Does not add permissions when a doc is empty (#23)

makinde · web-flow · commit 8fe43968b313 · 2018-10-29T01:08:13.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,4 +3,5 @@
 - Removing the ability to call Model.remove() and Model.create() since those aren't compatible with how this library works.
 - Muuuuch better tests
 - Embedded permissions object cannot be overwritten
-- When a document has embedded permissions, those permissions will be checks when a save or remove is being done. That way someone cannot write to an object in a way that changes their permssions and then try to save it.
+- When a document has embedded permissions, those permissions will be checks when a save or remove is being done. That way someone cannot write to an object in a way that changes their permssions and then try to save it.
+- Does not add permissions when a doc is empty
diff --git a/__tests__/embedPermissions.test.js b/__tests__/embedPermissions.test.js
@@ -17,29 +17,36 @@ test.before((t) => {
 });
 
 test('No schema', (t) => {
-  const blankDoc = {};
+  const blankDoc = { _id: 'someId' };
   embedPermissions(false, { permissions: true }, ['manager'], blankDoc);
-  t.deepEqual(blankDoc, {}, 'Nothing should have been added to doc');
+  t.deepEqual(blankDoc, { _id: 'someId' }, 'Nothing should have been added to doc');
 });
 
 test('No document', (t) => {
   t.notThrows(() => { embedPermissions(t.context.schema, { permissions: true }, ['manager'], false); });
 });
 
+test('Do not embed permissions if doc is empty', (t) => {
+  const doc = {};
+  embedPermissions(t.context.schema, { permissions: true }, ['manager'], doc);
+
+  t.deepEqual(doc, {}, 'Should not add permissions when doc is empty object');
+});
+
 test('Options say to do nothing', (t) => {
-  const blankDoc = {};
+  const blankDoc = { _id: 'someId' };
   embedPermissions(t.context.schema, false, ['manager'], blankDoc);
-  t.deepEqual(blankDoc, {}, 'Should not add permissions for false options');
+  t.deepEqual(blankDoc, { _id: 'someId' }, 'Should not add permissions for false options');
 
   embedPermissions(t.context.schema, {}, ['manager'], blankDoc);
-  t.deepEqual(blankDoc, {}, 'Should not add permissions for {} options');
+  t.deepEqual(blankDoc, { _id: 'someId' }, 'Should not add permissions for {} options');
 
   embedPermissions(t.context.schema, { permissions: false }, ['manager'], blankDoc);
-  t.deepEqual(blankDoc, {}, 'Should not add permissions for { permissions: false} options');
+  t.deepEqual(blankDoc, { _id: 'someId' }, 'Should not add permissions for { permissions: false} options');
 });
 
 test('Permissions embeded under default key', (t) => {
-  const managerDoc = {};
+  const managerDoc = { _id: 'someId' };
   embedPermissions(t.context.schema, { permissions: true }, ['manager'], managerDoc);
   t.deepEqual(
     managerDoc.permissions,
@@ -51,7 +58,7 @@ test('Permissions embeded under default key', (t) => {
     'Incorrect permissions embedded',
   );
 
-  const defaultDoc = {};
+  const defaultDoc = { _id: 'someId' };
   embedPermissions(t.context.schema, { permissions: true }, [], defaultDoc);
   t.deepEqual(
     defaultDoc.permissions,
@@ -64,7 +71,7 @@ test('Permissions embeded under default key', (t) => {
   );
 });
 test('Permissions embded under custom key', (t) => {
-  const managerDoc = {};
+  const managerDoc = { _id: 'someId' };
   embedPermissions(t.context.schema, { permissions: 'customKey' }, ['manager'], managerDoc);
   t.deepEqual(
     managerDoc.customKey,
@@ -76,7 +83,7 @@ test('Permissions embded under custom key', (t) => {
     'Incorrect permissions embedded',
   );
 
-  const defaultDoc = {};
+  const defaultDoc = { _id: 'someId' };
   embedPermissions(t.context.schema, { permissions: 'customKey' }, [], defaultDoc);
   t.deepEqual(
     defaultDoc.customKey,
@@ -101,7 +108,7 @@ test('If there\'s already a permissions field', (t) => {
 });
 
 test('Verify that the permissions data cannot be changed', (t) => {
-  const doc = {};
+  const doc = { _id: 'foobar' };
   embedPermissions(t.context.schema, { permissions: true }, ['manager'], doc);
 
   t.throws(
diff --git a/package.json b/package.json
@@ -50,6 +50,6 @@
     "nodeunit": "^0.11.2"
   },
   "optionalDependencies": {
-    "mongodb-runner": "3.6.1"
+    "mongodb-runner": "4.3.2"
   }
 }
diff --git a/src/embedPermissions.js b/src/embedPermissions.js
@@ -1,8 +1,9 @@
+const _ = require('lodash');
 const getAuthorizedFields = require('./getAuthorizedFields');
 const hasPermission = require('./hasPermission');
 
 function embedPermissions(schema, options, authLevels, doc) {
-  if (!schema || !options || !options.permissions || !doc) { return; }
+  if (!schema || !options || !options.permissions || _.isEmpty(doc)) { return; }
 
   const permsKey = options.permissions === true ? 'permissions' : options.permissions;
 

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,6 @@`
`50`	`50`	`"nodeunit": "^0.11.2"`
`51`	`51`	`},`
`52`	`52`	`"optionalDependencies": {`
`53`		`- "mongodb-runner": "3.6.1"`
	`53`	`+ "mongodb-runner": "4.3.2"`
`54`	`54`	`}`
`55`	`55`	`}`