Merge pull request #4831 from jaswilli/edit-user

Fix up users API so admin role can edit owner
This commit is contained in:
Hannah Wolfe 2015-01-23 22:55:08 +01:00
commit 3c86f67fca
2 changed files with 49 additions and 24 deletions


@ -150,35 +150,40 @@ users = {
// Check permissions // Check permissions
return canThis(options.context).edit.user(options.id).then(function () { return canThis(options.context).edit.user(options.id).then(function () {
if (data.users[0].roles && data.users[0].roles[0]) { // if roles aren't in the payload, proceed with the edit
var role = data.users[0].roles[0], if (!(data.users[0].roles && data.users[0].roles[0])) {
roleId = parseInt(role.id || role, 10); return editOperation();
}
return dataProvider.User.findOne( var role = data.users[0].roles[0],
{id: options.context.user, status: 'all'}, {include: ['roles']} roleId = parseInt(role.id || role, 10),
).then(function (contextUser) { editedUserId = parseInt(options.id, 10);
var contextRoleId = contextUser.related('roles').toJSON()[0].id;
if (roleId !== contextRoleId && return dataProvider.User.findOne(
parseInt(options.id, 10) === parseInt(options.context.user, 10)) { {id: options.context.user, status: 'all'}, {include: ['roles']}
return Promise.reject(new errors.NoPermissionError('You cannot change your own role.')); ).then(function (contextUser) {
} else if (roleId !== contextRoleId) { var contextRoleId = contextUser.related('roles').toJSON()[0].id;
return dataProvider.User.findOne({role: 'Owner'}).then(function (result) {
if (parseInt(result.id, 10) !== parseInt(options.id, 10)) { if (roleId !== contextRoleId && editedUserId === contextUser.id) {
return canThis(options.context).assign.role(role).then(function () { return Promise.reject(new errors.NoPermissionError('You cannot change your own role.'));
return editOperation(); }
});
} else { return dataProvider.User.findOne({role: 'Owner'}).then(function (owner) {
return Promise.reject(new errors.NoPermissionError('There has to be one owner.')); if (contextUser.id !== owner.id) {
if (editedUserId === owner.id) {
if (owner.related('roles').at(0).id !== roleId) {
return Promise.reject(new errors.NoPermissionError('Cannot change Owner\'s role.'));
} }
}); } else if (roleId !== contextRoleId) {
return canThis(options.context).assign.role(role).then(function () {
return editOperation();
});
}
} }
return editOperation(); return editOperation();
}); });
} });
return editOperation();
}); });
}).catch(function (error) { }).catch(function (error) {
return errors.handleAPIError(error, 'You do not have permission to edit this user'); return errors.handleAPIError(error, 'You do not have permission to edit this user');
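Review bot: Only `data.users[0].roles[0]` is permission-checked, yet `roles` is an array; if editOperation (defined before this hunk) persists every entry, a payload with a permitted role first and a more privileged one second passes the `assign.role` check but is still saved with the second role. Either reject multi-role payloads up front, `if (data.users[0].roles.length > 1) { return Promise.reject(new errors.NoPermissionError('Only one role may be assigned.')); }`, or run the check for each entry. Separately, the second lookup `dataProvider.User.findOne({role: 'Owner'})` does not pass `{include: ['roles']}` the way the first lookup does, so `owner.related('roles').at(0)` may be undefined and throw a TypeError unless the model loads roles by default — worth confirming. Note also that the `assign.role` check is skipped whenever `roleId === contextRoleId`, so a non-owner granting their own role to another user is never checked against the permission table; if that is intended it deserves a comment, e.g. `// same-role assignment is assumed to be covered by edit.user`. The enclosing edit function starts before the hunk.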


@ -219,7 +219,7 @@ describe('Users API', function () {
}).catch(done); }).catch(done);
}); });
it('Admin can edit all roles', function (done) { it('Admin can edit all users in all roles', function (done) {
UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.owner})) UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
.then(function (response) { .then(function (response) {
checkEditResponse(response); checkEditResponse(response);
@ -239,6 +239,26 @@ describe('Users API', function () {
}).catch(done); }).catch(done);
}); });
it('Admin can edit all users in all roles with roles in payload', function (done) {
UserAPI.edit({users: [{name: newName, roles: [roleIdFor.owner]}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
.then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.admin]}]}, _.extend({}, context.admin, {id: userIdFor.admin}));
}).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.editor]}]}, _.extend({}, context.admin, {id: userIdFor.editor}));
}).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.author]}]}, _.extend({}, context.admin, {id: userIdFor.author}));
}).then(function (response) {
checkEditResponse(response);
done();
}).catch(done);
});
it('Editor CANNOT edit Owner, Admin or Editor roles', function (done) { it('Editor CANNOT edit Owner, Admin or Editor roles', function (done) {
// Cannot edit Owner // Cannot edit Owner
UserAPI.edit( UserAPI.edit(
@ -889,7 +909,7 @@ describe('Users API', function () {
}).catch(function (error) { }).catch(function (error) {
error.type.should.eql('NoPermissionError'); error.type.should.eql('NoPermissionError');
done(); done();
}); }).catch(done);
}); });
}); });
}); });
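Review bot: The new test `it('Admin can edit all users in all roles with roles in payload', ...)` covers only the allowed path; the `'Cannot change Owner\'s role.'` rejection this pull request introduces (an Admin sending a non-Owner role id for the owner) is not exercised here, so a regression in that branch would go unnoticed unless a test elsewhere in the file covers it. A companion case such as `UserAPI.edit({users: [{name: newName, roles: [roleIdFor.admin]}]}, _.extend({}, context.admin, {id: userIdFor.owner}))` followed by `error.type.should.eql('NoPermissionError')` in the catch handler would pin it. The `.catch(done)` added in the last hunk is the right fix for a failing `should` assertion inside the catch handler hanging the test until timeout; the same `}).catch(function (error) { ... done(); });` shape likely appears in other tests of this file and may need the same treatment.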