added unit tests for phase and products for validating the add/update/delete access updates. Customers should not be able to do that.

Author: Vikas Agarwal

package-lock.json

@@ -50,6 +50,7 @@
     "express-validation": "^0.6.0",
     "http-aws-es": "^1.1.3",
     "joi": "^8.0.5",
+    "jsonwebtoken": "^8.3.0",
     "lodash": "^4.16.4",
     "method-override": "^2.3.9",
     "pg": "^4.5.5",

package.json

@@ -21,6 +21,20 @@ const body = {
 describe('Phase Products', () => {
   let projectId;
   let phaseId;
+  const memberUser = {
+    handle: testUtil.getDecodedToken(testUtil.jwts.member).handle,
+    userId: testUtil.getDecodedToken(testUtil.jwts.member).userId,
+    firstName: 'fname',
+    lastName: 'lName',
+    email: 'some@abc.com',
+  };
+  const copilotUser = {
+    handle: testUtil.getDecodedToken(testUtil.jwts.copilot).handle,
+    userId: testUtil.getDecodedToken(testUtil.jwts.copilot).userId,
+    firstName: 'fname',
+    lastName: 'lName',
+    email: 'some@abc.com',
+  };
   before((done) => {
     // mocks
     testUtil.clearDb()
@@ -37,14 +51,23 @@ describe('Phase Products', () => {
           }).then((p) => {
             projectId = p.id;
             // create members
-            models.ProjectMember.create({
-              userId: 40051332,
+            models.ProjectMember.bulkCreate([{
+              id: 1,
+              userId: copilotUser.userId,
               projectId,
               role: 'copilot',
+              isPrimary: false,
+              createdBy: 1,
+              updatedBy: 1,
+            }, {
+              id: 2,
+              userId: memberUser.userId,
+              projectId,
+              role: 'customer',
               isPrimary: true,
               createdBy: 1,
               updatedBy: 1,
-            }).then(() => {
+            }]).then(() => {
               models.ProjectPhase.create({
                 name: 'test project phase',
                 status: 'active',
@@ -72,7 +95,18 @@ describe('Phase Products', () => {
   });
 
   describe('POST /projects/{projectId}/phases/{phaseId}/products', () => {
-    it('should return 403 if user does not have permissions', (done) => {
+    it('should return 403 if user does not have permissions (non team member)', (done) => {
+      request(server)
+        .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member2}`,
+        })
+        .send({ param: body })
+        .expect('Content-Type', /json/)
+        .expect(403, done);
+    });
+
+    it('should return 403 if user does not have permissions (customer)', (done) => {
       request(server)
         .post(`/v4/projects/${projectId}/phases/${phaseId}/products`)
         .set({

src/routes/phaseProducts/create.spec.js

@@ -21,6 +21,20 @@ describe('Phase Products', () => {
   let projectId;
   let phaseId;
   let productId;
+  const memberUser = {
+    handle: testUtil.getDecodedToken(testUtil.jwts.member).handle,
+    userId: testUtil.getDecodedToken(testUtil.jwts.member).userId,
+    firstName: 'fname',
+    lastName: 'lName',
+    email: 'some@abc.com',
+  };
+  const copilotUser = {
+    handle: testUtil.getDecodedToken(testUtil.jwts.copilot).handle,
+    userId: testUtil.getDecodedToken(testUtil.jwts.copilot).userId,
+    firstName: 'fname',
+    lastName: 'lName',
+    email: 'some@abc.com',
+  };
   before((done) => {
     // mocks
     testUtil.clearDb()
@@ -37,14 +51,23 @@ describe('Phase Products', () => {
           }).then((p) => {
             projectId = p.id;
             // create members
-            models.ProjectMember.create({
-              userId: 40051332,
+            models.ProjectMember.bulkCreate([{
+              id: 1,
+              userId: copilotUser.userId,
               projectId,
               role: 'copilot',
+              isPrimary: false,
+              createdBy: 1,
+              updatedBy: 1,
+            }, {
+              id: 2,
+              userId: memberUser.userId,
+              projectId,
+              role: 'customer',
               isPrimary: true,
               createdBy: 1,
               updatedBy: 1,
-            }).then(() => {
+            }]).then(() => {
               models.ProjectPhase.create({
                 name: 'test project phase',
                 status: 'active',
@@ -77,7 +100,17 @@ describe('Phase Products', () => {
   });
 
   describe('DELETE /projects/{id}/phases/{phaseId}/products/{productId}', () => {
-    it('should return 403 when user have no permission', (done) => {
+    it('should return 403 when user have no permission (non team member)', (done) => {
+      request(server)
+        .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member2}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(403, done);
+    });
+
+    it('should return 403 when user have no permission (customer)', (done) => {
       request(server)
         .delete(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
         .set({

src/routes/phaseProducts/delete.spec.js

@@ -24,6 +24,20 @@ describe('Phase Products', () => {
   let projectId;
   let phaseId;
   let productId;
+  const memberUser = {
+    handle: testUtil.getDecodedToken(testUtil.jwts.member).handle,
+    userId: testUtil.getDecodedToken(testUtil.jwts.member).userId,
+    firstName: 'fname',
+    lastName: 'lName',
+    email: 'some@abc.com',
+  };
+  const copilotUser = {
+    handle: testUtil.getDecodedToken(testUtil.jwts.copilot).handle,
+    userId: testUtil.getDecodedToken(testUtil.jwts.copilot).userId,
+    firstName: 'fname',
+    lastName: 'lName',
+    email: 'some@abc.com',
+  };
   before((done) => {
     // mocks
     testUtil.clearDb()
@@ -40,14 +54,23 @@ describe('Phase Products', () => {
           }).then((p) => {
             projectId = p.id;
             // create members
-            models.ProjectMember.create({
-              userId: 40051332,
+            models.ProjectMember.bulkCreate([{
+              id: 1,
+              userId: copilotUser.userId,
               projectId,
               role: 'copilot',
+              isPrimary: false,
+              createdBy: 1,
+              updatedBy: 1,
+            }, {
+              id: 2,
+              userId: memberUser.userId,
+              projectId,
+              role: 'customer',
               isPrimary: true,
               createdBy: 1,
               updatedBy: 1,
-            }).then(() => {
+            }]).then(() => {
               models.ProjectPhase.create({
                 name: 'test project phase',
                 status: 'active',
@@ -80,11 +103,11 @@ describe('Phase Products', () => {
   });
 
   describe('GET /projects/{id}/phases/{phaseId}/products/{productId}', () => {
-    it('should return 403 when user have no permission', (done) => {
+    it('should return 403 when user have no permission (non team member)', (done) => {
       request(server)
         .get(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
         .set({
-          Authorization: `Bearer ${testUtil.jwts.member}`,
+          Authorization: `Bearer ${testUtil.jwts.member2}`,
         })
         .expect('Content-Type', /json/)
         .expect(403, done);
@@ -120,7 +143,31 @@ describe('Phase Products', () => {
         .expect(404, done);
     });
 
-    it('should return 1 phase when user have project permission', (done) => {
+    it('should return 1 phase when user have project permission (customer)', (done) => {
+      request(server)
+        .get(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
+        .set({
+          Authorization: `Bearer ${testUtil.jwts.member}`,
+        })
+        .expect('Content-Type', /json/)
+        .expect(200)
+        .end((err, res) => {
+          if (err) {
+            done(err);
+          } else {
+            const resJson = res.body.result.content;
+            should.exist(resJson);
+            resJson.name.should.be.eql(body.name);
+            resJson.type.should.be.eql(body.type);
+            resJson.estimatedPrice.should.be.eql(body.estimatedPrice);
+            resJson.actualPrice.should.be.eql(body.actualPrice);
+            resJson.details.should.be.eql(body.details);
+            done();
+          }
+        });
+    });
+
+    it('should return 1 phase when user have project permission (copilot)', (done) => {
       request(server)
         .get(`/v4/projects/${projectId}/phases/${phaseId}/products/${productId}`)
         .set({