Merge pull request #484 from pryv/fix/reuse-deleted-streamIds-auth

sgoumaz · web-flow · commit 3b5fe8c8bc6c · 2023-03-23T12:07:35.000+01:00
Fix/reuse deleted stream ids auth
diff --git a/components/api-server/src/methods/accesses.js b/components/api-server/src/methods/accesses.js
@@ -523,11 +523,9 @@ module.exports = async function produceAccessesApiMethods (api) {
       let permissionStream;
       async.series([
         async function checkId () {
-          // NOT-OPTIMIZED: could return only necessary fields
-          const existingStreamArray = await mall.streams.get(context.user.id, { id: permission.streamId });
-          if (existingStreamArray.length === 1) {
-            permissionStream = existingStreamArray[0];
-            permission.name = permissionStream.name;
+          const existingStream = await mall.streams.getOneWithNoChildren(context.user.id, permission.streamId);
+          if (existingStream != null) {
+            permission.name = existingStream.name;
             delete permission.defaultName;
           }
         },
diff --git a/components/api-server/test/accesses-personal.test.js b/components/api-server/test/accesses-personal.test.js
@@ -205,6 +205,11 @@ describe('accesses (personal)', function () {
             level: 'contribute',
             defaultName: 'Trashed stream to restore (this should be ignored)'
           },
+          {
+            streamId: testData.streams[4].id,
+            level: 'read',
+            defaultName: 'Deleted stream must be recreated'
+          },
           {
             streamId: '*',
             level: 'read',
@@ -230,6 +235,7 @@ describe('accesses (personal)', function () {
               delete expected.permissions[1].defaultName;
               delete expected.permissions[2].defaultName;
               delete expected.permissions[3].defaultName;
+              delete expected.permissions[4].defaultName;
               expected.created = res.body.access.created;
               expected.createdBy = res.body.access.createdBy;
               expected.modified = res.body.access.modified;
@@ -241,13 +247,15 @@ describe('accesses (personal)', function () {
             });
         },
         async function verifyNewStream () {
-          const streams = await mall.streams.get(user.id, {
-            id: data.permissions[1].streamId
-          });
-          should.exist(streams[0]);
-          const stream = streams[0];
-          validation.checkStoredItem(stream, 'stream');
-          stream.name.should.eql(data.permissions[1].defaultName);
+          const newStream = await mall.streams.getOneWithNoChildren(user.id, data.permissions[1].streamId);
+          should.exist(newStream);
+          validation.checkStoredItem(newStream, 'stream');
+          newStream.name.should.eql(data.permissions[1].defaultName);
+
+          const undeletedStream = await mall.streams.getOneWithNoChildren(user.id, data.permissions[3].streamId);
+          should.exist(undeletedStream);
+          validation.checkStoredItem(undeletedStream, 'stream');
+          undeletedStream.name.should.eql(data.permissions[3].defaultName);
         },
         async function verifyRestoredStream () {
           const streams = await mall.streams.get(user.id, {
@@ -649,17 +657,19 @@ describe('accesses (personal)', function () {
             streamId: 'new-stream',
             level: 'manage',
             defaultName: 'The New Stream, Sir.'
+          },
+          {
+            streamId: testData.streams[4].id,
+            level: 'read',
+            defaultName: 'Undeleted stream'
           }
         ]
       };
       req()
         .post(path)
         .send(data)
         .end(function (res) {
-          validation.check(res, {
-            status: 200,
-            schema: methodsSchema.checkApp.result
-          });
+          validation.check(res, { status: 200, schema: methodsSchema.checkApp.result });
           should.exist(res.body.checkedPermissions);
           const expected = _.cloneDeep(data.requestedPermissions);
           expected[0].name = testData.streams[0].name;
diff --git a/components/storage/src/localDataStore/localUserStreams.js b/components/storage/src/localDataStore/localUserStreams.js
@@ -50,16 +50,13 @@ module.exports = ds.createUserStreams({
     }
 
     if (stream == null) return null;
-    if (stream.deleted) return null;
 
     // filtering ---
     if (!query.includeTrashed) {
       if (stream.trashed) return null;
       // i.e. === 'default' (return non-trashed items)
       stream.children = treeUtils.filterTree(stream.children, false /* no orphans */, (stream) => !stream.trashed);
     }
-    // return non-deleted items
-    stream.children = treeUtils.filterTree(stream.children, false /* no orphans */, (stream) => stream.deleted == null);
     return stream;
   },
 
@@ -87,7 +84,7 @@ module.exports = ds.createUserStreams({
   async create (userId, streamData) {
     // as we have mixed deletions and non deleted in the same table
     // remove eventual deleted items matching this id.
-    const deletedStreams = await this.getDeletions(userId, Number.MIN_SAFE_INTEGER);
+    const deletedStreams = await this.getDeletions(userId, { deletedSince: Number.MIN_SAFE_INTEGER });
     const deletedStream = deletedStreams.filter(s => s.id === streamData.id);
     if (deletedStream.length > 0) {
       await bluebird.fromCallback((cb) => this.userStreamsStorage.removeOne({ id: userId }, { id: deletedStream[0].id }, cb));
@@ -121,7 +118,7 @@ module.exports = ds.createUserStreams({
     if (allStreamsForAccount != null) return allStreamsForAccount;
 
     // get from DB
-    allStreamsForAccount = await bluebird.fromCallback((cb) => this.userStreamsStorage.findIncludingDeletionsAndVersions({ id: userId }, {}, null, cb));
+    allStreamsForAccount = await bluebird.fromCallback((cb) => this.userStreamsStorage.find({ id: userId }, {}, null, cb));
     // add system streams
     allStreamsForAccount = allStreamsForAccount.concat(visibleStreamsTree);
     cache.setStreams(userId, 'local', allStreamsForAccount);
