Skip to content

test: Add _Installation non-master access control regression tests#10578

Open
mtrezza wants to merge 2 commits into
parse-community:alphafrom
mtrezza:tests/installation-access-control
Open

test: Add _Installation non-master access control regression tests#10578
mtrezza wants to merge 2 commits into
parse-community:alphafrom
mtrezza:tests/installation-access-control

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Tests
    • Added coverage confirming that unauthenticated and non-master requests cannot access installation records.
    • Verified that unauthorized deletion attempts are rejected and do not remove installation data.
    • Confirmed authenticated non-master sessions receive the expected permission-denied error for both listing and deletion.

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

No new commits to review since the last review.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4589c0a3-54f6-41a5-af9c-50919a903849

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Added four tests verifying that unauthenticated and authenticated non-master clients receive forbidden errors for installation queries and deletion, with deletion confirmed not to remove the installation record.

Changes

Installation access control

Layer / File(s) Summary
Non-master authorization tests
spec/ParseInstallation.spec.js
Adds tests for forbidden installation find and delete requests from unauthenticated and authenticated non-master clients, including master-key count checks confirming denied deletions leave the installation row intact.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: coratgerl, dblythy, flovilmart, dplewis


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Description check ❌ Error The description is missing the required Issue, Approach, and Tasks sections from the repository template. Add the template sections with the linked issue, a brief approach summary, and the required task checklist items.
✅ Passed checks (6 passed)
Check name Status Explanation
Title check ✅ Passed The title uses an allowed prefix and clearly matches the added _Installation access control regression tests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed Only tests changed; no production code or security-sensitive logic was modified, and the new assertions only verify access is denied.
Engage In Review Feedback ✅ Passed Implemented the review feedback in commit 04b0a59 (returns after fail() + auth delete test) and followed up with '@coderabbitai review'.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
spec/ParseInstallation.spec.js (1)

1301-1375: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Coverage gap: no test for authenticated non-master delete.

The suite covers unauthenticated find, unauthenticated delete, and authenticated non-master find — but not authenticated non-master delete. Given the PR's goal is comprehensive non-master installation access-control regression coverage, consider adding a fourth test mirroring "blocks the find operation for an authenticated non-master user" but for the delete endpoint, following the same row-preservation check used in the unauthenticated delete test.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/ParseInstallation.spec.js` around lines 1301 - 1375, Add a test in the
access-control describe block covering DELETE on _Installation for an
authenticated non-master user, mirroring the setup and session-token headers
from “blocks the find operation for an authenticated non-master user.” Assert
the request returns OPERATION_FORBIDDEN with “Permission denied,” then verify
via a master-key query that the installation row remains present.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@spec/ParseInstallation.spec.js`:
- Around line 1307-1325: Update the three rejection tests around the request
try/catch blocks so each fail('... should have been rejected') immediately
returns (or throws), preventing execution from dereferencing an undefined error
when the request unexpectedly succeeds.

---

Nitpick comments:
In `@spec/ParseInstallation.spec.js`:
- Around line 1301-1375: Add a test in the access-control describe block
covering DELETE on _Installation for an authenticated non-master user, mirroring
the setup and session-token headers from “blocks the find operation for an
authenticated non-master user.” Assert the request returns OPERATION_FORBIDDEN
with “Permission denied,” then verify via a master-key query that the
installation row remains present.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ea810e75-461c-4062-8d6e-5cd4ec24dbad

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4d135 and 5f02b5f.

📒 Files selected for processing (1)
  • spec/ParseInstallation.spec.js

Comment thread spec/ParseInstallation.spec.js
@mtrezza

mtrezza commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.72%. Comparing base (0d260ff) to head (04b0a59).
⚠️ Report is 10 commits behind head on alpha.

❗ There is a different number of reports uploaded between BASE (0d260ff) and HEAD (04b0a59). Click for more details.

HEAD has 3 uploads less than BASE
Flag BASE (0d260ff) HEAD (04b0a59)
9 6
Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10578      +/-   ##
==========================================
- Coverage   92.68%   84.72%   -7.96%     
==========================================
  Files         193      193              
  Lines       17025    17025              
  Branches      248      248              
==========================================
- Hits        15779    14425    -1354     
- Misses       1225     2579    +1354     
  Partials       21       21              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant