add test for non org manager/owner updates to org team

Author: kamicut

app/tests/permissions/initialization.js

@@ -52,6 +52,11 @@ async function initializeContext (t) {
     sub: '101'
   })
 
+  introspectStub.withArgs('user102').returns({
+    active: true,
+    sub: '102'
+  })
+
   introspectStub.withArgs('invalidToken').returns({ active: false })
 
   // Initialize context objects

app/tests/permissions/update-team.test.js

@@ -39,6 +39,32 @@ test('a non-team moderator cannot update a team', async t => {
   t.is(res2.status, 401)
 })
 
+test('an org team cannot be updated by non-org user', async t => {
+  // Let's create an organization, user100 is the owner
+  const res = await t.context.agent.post('/api/organizations')
+    .send({ name: 'org team cannot be updated by non-org user' })
+    .set('Authorization', 'Bearer user100')
+    .expect(200)
+
+  // Let's set user101 to be a manager of this organization and create a
+  // team in the organization
+  await t.context.agent.put(`/api/organizations/${res.body.id}/addManager/101`)
+    .set('Authorization', 'Bearer user100')
+    .expect(200)
+
+  const res2 = await t.context.agent.post(`/api/organizations/${res.body.id}/teams`)
+    .send({ name: 'org team cannot be updated by non-org user - team' })
+    .set('Authorization', 'Bearer user101')
+    .expect(200)
+
+  // Use a different user from 101 or 100 to update the team
+  const res3 = await t.context.agent.put(`/api/teams/${res2.body.id}`)
+    .send({ name: 'org team cannot be updated by non-org user - team2' })
+    .set('Authorization', 'Bearer user102')
+
+  t.is(res3.status, 401)
+})
+
 test('an org team can be updated by the the org manager', async t => {
   // Let's create an organization, user100 is the owner
   const res = await t.context.agent.post('/api/organizations')