access: grant / revoke / ls-collaborators unscoped

Asssuming all the privileges line up, allow these requests through to the registry. Credit: @othiym23 PR-URL: #126
npm · Nov 19, 2015 · f43d368 · f43d368
1 parent 32273ff
commit f43d368
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 8 deletions.
diff --git a/lib/access.js b/lib/access.js
@@ -102,20 +102,20 @@ function accessAssertions (subcommand, uri, params, cb) {
     'callback': [cb, 'function']
   })
   if (contains([
-    'public', 'restricted', 'grant', 'revoke', 'ls-collaborators'
+    'public', 'restricted'
   ], subcommand)) {
-    typeChecks({ 'package': [params.package, 'string']})
+    typeChecks({ 'package': [params.package, 'string'] })
     assert(!!npa(params.package).scope,
            'access commands are only accessible for scoped packages')
   }
   if (contains(['grant', 'revoke', 'ls-packages'], subcommand)) {
-    typeChecks({ 'scope': [params.scope, 'string']})
+    typeChecks({ 'scope': [params.scope, 'string'] })
   }
   if (contains(['grant', 'revoke'], subcommand)) {
-    typeChecks({ 'team': [params.team, 'string']})
+    typeChecks({ 'team': [params.team, 'string'] })
   }
   if (subcommand === 'grant') {
-    typeChecks({ 'permissions': [params.permissions, 'string']})
+    typeChecks({ 'permissions': [params.permissions, 'string'] })
     assert(params.permissions === 'read-only' ||
            params.permissions === 'read-write',
            'permissions must be either read-only or read-write')

diff --git a/test/access.js b/test/access.js
@@ -14,6 +14,13 @@ var PARAMS = {
   package: '@foo/bar',
   permissions: 'read-write'
 }
+var UNSCOPED = {
+  auth: { token: 'foo' },
+  scope: 'myorg',
+  team: 'myteam',
+  package: 'bar',
+  permissions: 'read-write'
+}
 
 var commands = [
   'public', 'restricted', 'grant', 'revoke', 'ls-packages', 'ls-collaborators'
@@ -72,6 +79,25 @@ test('access grant basic', function (t) {
   })
 })
 
+test('access grant basic unscoped', function (t) {
+  server.expect('PUT', '/-/team/myorg/myteam/package', function (req, res) {
+    t.equal(req.method, 'PUT')
+    onJsonReq(req, function (json) {
+      t.deepEqual(json, {
+        permissions: UNSCOPED.permissions,
+        package: UNSCOPED.package
+      })
+      res.statusCode = 201
+      res.json({ accessChanged: true })
+    })
+  })
+  client.access('grant', URI, UNSCOPED, function (error, data) {
+    t.ifError(error, 'no errors')
+    t.ok(data.accessChanged, 'access level set')
+    t.end()
+  })
+})
+
 test('access revoke basic', function (t) {
   server.expect('DELETE', '/-/team/myorg/myteam/package', function (req, res) {
     t.equal(req.method, 'DELETE')
@@ -90,6 +116,24 @@ test('access revoke basic', function (t) {
   })
 })
 
+test('access revoke basic unscoped', function (t) {
+  server.expect('DELETE', '/-/team/myorg/myteam/package', function (req, res) {
+    t.equal(req.method, 'DELETE')
+    onJsonReq(req, function (json) {
+      t.deepEqual(json, {
+        package: UNSCOPED.package
+      })
+      res.statusCode = 200
+      res.json({ accessChanged: true })
+    })
+  })
+  client.access('revoke', URI, UNSCOPED, function (error, data) {
+    t.ifError(error, 'no errors')
+    t.ok(data.accessChanged, 'access level set')
+    t.end()
+  })
+})
+
 test('ls-packages on team', function (t) {
   var serverPackages = {
     '@foo/bar': 'write',
@@ -188,7 +232,7 @@ test('ls-collaborators', function (t) {
   })
 })
 
-test('ls-collaborators w/ scope', function (t) {
+test('ls-collaborators w/scope', function (t) {
   var serverCollaborators = {
     'myorg:myteam': 'write',
     'myorg:anotherteam': 'read'
@@ -212,6 +256,30 @@ test('ls-collaborators w/ scope', function (t) {
   })
 })
 
+test('ls-collaborators w/o scope', function (t) {
+  var serverCollaborators = {
+    'myorg:myteam': 'write',
+    'myorg:anotherteam': 'read'
+  }
+  var clientCollaborators = {
+    'myorg:myteam': 'read-write',
+    'myorg:anotherteam': 'read-only'
+  }
+  var uri = '/-/package/bar/collaborators?format=cli&user=zkat'
+  server.expect('GET', uri, function (req, res) {
+    t.equal(req.method, 'GET')
+    res.statusCode = 200
+    res.json(serverCollaborators)
+  })
+  var params = Object.create(UNSCOPED)
+  params.user = 'zkat'
+  client.access('ls-collaborators', URI, params, function (error, data) {
+    t.ifError(error, 'no errors')
+    t.same(data, clientCollaborators)
+    t.end()
+  })
+})
+
 test('access command base validation', function (t) {
   t.throws(function () {
     client.access(undefined, URI, PARAMS, nop)
@@ -242,7 +310,7 @@ test('access command base validation', function (t) {
       client.access(cmd, URI, PARAMS, undefined)
     }, 'callback is required')
     if (contains([
-      'public', 'restricted', 'grant', 'revoke', 'ls-collaborators'
+      'public', 'restricted'
     ], cmd)) {
       t.throws(function () {
         var params = Object.create(PARAMS)
@@ -253,7 +321,7 @@ test('access command base validation', function (t) {
         var params = Object.create(PARAMS)
         params.package = 'underscore'
         client.access(cmd, URI, params, nop)
-      }, 'only scopes packages are allowed')
+      }, 'only scoped packages are allowed')
     }
     if (contains(['grant', 'revoke', 'ls-packages'], cmd)) {
       t.throws(function () {