From fb6238ecbb0588ead962383944928e0a6bae5268 Mon Sep 17 00:00:00 2001
From: mgabor <>
Date: Tue, 23 Apr 2024 11:20:46 +0200
Subject: [PATCH] add new e2e tests for readonly share
---
 e2e/src/api/specs/album.e2e-spec.ts | 41 +++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/e2e/src/api/specs/album.e2e-spec.ts b/e2e/src/api/specs/album.e2e-spec.ts
index 608cf828dd..91e47bf8d4 100644
--- a/e2e/src/api/specs/album.e2e-spec.ts
+++ b/e2e/src/api/specs/album.e2e-spec.ts
@@ -463,6 +463,17 @@ describe('/album', () => {
 expect(status).toBe(200);
 expect(body).toEqual([expect.objectContaining({ id: asset.id, success: true })]);
 });
+
+ it('should not be able to add assets to album as a viewer', async () => {
+ const asset = await utils.createAsset(user2.accessToken);
+ const { status, body } = await request(app)
+ .put(`/album/${user1Albums[3].id}/assets`)
+ .set('Authorization', `Bearer ${user2.accessToken}`)
+ .send({ ids: [asset.id] });
+
+ expect(status).toBe(400);
+ expect(body).toEqual(errorDto.badRequest('Not found or no album.addAsset access'));
+ });
 });
 describe('PATCH /album/:id', () => {
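Review bot: The viewer test for `PUT /album/:id/assets` cannot tell a rejected viewer from a user who has no share on the album at all, because the only thing it asserts is `'Not found or no album.addAsset access'`, which by its own wording covers both cases. Nothing in the hunk shows that `user1Albums[3]` is shared with `user2` in the viewer role (the fixture setup is outside it), so if that index ever points at an unshared album the test keeps passing while the read-only boundary goes unchecked. Assert the precondition first, for example that `user2` can read the album before the write is attempted, and label the fixture with a comment such as `// user1Albums[3]: shared with user2 as viewer`. The same applies to the viewer and editor tests added under `PATCH /album/:id` and the viewer test added under `DELETE /album/:id/assets`.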
@@ -493,6 +504,26 @@ describe('/album', () => {
 description: 'An album description',
 });
 });
+
+ it('should not be able to update as a viewer', async () => {
+ const { status, body } = await request(app)
+ .patch(`/album/${user1Albums[3].id}`)
+ .set('Authorization', `Bearer ${user2.accessToken}`)
+ .send({ albumName: 'New album name' });
+
+ expect(status).toBe(400);
+ expect(body).toEqual(errorDto.badRequest('Not found or no album.update access'));
+ });
+
+ it('should not be able to update as an editor', async () => {
+ const { status, body } = await request(app)
+ .patch(`/album/${user1Albums[0].id}`)
+ .set('Authorization', `Bearer ${user2.accessToken}`)
+ .send({ albumName: 'New album name' });
+
+ expect(status).toBe(400);
+ expect(body).toEqual(errorDto.badRequest('Not found or no album.update access'));
+ });
 });
 describe('DELETE /album/:id/assets', () => {
@@ -556,6 +587,16 @@ describe('/album', () => {
 expect(status).toBe(200);
 expect(body).toEqual([expect.objectContaining({ id: user1Asset1.id, success: true })]);
 });
+
+ it('should not be able to remove assets from album as a viewer', async () => {
+ const { status, body } = await request(app)
+ .delete(`/album/${user1Albums[3].id}/assets`)
+ .set('Authorization', `Bearer ${user2.accessToken}`)
+ .send({ ids: [user1Asset1.id] });
+
+ expect(status).toBe(400);
+ expect(body).toEqual(errorDto.badRequest('Not found or no album.removeAsset access'));
+ });
 });
 describe('PUT :id/users', () => {
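Review bot: Both new `PATCH /album/:id` tests stop at the status code and error body and never check that the album was left untouched, so a handler that applied the rename and only then returned the error would still pass. After the rejected request, re-read the album with the owner's token and assert that its name is not `'New album name'`; the add and remove tests in the other two hunks have the same gap for the album's asset list. The editor case also deserves a one-line comment, since a 400 for an editor is less obvious than for a viewer, for example `// editors may change assets but not album metadata` if that is the intended rule. The two tests differ only in the album index and could share one parametrised body.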
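Review bot: The new `DELETE /album/:id/assets` test sends `user1Asset1.id` against `user1Albums[3]`, but nothing in the hunk shows that this asset belongs to that album. The context lines just above suggest an earlier test in the same block already removed `user1Asset1` successfully. If the asset is not in the album under test, the 400 may come from a path that never reaches a real removal, and the test says little about what a viewer can do to existing content. Use an asset known to be in the viewer-shared album, note that in a comment such as `// asset is in user1Albums[3], which user2 can only view`, and assert as the owner afterwards that it is still there.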