Open
Description
Love the idea of this library, thanks for making it available.
I hope I'm missing something, but it looks like you can PUT and POST invoices within your own team using the storeMemberA user if you send the id and invoiceId properties?
```javascript
// POST as storeMemberA into the user's own store, but with a client-supplied id
it('should not create a teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'A', name: 'A invoice', invoiceNumber: 123, id: 123 })
      .expect(401))
})
```
returns 200
Even worse it looks like you can do the same across teams if you include the same properties.
```javascript
// POST as storeMemberA into another team's store (B), again with an id in the body
it('should not create another teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'B', name: 'A invoice', invoiceNumber: 223, id: 223 })
      .expect(401))
})

// PUT (upsert) as storeMemberA against store B, naming the target invoice by id
it('should not create another teams invoice with id prop', function() {
  return logInAs(user.username)
    .then(res => json('put', `/api/invoices?access_token=${res.body.id}`)
      .send({
        id: 21234,
        storeId: 'B',
        invoiceNumber: 21234,
      })
      .expect(401))
})
```
both return 200
I've updated the rest-test.js file in this branch, which highlights the issue: https://github.com/hbbh/loopback-component-access-groups/tree/test-create-upsert-permissions
It's probably my phat-hands, but it would be good to get another pair of eyes on it.
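As an added example (not code from the issue or from loopback-component-access-groups), a minimal in-memory model of the decision the tests above expect: on PUT the caller's membership is checked against the store of the record that already exists under that id rather than the storeId in the body, and a client-supplied id is refused on POST. The membership table, the invoice table, and the function name are assumptions; every denial maps to 401 as in the issue's tests.

```javascript
// Added example, not code from the issue or the component. Constructed sample
// data: which stores a user belongs to, and the invoices already persisted.
const memberships = { storeMemberA: ['A'] };   // user -> stores they belong to
const invoices = new Map([                      // persisted invoices by id
  [21234, { id: 21234, storeId: 'B', invoiceNumber: 21234 }],
  [5,     { id: 5,     storeId: 'A', invoiceNumber: 5 }],
]);

// Decide whether `user` may perform `method` with request `body`.
// Returns { status, reason } so a caller can map it onto an HTTP response.
function authorizeInvoiceWrite(user, method, body) {
  const stores = memberships[user] || [];
  const deny = reason => ({ status: 401, reason });
  method = String(method).toUpperCase();

  if (method === 'POST') {
    // A create must not carry a client-chosen id: with an id in the body the
    // write can turn into an update of an existing record instead of an insert.
    if (body.id !== undefined) return deny('client-supplied id on create');
    if (!stores.includes(body.storeId)) return deny('not a member of target store');
    return { status: 200 };
  }

  if (method === 'PUT') {
    // Authorize an upsert against the stored record's store (when one exists
    // under that id), never against the storeId the client sends.
    const existing = invoices.get(body.id);
    const targetStore = existing ? existing.storeId : body.storeId;
    if (!stores.includes(targetStore)) return deny('not a member of target store');
    // Members also may not move an existing invoice into another store.
    if (existing && body.storeId !== undefined && body.storeId !== existing.storeId) {
      return deny('storeId change not allowed');
    }
    return { status: 200 };
  }

  return { status: 405, reason: 'unsupported method' };
}
```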