Disallowing the use of API Model.create and Model.remove (#12)

These two methods can't be protected by this plugin, so it's best to disallow them entirely. By doing so, it makes it safe to wrap your mongoose models with an Restify wrapper.

Also, this diff introduces Ava and the new testing engine. Very similar syntax as before, just a newer, modern, maintained library.

Author: makinde

CHANGELOG.md

@@ -0,0 +1,4 @@
+# 2.0.0
+
+- Removing the ability to call Model.remove() and Model.create() since those aren't compatible with how this library works.
+-

__tests__/restrictedMethods.test.js

@@ -0,0 +1,27 @@
+const test = require('ava');
+const mongoose = require('mongoose');
+const authz = require('../');
+const IncompatibleMethodError = require('../lib/IncompatibleMethodError');
+
+test.before((t) => {
+  const schema = new mongoose.Schema({ friend: String });
+  schema.plugin(authz);
+  t.context.MyModel = mongoose.model('MyModel', schema);
+});
+
+test('Model.create should not be callable', (t) => {
+  const { MyModel } = t.context;
+  t.throws(
+    () => MyModel.create({ friend: 'bar' }),
+    IncompatibleMethodError,
+  );
+});
+
+test('Model.remove should not be callable', (t) => {
+  const { MyModel } = t.context;
+  t.throws(
+    () => MyModel.remove({}),
+    IncompatibleMethodError,
+  );
+});
+

index.js

@@ -9,6 +9,7 @@ const {
 } = require('./lib/helpers');
 
 const PermissionDeniedError = require('./lib/PermissionDeniedError');
+const IncompatibleMethodError = require('./lib/IncompatibleMethodError');
 
 module.exports = (schema) => {
   async function save(doc, options) {
@@ -143,4 +144,12 @@ module.exports = (schema) => {
     const authLevels = await resolveAuthLevel(schema, options, {});
     return hasPermission(this.schema, authLevels, 'create');
   };
+
+  schema.statics.create = function cannotCreate() {
+    throw new IncompatibleMethodError('Model.create');
+  };
+
+  schema.statics.remove = function cannotRemove() {
+    throw new IncompatibleMethodError('Model.remove');
+  };
 };

lib/IncompatibleMethodError.js

@@ -0,0 +1,9 @@
+module.exports = class IncompatibleMethodError extends Error {
+  constructor(method) {
+    const message = `[${method}] is not compatable with mongoose-authz. ` +
+    `Please see https://www.npmjs.com/package/mongoose-authz#${method} for more details.`;
+
+    super(message);
+    this.name = 'IncompatibleMethod';
+  }
+};