/* eslint-disable flowtype/require-valid-file-annotation */ import TestServer from 'fetch-test-server'; import app from '../app'; import { flushdb } from '../test/support'; import { buildUser, buildCollection, buildAttachment, buildDocument, } from '../test/factories'; const server = new TestServer(app.callback()); beforeEach(flushdb); afterAll(server.close); describe('#attachments.redirect', async () => { it('should require authentication', async () => { const res = await server.post('/api/attachments.redirect'); expect(res.status).toEqual(401); }); it('should return a redirect for an attachment belonging to a document user has access to', async () => { const user = await buildUser(); const attachment = await buildAttachment({ teamId: user.teamId, userId: user.id, }); const res = await server.post('/api/attachments.redirect', { body: { token: user.getJwtToken(), id: attachment.id }, redirect: 'manual', }); expect(res.status).toEqual(302); }); it('should always return a redirect for a public attachment', async () => { const user = await buildUser(); const collection = await buildCollection({ teamId: user.teamId, userId: user.id, private: true, }); const document = await buildDocument({ teamId: user.teamId, userId: user.id, collectionId: collection.id, }); const attachment = await buildAttachment({ teamId: user.teamId, userId: user.id, documentId: document.id, }); const res = await server.post('/api/attachments.redirect', { body: { token: user.getJwtToken(), id: attachment.id }, redirect: 'manual', }); expect(res.status).toEqual(302); }); it('should not return a redirect for a private attachment belonging to a document user does not have access to', async () => { const user = await buildUser(); const collection = await buildCollection({ private: true, }); const document = await buildDocument({ teamId: collection.teamId, userId: collection.userId, collectionId: collection.id, }); const attachment = await buildAttachment({ teamId: document.teamId, userId: document.userId, documentId: document.id, acl: 'private', }); const res = await server.post('/api/attachments.redirect', { body: { token: user.getJwtToken(), id: attachment.id }, }); expect(res.status).toEqual(403); }); });