BC-4709 Create authorisation service

apps/server/src/modules/board/controller/api-test/drawing-item-check-permission.api.spec.ts

@@ -0,0 +1,133 @@
+import { EntityManager } from '@mikro-orm/mongodb';
+import { ServerTestModule } from '@modules/server';
+import { INestApplication } from '@nestjs/common';
+import { Test, TestingModule } from '@nestjs/testing';
+import { BoardExternalReferenceType } from '@shared/domain/domainobject';
+import {
+	TestApiClient,
+	UserAndAccountTestFactory,
+	cardNodeFactory,
+	cleanupCollections,
+	columnBoardNodeFactory,
+	columnNodeFactory,
+	courseFactory,
+} from '@shared/testing';
+import { drawingElementNodeFactory } from '@shared/testing/factory/boardnode/drawing-element-node.factory';
+
+const baseRouteName = '/elements';
+describe('drawing permission check (api)', () => {
+	let app: INestApplication;
+	let em: EntityManager;
+	let testApiClient: TestApiClient;
+
+	beforeAll(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			imports: [ServerTestModule],
+		}).compile();
+
+		app = module.createNestApplication();
+		await app.init();
+		em = module.get(EntityManager);
+		testApiClient = new TestApiClient(app, baseRouteName);
+	});
+
+	afterAll(async () => {
+		await app.close();
+	});
+
+	describe('when user is a valid teacher who is part of course', () => {
+		const setup = async () => {
+			await cleanupCollections(em);
+
+			const { teacherAccount, teacherUser } = UserAndAccountTestFactory.buildTeacher();
+			const course = courseFactory.build({ teachers: [teacherUser] });
+			await em.persistAndFlush([teacherAccount, teacherUser, course]);
+
+			const columnBoardNode = columnBoardNodeFactory.buildWithId({
+				context: { id: course.id, type: BoardExternalReferenceType.Course },
+			});
+
+			const columnNode = columnNodeFactory.buildWithId({ parent: columnBoardNode });
+
+			const cardNode = cardNodeFactory.buildWithId({ parent: columnNode });
+
+			const drawingItemNode = drawingElementNodeFactory.buildWithId({ parent: cardNode });
+
+			await em.persistAndFlush([columnBoardNode, columnNode, cardNode, drawingItemNode]);
+			em.clear();
+
+			const loggedInClient = await testApiClient.login(teacherAccount);
+
+			return { loggedInClient, teacherUser, columnBoardNode, columnNode, cardNode, drawingItemNode };
+		};
+
+		it('should return status 200', async () => {
+			const { loggedInClient, drawingItemNode } = await setup();
+
+			const response = await loggedInClient.get(`${drawingItemNode.id}/permission`);
+
+			expect(response.status).toEqual(200);
+		});
+	});
+
+	describe('when only teacher is part of course', () => {
+		const setup = async () => {
+			await cleanupCollections(em);
+
+			const { teacherAccount, teacherUser } = UserAndAccountTestFactory.buildTeacher();
+			const { studentAccount, studentUser } = UserAndAccountTestFactory.buildStudent();
+
+			const course = courseFactory.build({ students: [teacherUser] });
+			await em.persistAndFlush([teacherAccount, teacherUser, course, studentAccount, studentUser]);
+
+			const columnBoardNode = columnBoardNodeFactory.buildWithId({
+				context: { id: course.id, type: BoardExternalReferenceType.Course },
+			});
+
+			const columnNode = columnNodeFactory.buildWithId({ parent: columnBoardNode });
+
+			const cardNode = cardNodeFactory.buildWithId({ parent: columnNode });
+
+			const drawingItemNode = drawingElementNodeFactory.buildWithId({ parent: cardNode });
+
+			await em.persistAndFlush([columnBoardNode, columnNode, cardNode, drawingItemNode]);
+			em.clear();
+
+			const loggedInClient = await testApiClient.login(studentAccount);
+
+			return { loggedInClient, studentUser, columnBoardNode, columnNode, cardNode, drawingItemNode };
+		};
+
+		it('should return status 403 for student not assigned to course', async () => {
+			const { loggedInClient, drawingItemNode } = await setup();
+
+			const response = await loggedInClient.get(`${drawingItemNode.id}/permission`);
+
+			expect(response.status).toEqual(403);
+		});
+	});
+
+	describe('when asking for non-existing resource', () => {
+		const setup = async () => {
+			await cleanupCollections(em);
+
+			const { teacherAccount, teacherUser } = UserAndAccountTestFactory.buildTeacher();
+			await em.persistAndFlush([teacherAccount, teacherUser]);
+
+			em.clear();
+
+			const loggedInClient = await testApiClient.login(teacherAccount);
+
+			return { loggedInClient };
+		};
+
+		it('should return status 404 for wrong id', async () => {
+			const { loggedInClient } = await setup();
+			const wrongRandomId = '655b048616056135293d1e63';
+
+			const response = await loggedInClient.get(`${wrongRandomId}/permission`);
+
+			expect(response.status).toEqual(404);
+		});
+	});
+});

apps/server/src/modules/board/controller/element.controller.ts

@@ -4,6 +4,7 @@ import {
 	Controller,
 	Delete,
 	ForbiddenException,
+	Get,
 	HttpCode,
 	NotFoundException,
 	Param,
@@ -141,4 +142,17 @@ export class ElementController {
 
 		return response;
 	}
+
+	@ApiOperation({ summary: 'Check if user has read permission for any board element.' })
+	@ApiResponse({ status: 200 })
+	@ApiResponse({ status: 400, type: ApiValidationError })
+	@ApiResponse({ status: 403, type: ForbiddenException })
+	@ApiResponse({ status: 404, type: NotFoundException })
+	@Get(':contentElementId/permission')
+	async readPermission(
+		@Param() urlParams: ContentElementUrlParams,
+		@CurrentUser() currentUser: ICurrentUser
+	): Promise<void> {
+		await this.elementUc.checkElementReadPermission(currentUser.userId, urlParams.contentElementId);
+	}
 }

apps/server/src/modules/board/uc/element.uc.spec.ts

@@ -3,9 +3,11 @@ import { Action, AuthorizationService } from '@modules/authorization';
 import { HttpService } from '@nestjs/axios';
 import { ForbiddenException } from '@nestjs/common';
 import { Test, TestingModule } from '@nestjs/testing';
-import { BoardDoAuthorizable } from '@shared/domain/domainobject';
+import { BoardDoAuthorizable, BoardRoles, UserRoleEnum } from '@shared/domain/domainobject';
 import { InputFormat } from '@shared/domain/types';
 import {
+	cardFactory,
+	columnBoardFactory,
 	drawingElementFactory,
 	fileElementFactory,
 	richTextElementFactory,
@@ -79,7 +81,7 @@ describe(ElementUc.name, () => {
 				const richTextElement = richTextElementFactory.build();
 				const content = { text: 'this has been updated', inputFormat: InputFormat.RICH_TEXT_CK5 };
 
-				const elementSpy = elementService.findById.mockResolvedValue(richTextElement);
+				const elementSpy = elementService.findById.mockResolvedValueOnce(richTextElement);
 
 				return { richTextElement, user, content, elementSpy };
 			};
@@ -107,7 +109,7 @@ describe(ElementUc.name, () => {
 				const fileElement = fileElementFactory.build();
 				const content = { caption: 'this has been updated', alternativeText: 'this altText has been updated' };
 
-				const elementSpy = elementService.findById.mockResolvedValue(fileElement);
+				const elementSpy = elementService.findById.mockResolvedValueOnce(fileElement);
 
 				return { fileElement, user, content, elementSpy };
 			};
@@ -225,7 +227,7 @@ describe(ElementUc.name, () => {
 				const user = userFactory.build();
 				const fileElement = fileElementFactory.build();
 
-				elementService.findById.mockResolvedValue(fileElement);
+				elementService.findById.mockResolvedValueOnce(fileElement);
 
 				return { fileElement, user };
 			};
@@ -246,7 +248,7 @@ describe(ElementUc.name, () => {
 
 				const submissionContainer = submissionContainerElementFactory.build({ children: [fileElement] });
 
-				elementService.findById.mockResolvedValue(submissionContainer);
+				elementService.findById.mockResolvedValueOnce(submissionContainer);
 
 				return { submissionContainer, fileElement, user };
 			};
@@ -267,7 +269,7 @@ describe(ElementUc.name, () => {
 				const submissionItem = submissionItemFactory.build({ userId: user.id });
 				const submissionContainer = submissionContainerElementFactory.build({ children: [submissionItem] });
 
-				elementService.findById.mockResolvedValue(submissionContainer);
+				elementService.findById.mockResolvedValueOnce(submissionContainer);
 
 				return { submissionContainer, submissionItem, user };
 			};
@@ -281,4 +283,56 @@ describe(ElementUc.name, () => {
 			});
 		});
 	});
+
+	describe('checkElementReadPermission', () => {
+		const setup = () => {
+			const user = userFactory.build();
+			const drawingElement = drawingElementFactory.build();
+			const card = cardFactory.build({ children: [drawingElement] });
+			const columnBoard = columnBoardFactory.build({ children: [card] });
+			authorizationService.getUserWithPermissions.mockResolvedValueOnce(user);
+
+			const authorizableMock: BoardDoAuthorizable = new BoardDoAuthorizable({
+				users: [{ userId: user.id, roles: [BoardRoles.EDITOR], userRoleEnum: UserRoleEnum.TEACHER }],
+				id: columnBoard.id,
+			});
+
+			boardDoAuthorizableService.findById.mockResolvedValueOnce(authorizableMock);
+
+			return { drawingElement, user };
+		};
+
+		it('should properly find the element', async () => {
+			const { drawingElement, user } = setup();
+			elementService.findById.mockResolvedValueOnce(drawingElement);
+
+			await uc.checkElementReadPermission(user.id, drawingElement.id);
+
+			expect(elementService.findById).toHaveBeenCalledWith(drawingElement.id);
+		});
+
+		it('should properly check element permission and not throw', async () => {
+			const { drawingElement, user } = setup();
+			elementService.findById.mockResolvedValueOnce(drawingElement);
+
+			await expect(uc.checkElementReadPermission(user.id, drawingElement.id)).resolves.not.toThrow();
+		});
+
+		it('should throw at find element by Id', async () => {
+			const { drawingElement, user } = setup();
+			elementService.findById.mockRejectedValueOnce(new Error());
+
+			await expect(uc.checkElementReadPermission(user.id, drawingElement.id)).rejects.toThrow();
+		});
+
+		it('should throw at check permission', async () => {
+			const { user } = setup();
+			const testElementId = 'wrongTestId123';
+			authorizationService.checkPermission.mockImplementationOnce(() => {
+				throw new Error();
+			});
+
+			await expect(uc.checkElementReadPermission(user.id, testElementId)).rejects.toThrow();
+		});
+	});
 });

apps/server/src/modules/board/uc/element.uc.ts

@@ -60,6 +60,11 @@ export class ElementUc extends BaseUc {
 		return element;
 	}
 
+	async checkElementReadPermission(userId: EntityId, elementId: EntityId): Promise<void> {
+		const element = await this.elementService.findById(elementId);
+		await this.checkPermission(userId, element, Action.read);
+	}
+
 	async createSubmissionItem(
 		userId: EntityId,
 		contentElementId: EntityId,

apps/server/src/modules/tldraw/config.ts

@@ -10,6 +10,7 @@ export interface TldrawConfig {
 	FEATURE_TLDRAW_ENABLED: boolean;
 	TLDRAW_PING_TIMEOUT: number;
 	TLDRAW_GC_ENABLED: number;
+	API_HOST: number;
 }
 
 const tldrawConnectionString: string = Configuration.get('TLDRAW_DB_URL') as string;
@@ -24,6 +25,7 @@ const tldrawConfig = {
 	CONNECTION_STRING: tldrawConnectionString,
 	TLDRAW_PING_TIMEOUT: Configuration.get('TLDRAW__PING_TIMEOUT') as number,
 	TLDRAW_GC_ENABLED: Configuration.get('TLDRAW__GC_ENABLED') as boolean,
+	API_HOST: Configuration.get('API_HOST') as string,
 };
 
 export const SOCKET_PORT = Configuration.get('TLDRAW__SOCKET_PORT') as number;

apps/server/src/modules/tldraw/controller/api-test/tldraw.controller.api.spec.ts

@@ -0,0 +1,69 @@
+import { INestApplication } from '@nestjs/common';
+import { EntityManager } from '@mikro-orm/mongodb';
+import { cleanupCollections, courseFactory, TestApiClient, UserAndAccountTestFactory } from '@shared/testing';
+import { Test, TestingModule } from '@nestjs/testing';
+import { ServerTestModule } from '@modules/server';
+import { Logger } from '@src/core/logger';
+import { TldrawService } from '../../service';
+import { TldrawController } from '..';
+import { TldrawRepo } from '../../repo';
+import { tldrawEntityFactory } from '../../factory';
+
+const baseRouteName = '/tldraw-document';
+describe('tldraw controller (api)', () => {
+	let app: INestApplication;
+	let em: EntityManager;
+	let testApiClient: TestApiClient;
+
+	beforeAll(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			imports: [ServerTestModule],
+			controllers: [TldrawController],
+			providers: [Logger, TldrawService, TldrawRepo],
+		}).compile();
+
+		app = module.createNestApplication();
+		await app.init();
+		em = module.get(EntityManager);
+		testApiClient = new TestApiClient(app, baseRouteName);
+	});
+
+	afterAll(async () => {
+		await app.close();
+	});
+
+	describe('with valid user', () => {
+		const setup = async () => {
+			await cleanupCollections(em);
+
+			const { teacherAccount, teacherUser } = UserAndAccountTestFactory.buildTeacher();
+			const course = courseFactory.build({ teachers: [teacherUser] });
+			await em.persistAndFlush([teacherAccount, teacherUser, course]);
+
+			const drawingItemData = tldrawEntityFactory.build();
+
+			await em.persistAndFlush([drawingItemData]);
+			em.clear();
+
+			const loggedInClient = await testApiClient.login(teacherAccount);
+
+			return { loggedInClient, teacherUser, drawingItemData };
+		};
+
+		it('should return status 200 for delete', async () => {
+			const { loggedInClient, drawingItemData } = await setup();
+
+			const response = await loggedInClient.delete(`${drawingItemData.docName}`);
+
+			expect(response.status).toEqual(204);
+		});
+
+		it('should return status 404 for delete with wrong id', async () => {
+			const { loggedInClient } = await setup();
+
+			const response = await loggedInClient.delete(`testID123`);
+
+			expect(response.status).toEqual(404);
+		});
+	});
+});