.0 KiB
TypeScript
90 lines
3.0 KiB
TypeScript
import { cancelDocument } from '@documenso/lib/server-only/document/cancel-document';
|
|
import { deleteDocument } from '@documenso/lib/server-only/document/delete-document';
|
|
import { getEnvelopeWhereInput } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
|
|
import { prisma } from '@documenso/prisma';
|
|
import { DocumentStatus, DocumentVisibility, TeamMemberRole } from '@documenso/prisma/client';
|
|
import { seedBlankDocument } from '@documenso/prisma/seed/documents';
|
|
import { seedTeamMember } from '@documenso/prisma/seed/teams';
|
|
import { seedUser } from '@documenso/prisma/seed/users';
|
|
import { expect, test } from '@playwright/test';
|
|
|
|
const requestMetadata = {
|
|
auth: null,
|
|
requestMetadata: {},
|
|
source: 'app' as const,
|
|
};
|
|
|
|
test.describe.configure({ mode: 'parallel' });
|
|
|
|
const canReadEnvelope = async (envelopeId: string, userId: number, teamId: number) => {
|
|
try {
|
|
await getEnvelopeWhereInput({
|
|
id: { type: 'envelopeId', id: envelopeId },
|
|
userId,
|
|
teamId,
|
|
type: null,
|
|
}).then(({ envelopeWhereInput }) => prisma.envelope.findFirstOrThrow({ where: envelopeWhereInput }));
|
|
|
|
return true;
|
|
} catch {
|
|
return false;
|
|
}
|
|
};
|
|
|
|
test('[DOCUMENTS]: a member cannot delete a document with restricted visibility', async () => {
|
|
const { user: owner, team } = await seedUser();
|
|
const member = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
|
|
|
|
const envelope = await seedBlankDocument(owner, team.id, {
|
|
createDocumentOptions: {
|
|
visibility: DocumentVisibility.ADMIN,
|
|
status: DocumentStatus.DRAFT,
|
|
},
|
|
});
|
|
|
|
// The member cannot read an ADMIN-visibility document, so they must not be
|
|
// able to delete it either.
|
|
expect(await canReadEnvelope(envelope.id, member.id, team.id)).toBe(false);
|
|
|
|
await expect(
|
|
deleteDocument({
|
|
id: { type: 'envelopeId', id: envelope.id },
|
|
userId: member.id,
|
|
teamId: team.id,
|
|
requestMetadata,
|
|
}),
|
|
).rejects.toThrow();
|
|
|
|
const stillExists = await prisma.envelope.findUnique({ where: { id: envelope.id } });
|
|
expect(stillExists).not.toBeNull();
|
|
});
|
|
|
|
test('[DOCUMENTS]: a manager cannot cancel a document with restricted visibility', async () => {
|
|
const { user: owner, team } = await seedUser();
|
|
const manager = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MANAGER });
|
|
|
|
const envelope = await seedBlankDocument(owner, team.id, {
|
|
createDocumentOptions: {
|
|
visibility: DocumentVisibility.ADMIN,
|
|
status: DocumentStatus.PENDING,
|
|
},
|
|
});
|
|
|
|
// A manager outranks a member but still cannot read an ADMIN-visibility
|
|
// document, so cancellation must be blocked despite the sufficient role.
|
|
expect(await canReadEnvelope(envelope.id, manager.id, team.id)).toBe(false);
|
|
|
|
await expect(
|
|
cancelDocument({
|
|
id: { type: 'envelopeId', id: envelope.id },
|
|
userId: manager.id,
|
|
teamId: team.id,
|
|
reason: 'test-cancel',
|
|
requestMetadata,
|
|
}),
|
|
).rejects.toThrow();
|
|
|
|
const after = await prisma.envelope.findUnique({ where: { id: envelope.id } });
|
|
expect(after?.status).toBe(DocumentStatus.PENDING);
|
|
});
|