[FIX] Update user information not possible by admin if disabled to users (#11955)

pull/12044/head
Kai 7 years ago committed by Diego Sampaio
parent 7763d0b2f8
commit 6b0213b18f
  1. 10
      packages/rocketchat-lib/server/functions/saveUser.js
  2. 301
      tests/end-to-end/api/01-users.js

@ -179,35 +179,35 @@ RocketChat.saveUser = function(userId, userData) {
return _id; return _id;
} else { } else {
if (!RocketChat.settings.get('Accounts_AllowUserProfileChange')) { if (!RocketChat.settings.get('Accounts_AllowUserProfileChange') && !RocketChat.authz.hasPermission(userId, 'edit-other-user-info') && !RocketChat.authz.hasPermission(userId, 'edit-other-user-password')) {
throw new Meteor.Error('error-action-not-allowed', 'Edit user profile is not allowed', { throw new Meteor.Error('error-action-not-allowed', 'Edit user profile is not allowed', {
method: 'insertOrUpdateUser', method: 'insertOrUpdateUser',
action: 'Update_user', action: 'Update_user',
}); });
} }
if (userData.username && !RocketChat.settings.get('Accounts_AllowUsernameChange')) { if (userData.username && !RocketChat.settings.get('Accounts_AllowUsernameChange') && !RocketChat.authz.hasPermission(userId, 'edit-other-user-info')) {
throw new Meteor.Error('error-action-not-allowed', 'Edit username is not allowed', { throw new Meteor.Error('error-action-not-allowed', 'Edit username is not allowed', {
method: 'insertOrUpdateUser', method: 'insertOrUpdateUser',
action: 'Update_user', action: 'Update_user',
}); });
} }
if (userData.name && !RocketChat.settings.get('Accounts_AllowRealNameChange')) { if (userData.name && !RocketChat.settings.get('Accounts_AllowRealNameChange') && !RocketChat.authz.hasPermission(userId, 'edit-other-user-info')) {
throw new Meteor.Error('error-action-not-allowed', 'Edit user real name is not allowed', { throw new Meteor.Error('error-action-not-allowed', 'Edit user real name is not allowed', {
method: 'insertOrUpdateUser', method: 'insertOrUpdateUser',
action: 'Update_user', action: 'Update_user',
}); });
} }
if (userData.email && !RocketChat.settings.get('Accounts_AllowEmailChange')) { if (userData.email && !RocketChat.settings.get('Accounts_AllowEmailChange') && !RocketChat.authz.hasPermission(userId, 'edit-other-user-info')) {
throw new Meteor.Error('error-action-not-allowed', 'Edit user email is not allowed', { throw new Meteor.Error('error-action-not-allowed', 'Edit user email is not allowed', {
method: 'insertOrUpdateUser', method: 'insertOrUpdateUser',
action: 'Update_user', action: 'Update_user',
}); });
} }
if (userData.password && !RocketChat.settings.get('Accounts_AllowPasswordChange')) { if (userData.password && !RocketChat.settings.get('Accounts_AllowPasswordChange') && !RocketChat.authz.hasPermission(userId, 'edit-other-user-password')) {
throw new Meteor.Error('error-action-not-allowed', 'Edit user password is not allowed', { throw new Meteor.Error('error-action-not-allowed', 'Edit user password is not allowed', {
method: 'insertOrUpdateUser', method: 'insertOrUpdateUser',
action: 'Update_user', action: 'Update_user',
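Review bot: The profile gate on the first changed line of the hunk lets a caller holding only edit-other-user-password through when Accounts_AllowUserProfileChange is off, because the throw fires only when both permissions are absent; the username, name and email checks below each still demand edit-other-user-info, but any other field the function writes further down (the tests exercise `verified`) is then protected by nothing but that first check. If the intent is to let a password-only administrator reset passwords while profile changes are disabled, the bypass should be narrowed to requests that carry a password and nothing else, and the two hasPermission lookups are worth hoisting into locals instead of repeating them five times. The guard clauses and the else branch they sit in continue past the end of the hunk, so the fields written later are not visible here and the impact on them is an inference.
```javascript
const canEditInfo = RocketChat.authz.hasPermission(userId, 'edit-other-user-info');
const canEditPassword = RocketChat.authz.hasPermission(userId, 'edit-other-user-password');
// A password-only grant bypasses the profile gate only for a bare password reset;
// adjust the allowed keys to the identifier field the caller sets (assumed '_id').
const passwordOnlyUpdate = Object.keys(userData).every((key) => key === '_id' || key === 'password');
if (!RocketChat.settings.get('Accounts_AllowUserProfileChange') && !canEditInfo && !(canEditPassword && passwordOnlyUpdate)) {
	throw new Meteor.Error('error-action-not-allowed', 'Edit user profile is not allowed', {
		method: 'insertOrUpdateUser',
		action: 'Update_user',
	});
}
// … unchanged: username, name and email checks, each using canEditInfo in place of the repeated hasPermission call …
if (userData.password && !RocketChat.settings.get('Accounts_AllowPasswordChange') && !canEditPassword) {
```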

@ -234,6 +234,17 @@ describe('[Users]', function() {
}) })
.end(resolve); .end(resolve);
}); });
const updatePermission = (permission, roles) => new Promise((resolve) => {
request.post(api('permissions.update'))
.set(credentials)
.send({ permissions: [{ _id: permission, roles }] })
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(resolve);
});
before((done) => { before((done) => {
updateSetting('Accounts_AllowUserProfileChange', true) updateSetting('Accounts_AllowUserProfileChange', true)
.then(() => updateSetting('Accounts_AllowUsernameChange', true)) .then(() => updateSetting('Accounts_AllowUsernameChange', true))
@ -315,103 +326,223 @@ describe('[Users]', function() {
}); });
it('should return an error when trying update username and it is not allowed', (done) => { it('should return an error when trying update username and it is not allowed', (done) => {
updateSetting('Accounts_AllowUsernameChange', false) updatePermission('edit-other-user-info', ['user']).then(() => {
.then(() => { updateSetting('Accounts_AllowUsernameChange', false)
request.post(api('users.update')) .then(() => {
.set(credentials) request.post(api('users.update'))
.send({ .set(credentials)
userId: targetUser._id, .send({
data: { userId: targetUser._id,
username: 'fake.name', data: {
}, username: 'fake.name',
}) },
.expect('Content-Type', 'application/json') })
.expect(400) .expect('Content-Type', 'application/json')
.expect((res) => { .expect(400)
expect(res.body).to.have.property('success', false); .expect((res) => {
}) expect(res.body).to.have.property('success', false);
.end(done); })
}); .end(done);
});
});
});
it('should update the user name when the required permission is applied', (done) => {
updatePermission('edit-other-user-info', ['admin']).then(() => {
updateSetting('Accounts_AllowUsernameChange', false)
.then(() => {
request.post(api('users.update'))
.set(credentials)
.send({
userId: targetUser._id,
data: {
username: 'fake.name',
},
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(done);
});
});
}); });
it('should return an error when trying update user real name and it is not allowed', (done) => { it('should return an error when trying update user real name and it is not allowed', (done) => {
updateSetting('Accounts_AllowRealNameChange', false) updatePermission('edit-other-user-info', ['user']).then(() => {
.then(() => { updateSetting('Accounts_AllowRealNameChange', false)
request.post(api('users.update')) .then(() => {
.set(credentials) request.post(api('users.update'))
.send({ .set(credentials)
userId: targetUser._id, .send({
data: { userId: targetUser._id,
name: 'Fake name', data: {
}, name: 'Fake name',
}) },
.expect('Content-Type', 'application/json') })
.expect(400) .expect('Content-Type', 'application/json')
.expect((res) => { .expect(400)
expect(res.body).to.have.property('success', false); .expect((res) => {
}) expect(res.body).to.have.property('success', false);
.end(done); })
}); .end(done);
});
});
});
it('should update user real name when the required permission is applied', (done) => {
updatePermission('edit-other-user-info', ['admin']).then(() => {
updateSetting('Accounts_AllowRealNameChange', false)
.then(() => {
request.post(api('users.update'))
.set(credentials)
.send({
userId: targetUser._id,
data: {
name: 'Fake name',
},
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(done);
});
});
}); });
it('should return an error when trying update user email and it is not allowed', (done) => { it('should return an error when trying update user email and it is not allowed', (done) => {
updateSetting('Accounts_AllowEmailChange', false) updatePermission('edit-other-user-info', ['user']).then(() => {
.then(() => { updateSetting('Accounts_AllowEmailChange', false)
request.post(api('users.update')) .then(() => {
.set(credentials) request.post(api('users.update'))
.send({ .set(credentials)
userId: targetUser._id, .send({
data: { userId: targetUser._id,
email: 'itsnotworking@email.com', data: {
}, email: 'itsnotworking@email.com',
}) },
.expect('Content-Type', 'application/json') })
.expect(400) .expect('Content-Type', 'application/json')
.expect((res) => { .expect(400)
expect(res.body).to.have.property('success', false); .expect((res) => {
}) expect(res.body).to.have.property('success', false);
.end(done); })
}); .end(done);
});
});
});
it('should update user email when the required permission is applied', (done) => {
updatePermission('edit-other-user-info', ['admin']).then(() => {
updateSetting('Accounts_AllowEmailChange', false)
.then(() => {
request.post(api('users.update'))
.set(credentials)
.send({
userId: targetUser._id,
data: {
email: apiEmail,
},
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(done);
});
});
}); });
it('should return an error when trying update user password and it is not allowed', (done) => { it('should return an error when trying update user password and it is not allowed', (done) => {
updateSetting('Accounts_AllowPasswordChange', false) updatePermission('edit-other-user-password', ['user']).then(() => {
.then(() => { updateSetting('Accounts_AllowPasswordChange', false)
request.post(api('users.update')) .then(() => {
.set(credentials) request.post(api('users.update'))
.send({ .set(credentials)
userId: targetUser._id, .send({
data: { userId: targetUser._id,
password: 'itsnotworking', data: {
}, password: 'itsnotworking',
}) },
.expect('Content-Type', 'application/json') })
.expect(400) .expect('Content-Type', 'application/json')
.expect((res) => { .expect(400)
expect(res.body).to.have.property('success', false); .expect((res) => {
}) expect(res.body).to.have.property('success', false);
.end(done); })
}); .end(done);
});
});
});
it('should update user password when the required permission is applied', (done) => {
updatePermission('edit-other-user-password', ['admin']).then(() => {
updateSetting('Accounts_AllowPasswordChange', false)
.then(() => {
request.post(api('users.update'))
.set(credentials)
.send({
userId: targetUser._id,
data: {
password: 'itsnotworking',
},
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(done);
});
});
}); });
it('should return an error when trying update profile and it is not allowed', (done) => { it('should return an error when trying update profile and it is not allowed', (done) => {
updateSetting('Accounts_AllowUserProfileChange', false) updatePermission('edit-other-user-info', ['user']).then(() => {
.then(() => { updateSetting('Accounts_AllowUserProfileChange', false)
request.post(api('users.update')) .then(() => {
.set(credentials) request.post(api('users.update'))
.send({ .set(credentials)
userId: targetUser._id, .send({
data: { userId: targetUser._id,
verified: true, data: {
}, verified: true,
}) },
.expect('Content-Type', 'application/json') })
.expect(400) .expect('Content-Type', 'application/json')
.expect((res) => { .expect(400)
expect(res.body).to.have.property('success', false); .expect((res) => {
}) expect(res.body).to.have.property('success', false);
.end(done); })
}); .end(done);
});
});
});
it('should update profile when the required permission is applied', (done) => {
updatePermission('edit-other-user-info', ['admin']).then(() => {
updateSetting('Accounts_AllowUserProfileChange', false)
.then(() => {
request.post(api('users.update'))
.set(credentials)
.send({
userId: targetUser._id,
data: {
verified: true,
},
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect((res) => {
expect(res.body).to.have.property('success', true);
})
.end(done);
});
});
}); });
}); });
