energylink/pkg/api/dashboard_test.go

package api

import (
	"encoding/json"
	"testing"

	"github.com/grafana/grafana/pkg/api/dtos"
	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/models"

	. "github.com/smartystreets/goconvey/convey"
)

func TestDashboardApiEndpoint(t *testing.T) {
	Convey("Given a dashboard with a parent folder which does not have an acl", t, func() {
		fakeDash := models.NewDashboard("Child dash")
		fakeDash.ParentId = 1
		fakeDash.HasAcl = false

		bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
			query.Result = fakeDash
			return nil
		})

		Convey("When user is an Org Viewer", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_VIEWER, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
				So(sc.resp.Code, ShouldEqual, 200)

				dash := dtos.DashboardFullWithMeta{}
				err := json.NewDecoder(sc.resp.Body).Decode(&dash)
				So(err, ShouldBeNil)

				Convey("Should not be able to edit or save dashboard", func() {
					So(dash.Meta.CanEdit, ShouldBeFalse)
					So(dash.Meta.CanSave, ShouldBeFalse)
				})
			})
		})

		Convey("When user is an Org Read Only Editor", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_READ_ONLY_EDITOR, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
				So(sc.resp.Code, ShouldEqual, 200)

				dash := dtos.DashboardFullWithMeta{}
				err := json.NewDecoder(sc.resp.Body).Decode(&dash)
				So(err, ShouldBeNil)

				Convey("Should be able to edit but not save the dashboard", func() {
					So(dash.Meta.CanEdit, ShouldBeTrue)
					So(dash.Meta.CanSave, ShouldBeFalse)
				})
			})
		})

		Convey("When user is an Org Editor", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_EDITOR, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

				So(sc.resp.Code, ShouldEqual, 200)

				dash := dtos.DashboardFullWithMeta{}
				err := json.NewDecoder(sc.resp.Body).Decode(&dash)
				So(err, ShouldBeNil)

				Convey("Should be able to edit or save dashboard", func() {
					So(dash.Meta.CanEdit, ShouldBeTrue)
					So(dash.Meta.CanSave, ShouldBeTrue)
				})
			})
		})
	})

	Convey("Given a dashboard with a parent folder which has an acl", t, func() {
		fakeDash := models.NewDashboard("Child dash")
		fakeDash.ParentId = 1
		fakeDash.HasAcl = true

		bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
			query.Result = fakeDash
			return nil
		})

		bus.AddHandler("test", func(query *models.GetUserGroupsByUserQuery) error {
			query.Result = []*models.UserGroup{}
			return nil
		})

		Convey("When user is an Org Viewer and has no permissions for this dashboard", func() {
			bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
				query.Result = []*models.DashboardAclInfoDTO{}
				return nil
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_VIEWER, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

				Convey("Should be denied access", func() {
					So(sc.resp.Code, ShouldEqual, 403)
				})
			})
		})

		Convey("When user is an Org Editor and has no permissions for this dashboard", func() {
			bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
				query.Result = []*models.DashboardAclInfoDTO{}
				return nil
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_EDITOR, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

				Convey("Should be denied access", func() {
					So(sc.resp.Code, ShouldEqual, 403)
				})
			})
		})

		Convey("When user is an Org Viewer but has an edit permission", func() {
			mockResult := []*models.DashboardAclInfoDTO{
				{Id: 1, OrgId: 1, DashboardId: 2, UserId: 1, PermissionType: models.PERMISSION_EDIT},
			}

			bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
				query.Result = mockResult
				return nil
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_VIEWER, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

				So(sc.resp.Code, ShouldEqual, 200)

				dash := dtos.DashboardFullWithMeta{}
				err := json.NewDecoder(sc.resp.Body).Decode(&dash)
				So(err, ShouldBeNil)

				Convey("Should be able to get dashboard with edit rights", func() {
					So(dash.Meta.CanEdit, ShouldBeTrue)
					So(dash.Meta.CanSave, ShouldBeTrue)
				})
			})
		})

		Convey("When user is an Org Editor but has a view permission", func() {
			mockResult := []*models.DashboardAclInfoDTO{
				{Id: 1, OrgId: 1, DashboardId: 2, UserId: 1, PermissionType: models.PERMISSION_VIEW},
			}

			bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
				query.Result = mockResult
				return nil
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", models.ROLE_VIEWER, func(sc *scenarioContext) {
				sc.handlerFunc = GetDashboard
				sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

				So(sc.resp.Code, ShouldEqual, 200)

				dash := dtos.DashboardFullWithMeta{}
				err := json.NewDecoder(sc.resp.Body).Decode(&dash)
				So(err, ShouldBeNil)

				Convey("Should not be able to edit or save dashboard", func() {
					So(dash.Meta.CanEdit, ShouldBeFalse)
					So(dash.Meta.CanSave, ShouldBeFalse)
				})
			})
		})
	})
}