Restrict access to mutation ProgressParticipant

This commit implements role-based restrictions on the ProgressParticipant mutation. This effectively excludes Read-Only participants and non-participating users from using this mutation
equinor · Sep 6, 2021 · d628c44 · d628c44
1 parent 1626641
commit d628c44
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 0 deletions.
diff --git a/backend/api/GQL/Mutation.cs b/backend/api/GQL/Mutation.cs
@@ -104,6 +104,9 @@ public Participant ProgressParticipant(string evaluationId, Progression newProgr
             Evaluation evaluation = _evaluationService.GetEvaluation(evaluationId);
             Participant participant = _participantService.GetParticipant(azureUniqueId, evaluation);
 
+            Role[] canBePerformedBy = { Role.Facilitator, Role.OrganizationLead, Role.Participant };
+            AssertCanPerformMutation(evaluation, canBePerformedBy);
+
             Participant progressedParticipant = _participantService.ProgressParticipant(participant, newProgression);
 
             return progressedParticipant;

diff --git a/backend/tests/GQL/Mutations/ProgressParticipant.cs b/backend/tests/GQL/Mutations/ProgressParticipant.cs
@@ -0,0 +1,82 @@
+using Xunit;
+using System;
+using System.Linq;
+
+using api.Models;
+using api.Services;
+using api.GQL;
+
+
+namespace tests
+{
+    public class ProgressParticipantMutation : MutationTest
+    {
+        private readonly Evaluation _evaluation;
+        private readonly Participant _facilitator;
+        private readonly Participant _organizationLead;
+        private readonly Participant _participant;
+        private readonly Participant _readonly;
+
+        public ProgressParticipantMutation() {
+            _evaluation = CreateEvaluation();
+            _facilitator = _evaluation.Participants.First();
+            _authService.LoginUser(_facilitator);
+
+            _organizationLead = CreateParticipant(_evaluation, role: Role.OrganizationLead);
+            _participant = CreateParticipant(_evaluation, role: Role.Participant);
+            _readonly = CreateParticipant(_evaluation, role: Role.ReadOnly);
+        }
+
+        /* Tests */
+
+        [Fact]
+        public void FacilitatorCanUseMutation()
+        {
+            AssertCanProgress(_facilitator);
+        }
+
+        [Fact]
+        public void OrganizationLeadCanUseMutation()
+        {
+            AssertCanProgress(_organizationLead);
+        }
+
+        [Fact]
+        public void ParticipantCanUseMutation()
+        {
+            AssertCanProgress(_participant);
+        }
+
+        [Fact]
+        public void ReadOnlyIsUnauthorized()
+        {
+            AssertIsNotAuthorized(_readonly);
+        }
+
+        /* Helper methods */
+
+        private void AssertCanProgress(Participant user)
+        {
+            _authService.LoginUser(user);
+            Progression newProgression = Randomize.Progression();
+
+            _mutation.ProgressParticipant(
+                evaluationId: _evaluation.Id,
+                newProgression: newProgression
+            );
+
+            Assert.True(user.Progression == newProgression);
+        }
+
+        private void AssertIsNotAuthorized(Participant user)
+        {
+            _authService.LoginUser(user.AzureUniqueId);
+            Assert.Throws<UnauthorizedAccessException>(() =>
+                _mutation.ProgressParticipant(
+                    evaluationId: _evaluation.Id,
+                    newProgression: Randomize.Progression()
+                )
+            );
+        }
+    }
+}