From 4279ba13e97d96be8dfe78f295af7d81fbc4b408 Mon Sep 17 00:00:00 2001
From: Michael Shamoon <4887959+shamoon@users.noreply.github.com>
Date: Fri, 25 Nov 2022 00:10:34 -0800
Subject: [PATCH] Redirect and notify for perms guard, add frontend tests

---
 src-ui/cypress/e2e/auth/auth.cy.ts | 68 +++++++++++++++
 .../ui_settings/settings_restricted.json | 85 +++++++++++++++++++
 src-ui/src/app/guards/permissions.guard.ts | 22 ++++-
 3 files changed, 172 insertions(+), 3 deletions(-)
 create mode 100644 src-ui/cypress/e2e/auth/auth.cy.ts
 create mode 100644 src-ui/cypress/fixtures/ui_settings/settings_restricted.json

diff --git a/src-ui/cypress/e2e/auth/auth.cy.ts b/src-ui/cypress/e2e/auth/auth.cy.ts
new file mode 100644
index 000000000..717113c76
--- /dev/null
+++ b/src-ui/cypress/e2e/auth/auth.cy.ts
@@ -0,0 +1,68 @@
+describe('settings', () => {
+ beforeEach(() => {
+ // also uses global fixtures from cypress/support/e2e.ts
+
+ // mock restricted permissions
+ cy.intercept('http://localhost:8000/api/ui_settings/', {
+ fixture: 'ui_settings/settings_restricted.json',
+ })
+ })
+
+ it('should not allow user to edit settings', () => {
+ cy.visit('/dashboard')
+ cy.contains('Settings').should('not.exist')
+ cy.visit('/settings').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view documents', () => {
+ cy.visit('/dashboard')
+ cy.contains('Documents').should('not.exist')
+ cy.visit('/documents').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ cy.visit('/documents/1').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view correspondents', () => {
+ cy.visit('/dashboard')
+ cy.contains('Correspondents').should('not.exist')
+ cy.visit('/correspondents').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view tags', () => {
+ cy.visit('/dashboard')
+ cy.contains('Tags').should('not.exist')
+ cy.visit('/tags').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view document types', () => {
+ cy.visit('/dashboard')
+ cy.contains('Document Types').should('not.exist')
+ cy.visit('/documenttypes').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view storage paths', () => {
+ cy.visit('/dashboard')
+ cy.contains('Storage Paths').should('not.exist')
+ cy.visit('/storagepaths').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view logs', () => {
+ cy.visit('/dashboard')
+ cy.contains('Logs').should('not.exist')
+ cy.visit('/logs').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+
+ it('should not allow user to view tasks', () => {
+ cy.visit('/dashboard')
+ cy.contains('Tasks').should('not.exist')
+ cy.visit('/tasks').wait(2000)
+ cy.contains("You don't have permissions to do that").should('exist')
+ })
+})
diff --git a/src-ui/cypress/fixtures/ui_settings/settings_restricted.json b/src-ui/cypress/fixtures/ui_settings/settings_restricted.json
new file mode 100644
index 000000000..f722ef25c
--- /dev/null
+++ b/src-ui/cypress/fixtures/ui_settings/settings_restricted.json
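Review bot: None of the specs assert the redirect that the guard now performs; each only checks the toast text after a fixed `.wait(2000)`, so a regression that shows the toast but leaves the user on the restricted route (or still renders its content) would pass. Replacing the hard-coded wait with a retrying assertion such as `cy.location('pathname').should('eq', '/dashboard')` after each restricted `cy.visit(...)` pins the redirect and removes the timing dependence. The `cy.contains('Settings').should('not.exist')` checks placed right after `cy.visit('/dashboard')` can also pass before the dashboard has rendered, so asserting first on an element that is expected to exist (the dashboard heading, for instance) would make the negative assertion meaningful; the same applies to every `it` block in this file.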
@@ -0,0 +1,85 @@
+{
+ "user_id": 1,
+ "username": "admin",
+ "display_name": "Admin",
+ "settings": {
+ "language": "",
+ "bulk_edit": {
+ "confirmation_dialogs": true,
+ "apply_on_close": false
+ },
+ "documentListSize": 50,
+ "dark_mode": {
+ "use_system": true,
+ "enabled": "false",
+ "thumb_inverted": "true"
+ },
+ "theme": {
+ "color": "#b198e5"
+ },
+ "document_details": {
+ "native_pdf_viewer": false
+ },
+ "date_display": {
+ "date_locale": "",
+ "date_format": "mediumDate"
+ },
+ "notifications": {
+ "consumer_new_documents": true,
+ "consumer_success": true,
+ "consumer_failed": true,
+ "consumer_suppress_on_dashboard": true
+ }
+ },
+ "permissions": [
+ "add_token",
+ "change_token",
+ "delete_token",
+ "view_token",
+ "add_tokenproxy",
+ "change_tokenproxy",
+ "delete_tokenproxy",
+ "view_tokenproxy",
+ "add_contenttype",
+ "change_contenttype",
+ "delete_contenttype",
+ "view_contenttype",
+ "add_chordcounter",
+ "change_chordcounter",
+ "delete_chordcounter",
+ "view_chordcounter",
+ "add_groupresult",
+ "change_groupresult",
+ "delete_groupresult",
+ "view_groupresult",
+ "add_failure",
+ "change_failure",
+ "delete_failure",
+ "view_failure",
+ "add_ormq",
+ "change_ormq",
+ "delete_ormq",
+ "view_ormq",
+ "add_schedule",
+ "change_schedule",
+ "delete_schedule",
+ "view_schedule",
+ "add_success",
+ "change_success",
+ "delete_success",
+ "view_success",
+ "add_task",
+ "change_task",
+ "delete_task",
+ "view_task",
+ "add_comment",
+ "add_frontendsettings",
+ "change_frontendsettings",
+ "delete_frontendsettings",
+ "view_frontendsettings",
+ "add_session",
+ "change_session",
+ "delete_session",
+ "view_session"
+ ]
+}
diff --git a/src-ui/src/app/guards/permissions.guard.ts b/src-ui/src/app/guards/permissions.guard.ts
index 7b9625344..39536ed55 100644
--- a/src-ui/src/app/guards/permissions.guard.ts
+++ b/src-ui/src/app/guards/permissions.guard.ts
@@ -2,18 +2,34 @@ import {
 CanActivate,
 ActivatedRouteSnapshot,
 RouterStateSnapshot,
+ UrlTree,
+ Router,
 } from '@angular/router'
 import { Injectable } from '@angular/core'
 import { PermissionsService } from '../services/permissions.service'
+import { ToastService } from '../services/toast.service'
 
 @Injectable()
 export class PermissionsGuard implements CanActivate {
- constructor(private permissionsService: PermissionsService) {}
+ constructor(
+ private permissionsService: PermissionsService,
+ private router: Router,
+ private toastService: ToastService
+ ) {}
 
 canActivate(
 route: ActivatedRouteSnapshot,
 state: RouterStateSnapshot
- ): boolean {
- return this.permissionsService.currentUserCan(route.data.requiredPermission)
+ ): boolean | UrlTree {
+ if (
+ !this.permissionsService.currentUserCan(route.data.requiredPermission)
+ ) {
+ this.toastService.showError(
+ $localize`You don't have permissions to do that`
+ )
+ return this.router.parseUrl('/dashboard')
+ } else {
+ return true
+ }
 }
 }
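Review bot: The redirect in `return this.router.parseUrl('/dashboard')` is unconditional, so if the dashboard route is itself protected by this guard and the user lacks that permission (the route configuration is not in this hunk), the rejected navigation would be redirected to a route that rejects it again; checking the current target first, e.g. `if (state.url === '/dashboard') return false`, would stop that, and `state` is otherwise unused. The `else { return true }` after a `return` is redundant; the method reads more plainly as a guard clause followed by a bare `return true`. A short TSDoc on `canActivate` would also help, stating that this is a client-side navigation guard keyed on `route.data.requiredPermission` and that the API must enforce the same permission independently, since the toast and redirect only shape the UI; what `currentUserCan` does when a route omits `requiredPermission` is defined outside this hunk and is worth documenting there.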