Avoid testing permissions when testing API endpoints
The current situation is that permissions for each endpoint/action are defined in other modules: permissions for a blog are defined in authsome and permissions for Editoria are defined in authsome-editoria.
This makes it impossible to write tests of the pubsweet-backend API where a certain user may or may not be able to perform a particular action, as those permissions aren't defined in pubsweet-backend.
Given that an admin user always bypasses permissions and is allowed to do anything, part of the solution could be to run all API endpoint tests in pubsweet-backend as an admin user - this allows testing that the endpoints work as expected, without testing the permissions layer.
At the same time, each "authsome-*" module could be the place to write tests that make calls to the backend using those permissions. There may be a need to tie together everything needed (i.e. schema, permissions, endpoints, tests) for a particular type of app (e.g. "blog") into a single module.
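
A sketch of the split proposed above, added here as an illustration and not taken from pubsweet-backend or any authsome module. Every name in it (makeAuthorizer, makeDeleteFragment, the blog-like mode, the sample data) is hypothetical.

```javascript
// Added illustration: all names are hypothetical, not the pubsweet or authsome API.

// Permission layer: an admin bypasses the mode entirely; every other user is
// decided by the pluggable mode (the role authsome / authsome-editoria play above).
function makeAuthorizer(mode) {
  return (user, action, object) =>
    Boolean(user && user.admin) || Boolean(mode(user, action, object));
}

// Endpoint logic with the authorizer injected, so it never imports a concrete mode.
function makeDeleteFragment(store, can) {
  return (user, id) => {
    const fragment = store.get(id);
    if (!fragment) return { status: 404 };
    if (!can(user, 'delete', fragment)) return { status: 403 };
    store.delete(id);
    return { status: 200, body: fragment };
  };
}

// Constructed sample data.
function sampleStore() {
  return new Map([['f1', { id: 'f1', owner: 'alice', title: 'Post' }]]);
}

// Backend-side test: the mode denies everything, yet an admin request still
// exercises the endpoint, so the result depends only on endpoint behaviour.
function backendEndpointTest() {
  const denyAll = () => false;
  const store = sampleStore();
  const del = makeDeleteFragment(store, makeAuthorizer(denyAll));
  const admin = { username: 'admin', admin: true };
  return [del(admin, 'f1').status, del(admin, 'f1').status, store.size];
}

// Mode-side test (would live in the "authsome-*" module): the allow and deny
// decisions are checked against the same endpoint with non-admin users.
function blogModeTest() {
  const blogMode = (user, action, object) =>
    action === 'delete' && user && object.owner === user.username;
  const del = makeDeleteFragment(sampleStore(), makeAuthorizer(blogMode));
  return [del({ username: 'bob' }, 'f1').status, del({ username: 'alice' }, 'f1').status];
}

console.log(backendEndpointTest(), blogModeTest());
```

With this split the 403 path is never reached by the backend-side tests, so the deny cases have to be covered by the mode-side tests.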