add dataset.create verb

getodk · Mar 14, 2024 · 5005e0a · 5005e0a
1 parent 705dcbb
commit 5005e0a
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 2 deletions.
diff --git a/lib/model/migrations/20240312-01-add-dataset-create-verb.js b/lib/model/migrations/20240312-01-add-dataset-create-verb.js
@@ -0,0 +1,23 @@
+// Copyright 2023 ODK Central Developers
+// See the NOTICE file at the top-level directory of this distribution and at
+// https://github.com/getodk/central-backend/blob/master/NOTICE.
+// This file is part of ODK Central. It is subject to the license terms in
+// the LICENSE file found in the top-level directory of this distribution and at
+// https://www.apache.org/licenses/LICENSE-2.0. No part of ODK Central,
+// including this file, may be copied, modified, propagated, or distributed
+// except according to the terms contained in the LICENSE file.
+
+const up = (db) => db.raw(`
+UPDATE roles
+SET verbs = verbs || '["dataset.create"]'::jsonb
+WHERE system in ('admin', 'manager')
+`);
+
+const down = (db) => db.raw(`
+UPDATE roles
+SET verbs = (verbs - 'dataset.create')
+WHERE system in ('admin', 'manager')
+`);
+
+module.exports = { up, down };
+
diff --git a/lib/resources/datasets.js b/lib/resources/datasets.js
@@ -54,8 +54,7 @@ module.exports = (service, endpoint) => {
 
   service.post('/projects/:id/datasets', endpoint(async ({ Projects, Datasets }, { auth, body, params }) => {
     const project = await Projects.getById(params.id).then(getOrNotFound);
-    // todo: add dataset.create verb
-    await auth.canOrReject('dataset.update', project);
+    await auth.canOrReject('dataset.create', project);
 
     const { name } = body;
     if (!validateDatasetName(name))

diff --git a/test/integration/api/datasets.js b/test/integration/api/datasets.js
@@ -2874,6 +2874,17 @@ describe('datasets and entities', () => {
 
   describe('parsing datasets on form upload', () => {
     describe('parsing datasets at /projects/:id/forms POST', () => {
+      it('should allow someone without dataset.create to create a dataset through posting a form', testService(async (service, { run }) => {
+        await run(sql`UPDATE roles SET verbs = (verbs - 'dataset.create') WHERE system in ('manager')`);
+
+        const asBob = await service.login('bob');
+
+        await asBob.post('/v1/projects/1/forms')
+          .send(testData.forms.simpleEntity)
+          .set('Content-Type', 'text/xml')
+          .expect(200);
+      }));
+
       it('should return a Problem if the entity xml has the wrong version', testService((service) =>
         service.login('alice', (asAlice) =>
           asAlice.post('/v1/projects/1/forms')