apitech
/
wekan
mirror of https://github.com/wekan/wekan
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The Open Source kanban (built with Meteor). Keep variable/table/field names camelCase. For translations, only add Pull Request changes to wekan/i18n/en.i18n.json , other translations are done at https://transifex.com/wekan/wekan only.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12809 Commits
2 Branches
844 Tags
86 MiB
 
 
 
 
 
 
Tag: Branch: Tree: main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
wekan/server/lib/tests/users.security.tests.js

43 lines
2.1 KiB
Raw Permalink Blame History

/* eslint-env mocha */
import { expect } from 'chai';
import { isUserUpdateAllowed, hasForbiddenUserUpdateField } from '/models/users';
describe('users security', function() {
describe('isUserUpdateAllowed', function() {
it('allows username update', function() {
expect(isUserUpdateAllowed(['username'])).to.equal(true);
});
it('allows profile updates', function() {
expect(isUserUpdateAllowed(['profile.fullname'])).to.equal(true);
expect(isUserUpdateAllowed(['profile.avatarUrl', 'profile.language'])).to.equal(true);
});
it('denies other top-level fields', function() {
expect(isUserUpdateAllowed(['orgs'])).to.equal(false);
expect(isUserUpdateAllowed(['teams'])).to.equal(false);
expect(isUserUpdateAllowed(['loginDisabled'])).to.equal(false);
expect(isUserUpdateAllowed(['authenticationMethod'])).to.equal(false);
expect(isUserUpdateAllowed(['services'])).to.equal(false);
expect(isUserUpdateAllowed(['emails'])).to.equal(false);
expect(isUserUpdateAllowed(['isAdmin'])).to.equal(false);
});
});
describe('hasForbiddenUserUpdateField', function() {
it('flags forbidden sensitive fields', function() {
expect(hasForbiddenUserUpdateField(['orgs'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['teams'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['loginDisabled'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['authenticationMethod'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['services.facebook'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['emails.0.verified'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['roles'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['isAdmin'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['createdThroughApi'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['sessionData.totalHits'])).to.equal(true);
});
it('does not flag allowed fields', function() {
expect(hasForbiddenUserUpdateField(['username'])).to.equal(false);
expect(hasForbiddenUserUpdateField(['profile.fullname'])).to.equal(false);
});
});
});