[FIX] Add ENV VAR to enable users create token feature (#15334)

7 years ago · 8bce966d12
parent f2f73afa48
commit 8bce966d12
2 changed files with 1 additions and 124 deletions
--- a/app/lib/server/methods/createToken.js
+++ b/app/lib/server/methods/createToken.js
@ -5,7 +5,7 @@ import { hasPermission } from '../../../authorization';

 Meteor.methods({
 	createToken(userId) {
-		if (Meteor.userId() !== userId && !hasPermission(Meteor.userId(), 'user-generate-access-token')) {
+		if (!['yes', 'true'].includes(process.env.CREATE_TOKENS_FOR_USERS) || (Meteor.userId() !== userId && !hasPermission(Meteor.userId(), 'user-generate-access-token'))) {
 			throw new Meteor.Error('error-not-authorized', 'Not authorized', { method: 'createToken' });
 		}
 		const token = Accounts._generateStampedLoginToken();
--- a/tests/end-to-end/api/01-users.js
+++ b/tests/end-to-end/api/01-users.js
@ -1005,129 +1005,6 @@ describe('[Users]', function() {
 		});
 	});

-	describe('[/users.createToken]', () => {
-		let user;
-		beforeEach((done) => {
-			const username = `user.test.${ Date.now() }`;
-			const email = `${ username }@rocket.chat`;
-			request.post(api('users.create'))
-				.set(credentials)
-				.send({ email, name: username, username, password })
-				.end((err, res) => {
-					user = res.body.user;
-					done();
-				});
-		});
-
-		let userCredentials;
-		beforeEach((done) => {
-			request.post(api('login'))
-				.send({
-					user: user.username,
-					password,
-				})
-				.expect('Content-Type', 'application/json')
-				.expect(200)
-				.expect((res) => {
-					userCredentials = {};
-					userCredentials['X-Auth-Token'] = res.body.data.authToken;
-					userCredentials['X-User-Id'] = res.body.data.userId;
-				})
-				.end(done);
-		});
-		afterEach((done) => {
-			request.post(api('users.delete')).set(credentials).send({
-				userId: user._id,
-			}).end(done);
-			user = undefined;
-		});
-
-		describe('logged as admin:', () => {
-			it('should return the user id and a new token', (done) => {
-				request.post(api('users.createToken'))
-					.set(credentials)
-					.send({
-						username: user.username,
-					})
-					.expect('Content-Type', 'application/json')
-					.expect(200)
-					.expect((res) => {
-						expect(res.body).to.have.property('success', true);
-						expect(res.body).to.have.nested.property('data.userId', user._id);
-						expect(res.body).to.have.nested.property('data.authToken');
-					})
-					.end(done);
-			});
-		});
-
-		describe('logged as itself:', () => {
-			it('should return the user id and a new token', (done) => {
-				request.post(api('users.createToken'))
-					.set(userCredentials)
-					.send({
-						username: user.username,
-					})
-					.expect('Content-Type', 'application/json')
-					.expect(200)
-					.expect((res) => {
-						expect(res.body).to.have.property('success', true);
-						expect(res.body).to.have.nested.property('data.userId', user._id);
-						expect(res.body).to.have.nested.property('data.authToken');
-					})
-					.end(done);
-			});
-		});
-
-		describe('As an user not allowed:', () => {
-			it('should return 401 unauthorized', (done) => {
-				request.post(api('users.createToken'))
-					.set(userCredentials)
-					.send({
-						username: 'rocket.cat',
-					})
-					.expect('Content-Type', 'application/json')
-					.expect(400)
-					.expect((res) => {
-						expect(res.body).to.have.property('errorType');
-						expect(res.body).to.have.property('error');
-					})
-					.end(done);
-			});
-		});
-
-		describe('Not logged in:', () => {
-			it('should return 401 unauthorized', (done) => {
-				request.post(api('users.createToken'))
-					.send({
-						username: user.username,
-					})
-					.expect('Content-Type', 'application/json')
-					.expect(401)
-					.expect((res) => {
-						expect(res.body).to.have.property('message');
-					})
-					.end(done);
-			});
-		});
-
-		describe('Testing if the returned token is valid:', () => {
-			it('should return 200', (done) => request.post(api('users.createToken'))
-				.set(credentials)
-				.send({ username: user.username })
-				.expect('Content-Type', 'application/json')
-				.end((err, res) => (err ? done()
-					: request.get(api('me'))
-						.set({ 'X-Auth-Token': `${ res.body.data.authToken }`, 'X-User-Id': res.body.data.userId })
-						.expect(200)
-						.expect((res) => {
-							expect(res.body).to.have.property('success', true);
-						})
-						.end(done))
-				)
-			);
-		});
-	});
-
 	describe('[/users.setPreferences]', () => {
 		it('should return an error when the user try to update info of another user and does not have the necessary permission', (done) => {
 			const userPreferences = {