Add new tests and update schema.sql and account permissions

New test files for database functionalities like transfer of ownership, schema conditions, and updating roles have been added. Changes have also been made in the schema.sql file for checking the role hierarchy levels and updating rules for permissions. Modifications in account permissions test have also been performed for more accuracy.
2024-04-20 19:37:39 +08:00
parent bf0d2e1c87
commit 4195697b54
12 changed files with 300 additions and 11 deletions
--- a/apps/web/supabase/tests/database/00000-makerkit-helpers.sql
+++ b/apps/web/supabase/tests/database/00000-makerkit-helpers.sql
@@ -10,6 +10,22 @@ alter default PRIVILEGES in schema makerkit revoke execute on FUNCTIONS from pub
 alter default PRIVILEGES in schema makerkit grant execute on FUNCTIONS to anon,
  authenticated, service_role;

+create or replace function makerkit.set_identifier(
+  identifier text,
+  user_email text
+)
+  returns text
+  as $$
+begin
+ update auth.users set raw_user_meta_data = jsonb_build_object('test_identifier', identifier)
+ where email = user_email;
+
+ return identifier;
+
+end;
+
+$$ language PLPGSQL;
+
 create or replace function makerkit.get_account_by_slug(
  account_slug text
 )
--- a/apps/web/supabase/tests/database/account-permissions.test.sql
+++ b/apps/web/supabase/tests/database/account-permissions.test.sql
@@ -77,6 +77,11 @@ update public.accounts_memberships
    where account_id = makerkit.get_account_id_by_slug('test')
        and user_id = makerkit.get_user_id('test1@test.com');

+set local role postgres;
+
+-- insert permissions for the custom role
+insert into public.role_permissions (role, permission) values ('custom-role', 'members.manage');
+
 select tests.authenticate_as('test1');

 -- the custom role does not have permissions to manage billing
--- a/apps/web/supabase/tests/database/billing-orders.test.sql
+++ b/apps/web/supabase/tests/database/billing-orders.test.sql
@@ -0,0 +1,10 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+-- test
+
+select * from finish();
+
+rollback;
--- a/apps/web/supabase/tests/database/billing-subscriptions.test.sql
+++ b/apps/web/supabase/tests/database/billing-subscriptions.test.sql
@@ -0,0 +1,10 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+-- test
+
+select * from finish();
+
+rollback;
--- a/apps/web/supabase/tests/database/invitations.test.sql
+++ b/apps/web/supabase/tests/database/invitations.test.sql
@@ -0,0 +1,63 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+-- test
+
+select makerkit.set_identifier('test', 'test@makerkit.dev');
+select makerkit.set_identifier('member', 'member@makerkit.dev');
+select makerkit.set_identifier('custom', 'custom@makerkit.dev');
+
+select tests.authenticate_as('test');
+
+select lives_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite1@makerkit.dev', auth.uid(),  makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()); $$,
+'owner should be able to create invitations'
+);
+
+-- check two invitations to the same email/account are not allowed
+select throws_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite1@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
+    'duplicate key value violates unique constraint "invitations_email_account_id_key"'
+);
+
+select tests.authenticate_as('member');
+
+-- check a member cannot invite members with higher roles
+select throws_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite2@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'owner', gen_random_uuid()) $$,
+    'new row violates row-level security policy for table "invitations"'
+);
+
+-- check a member can invite members with the same or lower roles
+select lives_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite2@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
+    'member should be able to create invitations for members or lower roles'
+);
+
+-- authenticate_as the custom role
+select tests.authenticate_as('custom');
+
+-- it will fail because the custom role does not have the invites.manage permission
+select throws_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
+    'new row violates row-level security policy for table "invitations"'
+);
+
+set local role postgres;
+
+-- add permissions to invite members to the custom role
+insert into public.role_permissions (role, permission) values ('custom-role', 'invites.manage');
+
+-- authenticate_as the custom role
+select tests.authenticate_as('custom');
+
+select lives_ok(
+    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
+    'custom role should be able to create invitations'
+);
+
+select * from finish();
+
+rollback;
--- a/apps/web/supabase/tests/database/remove-membership.test.sql
+++ b/apps/web/supabase/tests/database/remove-membership.test.sql
@@ -0,0 +1,10 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+-- test
+
+select * from finish();
+
+rollback;
--- a/apps/web/supabase/tests/database/schema-conditions.test.sql
+++ b/apps/web/supabase/tests/database/schema-conditions.test.sql
@@ -0,0 +1,57 @@
+begin;
+
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select
+  no_plan();
+
+CREATE OR REPLACE FUNCTION check_schema_conditions()
+RETURNS void AS
+$$
+DECLARE
+  _table RECORD;
+  _column RECORD;
+  columnCheckCount INTEGER;
+BEGIN
+  FOR _table IN (SELECT tablename FROM pg_tables WHERE schemaname = 'public')
+  LOOP
+    -- 1. Check if every table has RLS enabled
+    IF (
+      SELECT relrowsecurity FROM pg_class
+      INNER JOIN pg_namespace n ON n.oid = pg_class.relnamespace
+      WHERE n.nspname = 'public' AND relname = _table.tablename
+    ) IS FALSE THEN
+      RAISE EXCEPTION 'Table "%" does not have RLS enabled.', _table.tablename;
+    END IF;
+
+    -- 2. Check that every text column in the current table has a constraint
+    FOR _column IN (SELECT column_name FROM information_schema.columns WHERE table_schema = 'public' AND table_name = _table.tablename AND data_type = 'text')
+    LOOP
+      SELECT COUNT(*)
+      INTO columnCheckCount
+      FROM information_schema.constraint_column_usage
+      WHERE table_schema = 'public' AND table_name = _table.tablename AND column_name = _column.column_name;
+
+      IF columnCheckCount = 0 THEN
+        RAISE NOTICE 'Text column "%.%" does not have a constraint
+        .',
+        _table.tablename, _column.column_name;
+      END IF;
+    END LOOP;
+  END LOOP;
+
+  RAISE NOTICE 'Schema check completed.';
+END
+$$ LANGUAGE plpgsql;
+
+select lives_ok($$
+  select
+    check_schema_conditions();
+$$, 'check_schema_conditions()');
+
+select
+  *
+from
+  finish();
+
+rollback;
--- a/apps/web/supabase/tests/database/schema.test.sql
+++ b/apps/web/supabase/tests/database/schema.test.sql
@@ -8,9 +8,25 @@ select has_table('public', 'accounts', 'Makerkit accounts table should exist');
 select has_table('public', 'accounts_memberships', 'Makerkit account_users table should exist');
 select has_table('public', 'invitations', 'Makerkit invitations table should exist');
 select has_table('public', 'billing_customers', 'Makerkit billing_customers table should exist');
-select has_table('public', 'subscriptions', 'Makerkit billing_subscriptions table should exist');
+select has_table('public', 'subscriptions', 'Makerkit subscriptions table should exist');
+select has_table('public', 'subscription_items', 'Makerkit subscription_items table should exist');
+select has_table('public', 'orders', 'Makerkit orders table should exist');
+select has_table('public', 'order_items', 'Makerkit order_items table should exist');
+select has_table('public', 'roles', 'Makerkit roles table should exist');
 select has_table('public', 'role_permissions', 'Makerkit roles_permissions table should exist');

+select tests.rls_enabled('public', 'config');
+select tests.rls_enabled('public', 'accounts');
+select tests.rls_enabled('public', 'accounts_memberships');
+select tests.rls_enabled('public', 'invitations');
+select tests.rls_enabled('public', 'billing_customers');
+select tests.rls_enabled('public', 'subscriptions');
+select tests.rls_enabled('public', 'subscription_items');
+select tests.rls_enabled('public', 'orders');
+select tests.rls_enabled('public', 'order_items');
+select tests.rls_enabled('public', 'roles');
+select tests.rls_enabled('public', 'role_permissions');
+
 SELECT schema_privs_are('public', 'anon', Array [NULL], 'Anon should not have access to public schema');

 -- set the role to anonymous for verifying access tests
--- a/apps/web/supabase/tests/database/transfer-ownership.test.sql
+++ b/apps/web/supabase/tests/database/transfer-ownership.test.sql
@@ -0,0 +1,10 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+-- test
+
+select * from finish();
+
+rollback;
--- a/apps/web/supabase/tests/database/update-role.test.sql
+++ b/apps/web/supabase/tests/database/update-role.test.sql
@@ -0,0 +1,10 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+-- test
+
+select * from finish();
+
+rollback;