joachim/location-mqtt-tracker-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d3b6d599709f85900821011dce23e3ab690c887
location-mqtt-tracker-app/scripts/test-device-access.js
Joachim Hummel 843e93a274 first commit
2025-11-24 16:30:37 +00:00

90 lines
2.9 KiB
JavaScript
Raw Blame History

#!/usr/bin/env node
/**
* Test device access control after security fix
* Tests that users can only see devices they own
*/
const Database = require('better-sqlite3');
const path = require('path');
const dbPath = path.join(__dirname, '..', 'data', 'database.sqlite');
const db = new Database(dbPath);
// Import the getAllowedDeviceIds logic
function getAllowedDeviceIds(userId, role, username) {
try {
// Super admin (username === "admin") can see ALL devices
if (username === 'admin') {
const allDevices = db.prepare('SELECT id FROM Device WHERE isActive = 1').all();
return allDevices.map(d => d.id);
}
// VIEWER users see their parent user's devices
if (role === 'VIEWER') {
const user = db.prepare('SELECT parent_user_id FROM User WHERE id = ?').get(userId);
if (user?.parent_user_id) {
const devices = db.prepare('SELECT id FROM Device WHERE ownerId = ? AND isActive = 1').all(user.parent_user_id);
return devices.map(d => d.id);
}
// If VIEWER has no parent, return empty array
return [];
}
// Regular ADMIN users see only their own devices
if (role === 'ADMIN') {
const devices = db.prepare('SELECT id FROM Device WHERE ownerId = ? AND isActive = 1').all(userId);
return devices.map(d => d.id);
}
// Default: no access
return [];
} catch (error) {
console.error('Error in getAllowedDeviceIds:', error);
return [];
}
}
console.log('=== Device Access Control Test ===\n');
// Get all users
const users = db.prepare('SELECT id, username, role, parent_user_id FROM User').all();
// Get all devices
const allDevices = db.prepare('SELECT id, name, ownerId FROM Device WHERE isActive = 1').all();
console.log('All devices in system:');
allDevices.forEach(d => {
console.log(` - Device ${d.id} (${d.name}) owned by: ${d.ownerId}`);
});
console.log('');
// Test each user
users.forEach(user => {
const allowedDevices = getAllowedDeviceIds(user.id, user.role, user.username);
console.log(`User: ${user.username} (${user.role})`);
console.log(` ID: ${user.id}`);
if (user.parent_user_id) {
const parent = users.find(u => u.id === user.parent_user_id);
console.log(` Parent: ${parent?.username || 'unknown'}`);
}
console.log(` Can see devices: ${allowedDevices.length > 0 ? allowedDevices.join(', ') : 'NONE'}`);
// Show device names
if (allowedDevices.length > 0) {
allowedDevices.forEach(deviceId => {
const device = allDevices.find(d => d.id === deviceId);
console.log(` - ${deviceId}: ${device?.name || 'unknown'}`);
});
}
console.log('');
});
console.log('=== Expected Results ===');
console.log('✓ admin: Should see ALL devices (10, 11, 12, 15)');
console.log('✓ joachim: Should see only devices 12, 15 (owned by joachim)');
console.log('✓ hummel: Should see devices 12, 15 (parent joachim\'s devices)');
console.log('✓ joachiminfo: Should see NO devices (doesn\'t own any)');
db.close();
Reference in New Issue View Git Blame Copy Permalink