GitHub Repository: sagemathinc/cocalc
Path: blob/master/src/packages/database/postgres/project/user-set-query-project-users.test.ts
/*
* This file is part of CoCalc: Copyright © 2025 Sagemath, Inc.
* License: MS-RSL – see LICENSE.md for details
*/
import { uuid } from "@cocalc/util/misc";
import { sanitizeUserSetQueryProjectUsers } from "./user-set-query-project-users";
/**
 * Jest suite for sanitizeUserSetQueryProjectUsers.
 *
 * The sanitizer is called in two ways below:
 *  - with a requesting account id as second argument (a user-originated
 *    set query), where writes are restricted; and
 *  - with no account id, which the test names call "system-style" /
 *    "system operations", where more fields are accepted but `group`
 *    values are still validated.
 *
 * NOTE(review): not covered in this suite — a requester-supplied `group`
 * change on another account's entry, and `ssh_keys` sent together with a
 * requesting account id. Consider pinning both with explicit cases.
 */
describe("_user_set_query_project_users sanitizer", () => {
  // Two ids from uuid(): the account making the request and a second account.
  const requesterId = uuid();
  const collaboratorId = uuid();

  it("returns undefined when users is not provided", () => {
    // No `users` key at all: nothing to sanitize.
    const result = sanitizeUserSetQueryProjectUsers({}, requesterId);
    expect(result).toBeUndefined();
  });

  it("allows updating own hide and upgrades", () => {
    // The requester writes only under its own id.
    const result = sanitizeUserSetQueryProjectUsers(
      { users: { [requesterId]: { hide: true, upgrades: { memory: 1024 } } } },
      requesterId,
    );
    expect(result).toEqual({
      [requesterId]: { hide: true, upgrades: { memory: 1024 } },
    });
  });

  it("rejects modifying another account", () => {
    // Authorization boundary: upgrades keyed by a different account id
    // than the requester must be refused.
    const attempt = () =>
      sanitizeUserSetQueryProjectUsers(
        { users: { [collaboratorId]: { upgrades: { memory: 1024 } } } },
        requesterId,
      );
    expect(attempt).toThrow(
      "users set queries may only change upgrades for the requesting account",
    );
  });

  it("allows system-style updates when no account_id is provided", () => {
    // Single-argument call: no requesting account is supplied.
    const result = sanitizeUserSetQueryProjectUsers({
      users: { [requesterId]: { hide: false, ssh_keys: {} } },
    });
    expect(result).toEqual({
      [requesterId]: { hide: false, ssh_keys: {} },
    });
  });

  it("allows system operations to set group to owner", () => {
    const result = sanitizeUserSetQueryProjectUsers({
      users: { [requesterId]: { group: "owner", hide: false } },
    });
    expect(result).toEqual({
      [requesterId]: { group: "owner", hide: false },
    });
  });

  it("allows system operations to set group to collaborator", () => {
    const result = sanitizeUserSetQueryProjectUsers({
      users: { [requesterId]: { group: "collaborator" } },
    });
    expect(result).toEqual({
      [requesterId]: { group: "collaborator" },
    });
  });

  it("rejects group changes", () => {
    // With a requesting account id supplied, a `group` write is refused even
    // on the requester's own entry (self-promotion to owner).
    const attempt = () =>
      sanitizeUserSetQueryProjectUsers(
        { users: { [requesterId]: { group: "owner" } } },
        requesterId,
      );
    expect(attempt).toThrow(
      "changing collaborator group via user_set_query is not allowed",
    );
  });

  it("rejects invalid group values in system operations", () => {
    // Even without a requesting account id, `group` is checked against the
    // two values named in the error message.
    const attempt = () =>
      sanitizeUserSetQueryProjectUsers({
        users: { [requesterId]: { group: "admin" } },
      });
    expect(attempt).toThrow(
      "invalid group value 'admin' - must be 'owner' or 'collaborator'",
    );
  });

  it("allows hiding another collaborator", () => {
    // `hide` alone is accepted on another account's entry.
    const result = sanitizeUserSetQueryProjectUsers(
      { users: { [collaboratorId]: { hide: true } } },
      requesterId,
    );
    expect(result).toEqual({
      [collaboratorId]: { hide: true },
    });
  });

  it("rejects invalid upgrade field", () => {
    // An unrecognised key inside `upgrades` raises an error naming the field.
    const attempt = () =>
      sanitizeUserSetQueryProjectUsers(
        { users: { [requesterId]: { upgrades: { invalidQuota: 1 } } } },
        requesterId,
      );
    expect(attempt).toThrow("invalid upgrades field 'invalidQuota'");
  });
});