feat: Return 404 for read/delete requests if there is no resource

2024-10-03 14:55:10 +00:00 · 2022-02-28 11:46:38 +01:00
parent 9a29cc2257
commit e86e0cf36b
4 changed files with 49 additions and 5 deletions
--- a/test/unit/authorization/PermissionBasedAuthorizer.test.ts
+++ b/test/unit/authorization/PermissionBasedAuthorizer.test.ts
@@ -2,11 +2,14 @@ import { CredentialGroup } from '../../../src/authentication/Credentials';
 import type { AuthorizerInput } from '../../../src/authorization/Authorizer';
 import { PermissionBasedAuthorizer } from '../../../src/authorization/PermissionBasedAuthorizer';
 import { AccessMode } from '../../../src/authorization/permissions/Permissions';
+import type { ResourceSet } from '../../../src/storage/ResourceSet';
 import { ForbiddenHttpError } from '../../../src/util/errors/ForbiddenHttpError';
+import { NotFoundHttpError } from '../../../src/util/errors/NotFoundHttpError';
 import { UnauthorizedHttpError } from '../../../src/util/errors/UnauthorizedHttpError';

 describe('A PermissionBasedAuthorizer', (): void => {
  let input: AuthorizerInput;
+  let resourceSet: jest.Mocked<ResourceSet>;
  let authorizer: PermissionBasedAuthorizer;

  beforeEach(async(): Promise<void> => {
@@ -16,8 +19,11 @@ describe('A PermissionBasedAuthorizer', (): void => {
      permissionSet: {},
      credentials: {},
    };
+    resourceSet = {
+      hasResource: jest.fn().mockResolvedValue(true),
+    };

-    authorizer = new PermissionBasedAuthorizer();
+    authorizer = new PermissionBasedAuthorizer(resourceSet);
  });

  it('can handle any input.', async(): Promise<void> => {
@@ -53,4 +59,13 @@ describe('A PermissionBasedAuthorizer', (): void => {
  it('defaults to empty permissions for the Authorization.', async(): Promise<void> => {
    await expect(authorizer.handle(input)).resolves.toBeUndefined();
  });
+
+  it('throws a 404 in case the target resource does not exist and would not be written to.', async(): Promise<void> => {
+    resourceSet.hasResource.mockResolvedValueOnce(false);
+    input.modes = new Set([ AccessMode.delete ]);
+    input.permissionSet = {
+      [CredentialGroup.public]: { read: true },
+    };
+    await expect(authorizer.handle(input)).rejects.toThrow(NotFoundHttpError);
+  });
 });