authorChocobozzz <florian.bigard@gmail.com>2017-11-29 13:18:05 +0100
committerChocobozzz <florian.bigard@gmail.com>2017-11-29 13:18:05 +0100
commit86d13ec2aa94ec10810ddf9c8b33314bd4968791 (patch)
tree5c4175325362df2a92e367dc4077e53a700bfbad
parent165cdc75bf1942ed687f78094c2bd366839a7c99 (diff)
Users list only available when user is authenticated
And has a special right
-rw-r--r--server.ts2
-rw-r--r--server/controllers/api/users.ts2
-rw-r--r--server/tests/api/check-params/users.ts20
-rw-r--r--server/tests/api/users.ts14
-rw-r--r--server/tests/utils/users.ts6
5 files changed, 35 insertions, 9 deletions
diff --git a/server.ts b/server.ts
index 0e963c3d3..3221c1790 100644
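--- a/server.ts
+++ b/server.ts
@@ -77,7 +77,7 @@ app.use(morgan('combined', {
 }))
 // For body requests
 app.use(bodyParser.json({
- type: 'application/*+json',
+ type: [ 'application/json', 'application/*+json' ],
  limit: '500kb'
 }))
 app.use(bodyParser.urlencoded({ extended: false }))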
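Review bot: The widened `type` list on the `bodyParser.json` call is not covered by the commit message, which only talks about restricting the users list, and nothing in the hunk records why plain `application/json` bodies now need to be parsed. Because this changes which requests reach the route validators with a parsed body, I would either move it to its own commit or add a comment above the option, for example `// Accept plain application/json as well as application/*+json bodies`. The `limit: '500kb'` cap on the next line still applies to both media types.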
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index 721b23301..f9b871724 100644
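--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -48,6 +48,8 @@ usersRouter.get('/me/videos/:videoId/rating',
 )
 
 usersRouter.get('/',
+ authenticate,
+ ensureUserHasRight(UserRight.MANAGE_USERS),
  paginationValidator,
  usersSortValidator,
  setUsersSort,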
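Review bot: The two guards are attached to this single route by hand, so nothing here prevents a sibling route on `usersRouter` that also returns user records from staying open; the rest of the router is outside the hunk, so that should be checked before merge. Placing `authenticate` and `ensureUserHasRight(UserRight.MANAGE_USERS)` ahead of `paginationValidator` is the right order, since unauthenticated callers are rejected before any query parsing. I would add a comment above the route, `// Listing users exposes account data: authenticated callers with MANAGE_USERS only`, so the restriction is not dropped in a later refactor. The route definition continues past the end of the hunk.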
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts
index 578fece49..1e3533bf3 100644
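--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
@@ -67,6 +67,7 @@ describe('Test users API validators', function () {
  .get(path)
  .query({ start: 'hello' })
  .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + server.accessToken)
  .expect(400)
  })
 
@@ -75,6 +76,7 @@ describe('Test users API validators', function () {
  .get(path)
  .query({ count: 'hello' })
  .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + server.accessToken)
  .expect(400)
  })
 
@@ -83,8 +85,24 @@ describe('Test users API validators', function () {
  .get(path)
  .query({ sort: 'hello' })
  .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + server.accessToken)
  .expect(400)
  })
+
+ it('Should fail with a non authenticated user', async function () {
+ await request(server.url)
+ .get(path)
+ .set('Accept', 'application/json')
+ .expect(401)
+ })
+
+ it('Should fail with a non admin user', async function () {
+ await request(server.url)
+ .get(path)
+ .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + userAccessToken)
+ .expect(403)
+ })
  })
 
  describe('When adding a new user', function () {
@@ -354,7 +372,7 @@ describe('Test users API validators', function () {
  describe('When updating a user', function () {
 
  before(async function () {
- const res = await getUsersList(server.url)
+ const res = await getUsersList(server.url, server.accessToken)
 
  userId = res.body.data[1].id
  rootId = res.body.data[2].id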
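Review bot: The new 403 case at new line 103 sends `userAccessToken`, but no assignment of that variable is visible in these hunks; if it is only set in a later `before` block, the request would carry `Bearer undefined` and be rejected as unauthenticated rather than exercising the right check. Please confirm it is assigned in the top-level setup before this `describe` runs. The 401 case covers only a missing header, so a second case with a malformed token, `.set('Authorization', 'Bearer invalid')` followed by `.expect(401)`, would pin the unauthenticated path more tightly. The enclosing `describe` blocks start and end outside the hunks.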
diff --git a/server/tests/api/users.ts b/server/tests/api/users.ts
index 5c0531571..33646e84f 100644
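--- a/server/tests/api/users.ts
+++ b/server/tests/api/users.ts
@@ -1,4 +1,5 @@
 /* tslint:disable:no-unused-expression */
+
 import * as chai from 'chai'
 import 'mocha'
 import { UserRole } from '../../../shared'
@@ -28,6 +29,7 @@ import {
 } from '../utils'
 import { follow } from '../utils/follows'
 import { getMyVideos } from '../utils/videos'
+import { setAccessTokensToServers } from '../utils/login'
 
 const expect = chai.expect
 
@@ -43,6 +45,8 @@ describe('Test users', function () {
 
  await flushTests()
  server = await runServer(1)
+
+ await setAccessTokensToServers([ server ])
  })
 
  it('Should create a new client')
@@ -242,7 +246,7 @@ describe('Test users', function () {
  })
 
  it('Should list all the users', async function () {
- const res = await getUsersList(server.url)
+ const res = await getUsersList(server.url, server.accessToken)
  const result = res.body
  const total = result.total
  const users = result.data
@@ -280,7 +284,7 @@ describe('Test users', function () {
  })
 
  it('Should list only the first user by username asc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 1, 'username')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, 'username')
 
  const result = res.body
  const total = result.total
@@ -307,7 +311,7 @@ describe('Test users', function () {
  })
 
  it('Should list only the first user by username desc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-username')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-username')
  const result = res.body
  const total = result.total
  const users = result.data
@@ -330,7 +334,7 @@ describe('Test users', function () {
  })
 
  it('Should list only the second user by createdAt desc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-createdAt')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-createdAt')
  const result = res.body
  const total = result.total
  const users = result.data
@@ -353,7 +357,7 @@ describe('Test users', function () {
  })
 
  it('Should list all the users by createdAt asc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 2, 'createdAt')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 2, 'createdAt')
  const result = res.body
  const total = result.total
  const users = result.data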
diff --git a/server/tests/utils/users.ts b/server/tests/utils/users.ts
index 12569dd42..ce04b9d96 100644
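--- a/server/tests/utils/users.ts
+++ b/server/tests/utils/users.ts
@@ -76,17 +76,18 @@ function getUserVideoRating (url: string, accessToken: string, videoId: number)
  .expect('Content-Type', /json/)
 }
 
-function getUsersList (url: string) {
+function getUsersList (url: string, accessToken: string) {
  const path = '/api/v1/users'
 
  return request(url)
  .get(path)
  .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + accessToken)
  .expect(200)
  .expect('Content-Type', /json/)
 }
 
-function getUsersListPaginationAndSort (url: string, start: number, count: number, sort: string) {
+function getUsersListPaginationAndSort (url: string, accessToken: string, start: number, count: number, sort: string) {
  const path = '/api/v1/users'
 
  return request(url)
@@ -95,6 +96,7 @@ function getUsersListPaginationAndSort (url: string, start: number, count: numbe
  .query({ count })
  .query({ sort })
  .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + accessToken)
  .expect(200)
  .expect('Content-Type', /json/)
 }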
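Review bot: Both helpers still hard-code `.expect(200)`, so the new 401 and 403 cases in check-params cannot reuse them and have to rebuild the request by hand. An optional trailing parameter would keep existing callers working: `function getUsersList (url: string, accessToken: string, expectedStatus = 200)` with `.expect(expectedStatus)`, and the same for `getUsersListPaginationAndSort`. Inserting `accessToken` as the second positional argument shifts `start`, `count` and `sort`; the call sites visible in this commit are updated, and the string/number type difference should make the compiler flag any that were missed. The part of `getUsersListPaginationAndSort` between the two hunks is not shown.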