Project: Edison

Sharing

The backend provides sharing management based on public, private, role-based and ACL access control.

Background
Given
client accepts JSON
Scenarios
Bob can grant read access to everyone (public object)
Given
the system only knows those Buildings:
| _id                      | label     | level | _owner            |
| 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
| 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
| 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
And
client is authenticated as Bob
When
client requests POST /api/buildings/541816f042e7d8204d000001/share with JSON:
[ { "_targets": ["public"],
    "_permissions": [ {"_read":true} ] } ]
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as John
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 200
And
response body should be JSON:
{ "_id" : "541816f042e7d8204d000001",
  "label" : "Town Hall",
  "level" : 3,
  "_owner" : "[email protected]",
  "_tags": [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] }
When
client requests GET /api/buildings
Then
response status should be 200
And
response body should be JSON:
[ { "_id" : "541816f042e7d8204d000002", "label" : "Army Camp", "level" : 3, "_owner" : "[email protected]" }, 
  { "_id" : "541816f042e7d8204d000001", "label" : "Town Hall", "level" : 3, "_owner" : "[email protected]", "_tags": [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] } ]
When
client is authenticated as Tom
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 200
And
response body should be JSON:
{ "_id" : "541816f042e7d8204d000001",
  "label" : "Town Hall",
  "level" : 3,
  "_owner" : "[email protected]",
  "_tags": [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] }
When
client requests GET /api/buildings
Then
response status should be 200
And
response body should be JSON:
[ { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]" },
  { "_id" : "541816f042e7d8204d000001", "label" : "Town Hall", "level" : 3, "_owner" : "[email protected]", "_tags": [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] } ]
When
client is authenticated as Nobody
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 200
And
response body should be JSON:
{ "_id" : "541816f042e7d8204d000001",
  "label" : "Town Hall",
  "level" : 3,
  "_owner" : "[email protected]",
  "_tags": [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] }
When
client requests GET /api/buildings
Then
response status should be 200
And
response body should be JSON:
[ { "_id" : "541816f042e7d8204d000001", "label" : "Town Hall", "level" : 3, "_owner" : "[email protected]", "_tags": [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] } ]
Bob can grant read/write access to everyone (public object)
Given
the system only knows those Buildings:
| _id                      | label     | level | _owner            |
| 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
| 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
| 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
And
client is authenticated as Bob
When
client requests POST /api/buildings/541816f042e7d8204d000001/share with JSON:
[ { "_targets": ["public"],
    "_permissions": [ {"_read":true}, {"_write":true} ] } ]
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as John
And
client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
{ "label": "John's Town Hall",
  "level": 999 }
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as Tom
And
client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
{ "label": "Tom's Town Hall",
  "level": 999 }
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as Bob
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 200
And
response body should be JSON:
{ "_id": "541816f042e7d8204d000001",
  "label": "Tom's Town Hall",
  "level": 999,
  "_owner": "[email protected]",
  "_tags": [ { "_targets": ["public"],
               "_permissions": [ {"_read":true}, {"_write":true} ] } ] }
Bob can grant read access to John only
Given
the system only knows those Buildings:
| _id                      | label     | level | _owner            |
| 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
| 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
| 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
And
client is authenticated as Bob
When
client requests POST /api/buildings/541816f042e7d8204d000001/share with JSON:
[ { "_targets": ["[email protected]"],
    "_permissions": [ {"_read":true} ] } ]
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as John
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 200
And
response body should be JSON:
{ "_id" : "541816f042e7d8204d000001",
  "label" : "Town Hall",
  "level" : 3,
  "_owner" : "[email protected]",
  "_tags": [{ "_targets": ["[email protected]"], "_permissions": [{"_read": true}]}] }
When
client requests GET /api/buildings
Then
response status should be 200
And
response body should be JSON:
[ { "_id" : "541816f042e7d8204d000002", "label" : "Army Camp", "level" : 3, "_owner" : "[email protected]" }, 
  { "_id" : "541816f042e7d8204d000001", "label" : "Town Hall", "level" : 3, "_owner" : "[email protected]", "_tags": [{ "_targets": ["[email protected]"], "_permissions": [{"_read": true}]}] } ]
When
client is authenticated as Tom
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 422
When
client requests GET /api/buildings
Then
response status should be 200
And
response body should be JSON:
[ { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]" } ]
Bob can grant read/write access to John only
Given
the system only knows those Buildings:
| _id                      | label     | level | _owner            |
| 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
| 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
| 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
And
client is authenticated as Bob
When
client requests POST /api/buildings/541816f042e7d8204d000001/share with JSON:
[ { "_targets": ["[email protected]"],
    "_permissions": [ {"_read":true}, {"_write":true} ] } ]
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as John
And
client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
{ "label": "John's Town Hall",
  "level": 999 }
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as Tom
And
client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
{ "label": "Tom's Town Hall",
  "level": 999 }
Then
response status should be 422
John must not be able to see accesses granted by Bob to other users
Given
the system only knows those Buildings:
| _id                      | label     | level | _owner            | _tags                                                          |
| 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] |
| 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | []                                                             |
| 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | []                                                             |
And
client is authenticated as Bob
When
client requests POST /api/buildings/541816f042e7d8204d000001/share with JSON:
[ { "_targets": ["[email protected]"],
    "_permissions": [ {"_read":true}, {"_write":true} ] },
  { "_targets": ["[email protected]"],
    "_permissions": [ {"_read":true}, {"_write":true} ] },
  { "_targets": ["public"],
    "_permissions": [ {"_read":true} ] } ]
Then
response status should be 200
And
response body should be JSON:
{ "status": "ok" }
When
client is authenticated as John
And
client requests GET /api/buildings/541816f042e7d8204d000001
Then
response status should be 200
And
response body should be JSON:
{ "_id" : "541816f042e7d8204d000001",
  "label" : "Town Hall",
  "level" : 3,
  "_owner" : "[email protected]",
  "_tags": [{ "_targets": ["[email protected]"], "_permissions": [{"_read": true},{"_write":true}]}, { "_targets": ["public"], "_permissions": [{"_read": true}]}] }
John must not be able to grant access to objects he does not own
Given
the system only knows those Buildings:
| _id                      | label     | level | _owner            | _tags                                                          |
| 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [{ "_targets": ["public"], "_permissions": [{"_read": true}]}] |
| 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | []                                                             |
| 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | []                                                             |
And
client is authenticated as John
When
client requests POST /api/buildings/541816f042e7d8204d000003/share with JSON:
[ { "_targets": ["public"],
    "_permissions": [ {"_read":true} ] } ]
Then
response status should be 422
When
client requests POST /api/buildings/541816f042e7d8204d000001/share with JSON:
[ { "_targets": ["[email protected]"],
    "_permissions": [ {"_read": true}, {"_write":true} ] } ]
Then
response status should be 422
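The access rules these scenarios exercise (owner-only sharing, public versus per-user targets, third-party grants hidden from non-owners, 422 on denied reads and writes), as an added Python model that is not Edison's own code. User names such as "bob" or "john" and any building record passed in are constructed placeholders, since the page's addresses are redacted, and each 422 response is modelled as a raised PermissionError.

```python
# Model of the sharing rules exercised by the scenarios above (added example,
# not Edison's own code); every 422 response is modelled as a PermissionError.
PUBLIC = "public"

def _applies_to(tag, user):
    """A tag concerns a user if it names them explicitly or is public."""
    return PUBLIC in tag["_targets"] or user in tag["_targets"]

def allowed(user, building, perm):
    """The owner has every permission; anyone else needs a tag that both
    concerns them and carries the flag ("_read" or "_write")."""
    if building["_owner"] == user:
        return True
    for tag in building.get("_tags", []):
        if _applies_to(tag, user) and any(p.get(perm) for p in tag["_permissions"]):
            return True
    return False

def share(actor, building, tags):
    """POST .../share: only the owner may define the ACL, otherwise 422."""
    if building["_owner"] != actor:
        raise PermissionError(422)
    building["_tags"] = list(tags)
    return {"status": "ok"}

def view(user, building):
    """GET one building: 422 if unreadable; a non-owner gets only the ACL
    entries that concern them, so grants made to other users stay hidden."""
    if not allowed(user, building, "_read"):
        raise PermissionError(422)
    tags = building.get("_tags", [])
    if building["_owner"] != user:
        tags = [t for t in tags if _applies_to(t, user)]
    out = {k: v for k, v in building.items() if k != "_tags"}
    if tags:  # an empty ACL is omitted, as in the listing responses above
        out["_tags"] = tags
    return out

def list_visible(user, buildings):
    """GET /api/buildings: owned objects plus anything readable via a tag."""
    return [view(user, b) for b in buildings if allowed(user, b, "_read")]

def patch(user, building, changes):
    """PATCH one building: requires write access, otherwise 422."""
    if not allowed(user, building, "_write"):
        raise PermissionError(422)
    building.update(changes)
    return {"status": "ok"}
```

The filtering in `view` is the check behind the "must not be able to see accesses granted to other users" scenario: the stored ACL is never returned whole to anyone but the owner.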

Last published over 4 years ago by Bruno Le Hyaric.