Merge pull request #441 from nik0kin/bug/fix-parent-child-except-over…

…rides Fix: A parent state's "except" permission that is met will override the child "except" permission that is not met
RafaelVidaurre · Jan 20, 2018 · 43be752 · 43be752
2 parents ec48978 + 47356c0
commit 43be752
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 8 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -10,7 +10,7 @@ When creating an issue please include:
 
 Want to submit a Pull Request?
 ============================
-1. Create a branch from the `ng1`/`ng2` branch accordingly to used angular version
+1. Create a branch from the `development` branch
 2. Implement your new feature
-3. Submit a pull request to be merged in the `ng1`/`ng2` branch
+3. Submit a pull request to be merged in the `development` branch
 
diff --git a/src/permission-ui/authorization/StateAuthorization.js b/src/permission-ui/authorization/StateAuthorization.js
@@ -69,12 +69,18 @@ function PermStateAuthorization($q, $state, PermStatePermissionMap) {
   function resolveExceptStatePermissionMap(deferred, map) {
     var exceptPromises = resolveStatePermissionMap(map.except, map);
 
-    $q.all(exceptPromises)
-      .then(function (rejectedPermissions) {
-        deferred.reject(rejectedPermissions[0]);
-      })
-      .catch(function () {
+    // Reverse the promises, so if any "except" privileges are not met, the promise rejects
+    $q.all(reversePromises(exceptPromises))
+      .then(function () {
         resolveOnlyStatePermissionMap(deferred, map);
+      })
+      .catch(function (rejectedPermissions) {
+
+        if (!angular.isArray(rejectedPermissions)) {
+          rejectedPermissions = [rejectedPermissions];
+        }
+
+        deferred.reject(rejectedPermissions[0]);
       });
   }
 
@@ -129,6 +135,23 @@ function PermStateAuthorization($q, $state, PermStatePermissionMap) {
         });
     });
   }
+
+  /**
+   * Creates an Array of Promises that resolve when rejected, and reject when resolved
+   * @methodOf permission.ui.PermStateAuthorization
+   * @private
+   *
+   * @param promises {Array} Array of promises
+   *
+   * @returns {Array<Promise>} Promise collection
+   */
+  function reversePromises (promises) {
+    return promises.map(function (promise) {
+      var d = $q.defer();
+      promise.then(d.reject, d.resolve);
+      return d.promise;
+    });
+  }
 }
 
 angular

diff --git a/test/unit/permission-ui/authorization/StateAuthorization.test.js b/test/unit/permission-ui/authorization/StateAuthorization.test.js
@@ -32,6 +32,14 @@ describe('permission.ui', function () {
           return false;
         });
 
+        PermPermissionStore.definePermission('editTopic', function () {
+          return false;
+        });
+
+        PermPermissionStore.definePermission('deleteUser', function () {
+          return true;
+        });
+
         PermRoleStore.defineRole('USER', ['editPosts']);
         PermRoleStore.defineRole('ADMIN', ['editUsers']);
       });
@@ -44,7 +52,6 @@ describe('permission.ui', function () {
             return {path: [{data: {permissions: {except: ['editUsers']}}}]};
           });
 
-
           // WHEN
           var map = new PermStatePermissionMap(state);
           var authorizationResult = PermStateAuthorization.authorizeByPermissionMap(map);
@@ -117,6 +124,102 @@ describe('permission.ui', function () {
           expect(authorizationResult).toBePromise();
           expect(authorizationResult).toBeRejectedWith('editPosts', jasmine.any(Object));
         });
+
+        it('should return resolved promise when a parent and a child state\'s "except" permissions are met', function () {
+          // GIVEN
+          var state = jasmine.createSpyObj('state', ['$$permissionState']);
+          state.$$permissionState.and.callFake(function () {
+            return {path: [
+              {data: {permissions: {except: ['editUsers']}}},
+              {data: {permissions: {except: ['editTopic']}}}
+            ]};
+          });
+
+          // WHEN
+          var map = new PermStatePermissionMap(state);
+          var authorizationResult = PermStateAuthorization.authorizeByPermissionMap(map);
+
+          // THEN
+          expect(authorizationResult).toBePromise();
+          expect(authorizationResult).toBeResolved();
+        });
+
+        it('should return rejected promise when a parent state\'s "except" permissions are not met', function () {
+          // GIVEN
+          var state = jasmine.createSpyObj('state', ['$$permissionState']);
+          state.$$permissionState.and.callFake(function () {
+            return {path: [
+              {data: {permissions: {except: ['editPosts', 'editUsers']}}},
+              {data: {permissions: {}}}
+            ]};
+          });
+
+          // WHEN
+          var map = new PermStatePermissionMap(state);
+          var authorizationResult = PermStateAuthorization.authorizeByPermissionMap(map);
+
+          // THEN
+          expect(authorizationResult).toBePromise();
+          expect(authorizationResult).toBeRejectedWith('editPosts', jasmine.any(Object));
+        });
+
+        it('should return rejected promise when a parent state\'s "except" permissions are met and child state\'s "except" permissions are not met', function () {
+          // GIVEN
+          var state = jasmine.createSpyObj('state', ['$$permissionState']);
+          state.$$permissionState.and.callFake(function () {
+            return {path: [
+              {data: {permissions: {except: ['editUsers']}}},
+              {data: {permissions: {except: ['editPosts']}}}
+            ]};
+          });
+
+          // WHEN
+          var map = new PermStatePermissionMap(state);
+          var authorizationResult = PermStateAuthorization.authorizeByPermissionMap(map);
+
+          // THEN
+          expect(authorizationResult).toBePromise();
+          expect(authorizationResult).toBeRejectedWith('editPosts', jasmine.any(Object));
+        });
+
+        it('should return rejected promise when a parent state\'s "except" permissions are not met and child state\'s "except" permissions are met', function () {
+          // GIVEN
+          var state = jasmine.createSpyObj('state', ['$$permissionState']);
+          state.$$permissionState.and.callFake(function () {
+            return {path: [
+              {data: {permissions: {except: ['editPosts']}}},
+              {data: {permissions: {except: ['editUsers']}}}
+            ]};
+          });
+
+          // WHEN
+          var map = new PermStatePermissionMap(state);
+          var authorizationResult = PermStateAuthorization.authorizeByPermissionMap(map);
+
+          // THEN
+          expect(authorizationResult).toBePromise();
+          expect(authorizationResult).toBeRejectedWith('editPosts', jasmine.any(Object));
+        });
+
+        it('should return rejected promise when a parent state\'s "except" permissions are not met and child state\'s "except" permissions are not met', function () {
+          // GIVEN
+          var state = jasmine.createSpyObj('state', ['$$permissionState']);
+          state.$$permissionState.and.callFake(function () {
+            return {path: [
+              {data: {permissions: {except: ['editPosts']}}},
+              {data: {permissions: {except: ['deleteUser']}}}
+            ]};
+          });
+
+          // WHEN
+          var map = new PermStatePermissionMap(state);
+          var authorizationResult = PermStateAuthorization.authorizeByPermissionMap(map);
+
+          // THEN
+          expect(authorizationResult).toBePromise();
+          expect(authorizationResult).toBeRejectedWith('editPosts', jasmine.any(Object));
+        });
+
       });
     });
   });