Moderators can only manage users

author: Chocobozzz <me@florianbigard.com> 2019-07-30 09:59:19 +0200
committer: Chocobozzz <me@florianbigard.com> 2019-07-30 09:59:19 +0200
commit: a95a4cc89155f448e6f9ca0957170f3c72a9d964 (patch)
tree: f390fa3eccef0991db5694ef58d6716228a7f67a /server/tests/api/check-params/users.ts
parent: dc8902634864841be7ca483b8e1c0f5afa609c32 (diff)
download: PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.tar.gz
PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.tar.zst
PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.zip
1 files changed, 136 insertions, 30 deletions
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts
index 5b788e328..939b919ed 100644
--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
@@ -3,7 +3,7 @@
 import { omit } from 'lodash'
 import 'mocha'
 import { join } from 'path'
-import { UserRole, VideoImport, VideoImportState } from '../../../../shared'
+import { User, UserRole, VideoImport, VideoImportState } from '../../../../shared'
 import {
  addVideoChannel,
@@ -44,35 +44,79 @@ describe('Test users API validators', function () {
  const path = '/api/v1/users/'
  let userId: number
  let rootId: number
+  let moderatorId: number
  let videoId: number
  let server: ServerInfo
  let serverWithRegistrationDisabled: ServerInfo
  let userAccessToken = ''
+  let moderatorAccessToken = ''
  let channelId: number
-  const user = {
-    username: 'user1',
-    password: 'my super password'
-  }
  // ---------------------------------------------------------------
  before(async function () {
    this.timeout(30000)
-    server = await flushAndRunServer(1)
+    {
-    serverWithRegistrationDisabled = await flushAndRunServer(2)
+      const res = await Promise.all([
+        flushAndRunServer(1, { signup: { limit: 7 } }),
+        flushAndRunServer(2)
+      ])
-    await setAccessTokensToServers([ server ])
+      server = res[0]
+      serverWithRegistrationDisabled = res[1]
-    const videoQuota = 42000000
+      await setAccessTokensToServers([ server ])
-    await createUser({
+    }
-      url: server.url,
-      accessToken: server.accessToken,
+    {
-      username: user.username,
+      const user = {
-      password: user.password,
+        username: 'user1',
-      videoQuota: videoQuota
+        password: 'my super password'
-    })
+      }
-    userAccessToken = await userLogin(server, user)
+      const videoQuota = 42000000
+      await createUser({
+        url: server.url,
+        accessToken: server.accessToken,
+        username: user.username,
+        password: user.password,
+        videoQuota: videoQuota
+      })
+      userAccessToken = await userLogin(server, user)
+    }
+    {
+      const moderator = {
+        username: 'moderator1',
+        password: 'super password'
+      }
+      await createUser({
+        url: server.url,
+        accessToken: server.accessToken,
+        username: moderator.username,
+        password: moderator.password,
+        role: UserRole.MODERATOR
+      })
+      moderatorAccessToken = await userLogin(server, moderator)
+    }
+    {
+      const moderator = {
+        username: 'moderator2',
+        password: 'super password'
+      }
+      await createUser({
+        url: server.url,
+        accessToken: server.accessToken,
+        username: moderator.username,
+        password: moderator.password,
+        role: UserRole.MODERATOR
+      })
+    }
    {
      const res = await getMyUserInformation(server.url, server.accessToken)
@@ -83,6 +127,15 @@ describe('Test users API validators', function () {
      const res = await uploadVideo(server.url, server.accessToken, {})
      videoId = res.body.video.id
    }
+    {
+      const res = await getUsersList(server.url, server.accessToken)
+      const users: User[] = res.body.data
+      userId = users.find(u => u.username === 'user1').id
+      rootId = users.find(u => u.username === 'root').id
+      moderatorId = users.find(u => u.username === 'moderator2').id
+    }
  })
  describe('When listing users', function () {
@@ -251,6 +304,32 @@ describe('Test users API validators', function () {
      })
    })
+    it('Should fail to create a moderator or an admin with a moderator', async function () {
+      for (const role of [ UserRole.MODERATOR, UserRole.ADMINISTRATOR ]) {
+        const fields = immutableAssign(baseCorrectParams, { role })
+        await makePostBodyRequest({
+          url: server.url,
+          path,
+          token: moderatorAccessToken,
+          fields,
+          statusCodeExpected: 403
+        })
+      }
+    })
+    it('Should succeed to create a user with a moderator', async function () {
+      const fields = immutableAssign(baseCorrectParams, { username: 'a4656', email: 'a4656@example.com', role: UserRole.USER })
+      await makePostBodyRequest({
+        url: server.url,
+        path,
+        token: moderatorAccessToken,
+        fields,
+        statusCodeExpected: 200
+      })
+    })
    it('Should succeed with the correct params', async function () {
      await makePostBodyRequest({
        url: server.url,
@@ -468,11 +547,6 @@ describe('Test users API validators', function () {
  })
  describe('When getting a user', function () {
-    before(async function () {
-      const res = await getUsersList(server.url, server.accessToken)
-      userId = res.body.data[1].id
-    })
    it('Should fail with an non authenticated user', async function () {
      await makeGetRequest({ url: server.url, path: path + userId, token: 'super token', statusCodeExpected: 401 })
@@ -489,13 +563,6 @@ describe('Test users API validators', function () {
  describe('When updating a user', function () {
-    before(async function () {
-      const res = await getUsersList(server.url, server.accessToken)
-      userId = res.body.data[1].id
-      rootId = res.body.data[2].id
-    })
    it('Should fail with an invalid email attribute', async function () {
      const fields = {
        email: 'blabla'
@@ -565,7 +632,35 @@ describe('Test users API validators', function () {
    it('Should fail with invalid admin flags', async function () {
      const fields = { adminFlags: 'toto' }
-      await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
+      await makePutBodyRequest({ url: server.url, path, token: server.accessToken, fields })
+    })
+    it('Should fail to update an admin with a moderator', async function () {
+      const fields = {
+        videoQuota: 42
+      }
+      await makePutBodyRequest({
+        url: server.url,
+        path: path + moderatorId,
+        token: moderatorAccessToken,
+        fields,
+        statusCodeExpected: 403
+      })
+    })
+    it('Should succeed to update a user with a moderator', async function () {
+      const fields = {
+        videoQuota: 42
+      }
+      await makePutBodyRequest({
+        url: server.url,
+        path: path + userId,
+        token: moderatorAccessToken,
+        fields,
+        statusCodeExpected: 204
+      })
    })
    it('Should succeed with the correct params', async function () {
@@ -664,6 +759,17 @@ describe('Test users API validators', function () {
      await blockUser(server.url, userId, userAccessToken, 403)
      await unblockUser(server.url, userId, userAccessToken, 403)
    })
+    it('Should fail on a moderator with a moderator', async function () {
+      await removeUser(server.url, moderatorId, moderatorAccessToken, 403)
+      await blockUser(server.url, moderatorId, moderatorAccessToken, 403)
+      await unblockUser(server.url, moderatorId, moderatorAccessToken, 403)
+    })
+    it('Should succeed on a user with a moderator', async function () {
+      await blockUser(server.url, userId, moderatorAccessToken)
+      await unblockUser(server.url, userId, moderatorAccessToken)
+    })
  })
  describe('When deleting our account', function () {
author	Chocobozzz <me@florianbigard.com>	2019-07-30 09:59:19 +0200
committer	Chocobozzz <me@florianbigard.com>	2019-07-30 09:59:19 +0200
commit	a95a4cc89155f448e6f9ca0957170f3c72a9d964 (patch)
tree	f390fa3eccef0991db5694ef58d6716228a7f67a /server/tests/api/check-params/users.ts
parent	dc8902634864841be7ca483b8e1c0f5afa609c32 (diff)
download	PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.tar.gz PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.tar.zst PeerTube-a95a4cc89155f448e6f9ca0957170f3c72a9d964.zip

diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts index 5b788e328..939b919ed 100644 --- a/server/tests/api/check-params/users.ts +++ b/server/tests/api/check-params/users.ts
@@ -3,7 +3,7 @@
3	import { omit } from 'lodash'	3	import { omit } from 'lodash'
4	import 'mocha'	4	import 'mocha'
5	import { join } from 'path'	5	import { join } from 'path'
6	import { UserRole, VideoImport, VideoImportState } from '../../../../shared'	6	import { User, UserRole, VideoImport, VideoImportState } from '../../../../shared'
7		7
8	import {	8	import {
9	addVideoChannel,	9	addVideoChannel,
@@ -44,35 +44,79 @@ describe('Test users API validators', function () {
44	const path = '/api/v1/users/'	44	const path = '/api/v1/users/'
45	let userId: number	45	let userId: number
46	let rootId: number	46	let rootId: number
		47	let moderatorId: number
47	let videoId: number	48	let videoId: number
48	let server: ServerInfo	49	let server: ServerInfo
49	let serverWithRegistrationDisabled: ServerInfo	50	let serverWithRegistrationDisabled: ServerInfo
50	let userAccessToken = ''	51	let userAccessToken = ''
		52	let moderatorAccessToken = ''
51	let channelId: number	53	let channelId: number
52	const user = {
53	username: 'user1',
54	password: 'my super password'
55	}
56		54
57	// ---------------------------------------------------------------	55	// ---------------------------------------------------------------
58		56
59	before(async function () {	57	before(async function () {
60	this.timeout(30000)	58	this.timeout(30000)
61		59
62	server = await flushAndRunServer(1)	60	{
63	serverWithRegistrationDisabled = await flushAndRunServer(2)	61	const res = await Promise.all([
		62	flushAndRunServer(1, { signup: { limit: 7 } }),
		63	flushAndRunServer(2)
		64	])
64		65
65	await setAccessTokensToServers([ server ])	66	server = res[0]
		67	serverWithRegistrationDisabled = res[1]
66		68
67	const videoQuota = 42000000	69	await setAccessTokensToServers([ server ])
68	await createUser({	70	}
69	url: server.url,	71
70	accessToken: server.accessToken,	72	{
71	username: user.username,	73	const user = {
72	password: user.password,	74	username: 'user1',
73	videoQuota: videoQuota	75	password: 'my super password'
74	})	76	}
75	userAccessToken = await userLogin(server, user)	77
		78	const videoQuota = 42000000
		79	await createUser({
		80	url: server.url,
		81	accessToken: server.accessToken,
		82	username: user.username,
		83	password: user.password,
		84	videoQuota: videoQuota
		85	})
		86	userAccessToken = await userLogin(server, user)
		87	}
		88
		89	{
		90	const moderator = {
		91	username: 'moderator1',
		92	password: 'super password'
		93	}
		94
		95	await createUser({
		96	url: server.url,
		97	accessToken: server.accessToken,
		98	username: moderator.username,
		99	password: moderator.password,
		100	role: UserRole.MODERATOR
		101	})
		102
		103	moderatorAccessToken = await userLogin(server, moderator)
		104	}
		105
		106	{
		107	const moderator = {
		108	username: 'moderator2',
		109	password: 'super password'
		110	}
		111
		112	await createUser({
		113	url: server.url,
		114	accessToken: server.accessToken,
		115	username: moderator.username,
		116	password: moderator.password,
		117	role: UserRole.MODERATOR
		118	})
		119	}
76		120
77	{	121	{
78	const res = await getMyUserInformation(server.url, server.accessToken)	122	const res = await getMyUserInformation(server.url, server.accessToken)
@@ -83,6 +127,15 @@ describe('Test users API validators', function () {
83	const res = await uploadVideo(server.url, server.accessToken, {})	127	const res = await uploadVideo(server.url, server.accessToken, {})
84	videoId = res.body.video.id	128	videoId = res.body.video.id
85	}	129	}
		130
		131	{
		132	const res = await getUsersList(server.url, server.accessToken)
		133	const users: User[] = res.body.data
		134
		135	userId = users.find(u => u.username === 'user1').id
		136	rootId = users.find(u => u.username === 'root').id
		137	moderatorId = users.find(u => u.username === 'moderator2').id
		138	}
86	})	139	})
87		140
88	describe('When listing users', function () {	141	describe('When listing users', function () {
@@ -251,6 +304,32 @@ describe('Test users API validators', function () {
251	})	304	})
252	})	305	})
253		306
		307	it('Should fail to create a moderator or an admin with a moderator', async function () {
		308	for (const role of [ UserRole.MODERATOR, UserRole.ADMINISTRATOR ]) {
		309	const fields = immutableAssign(baseCorrectParams, { role })
		310
		311	await makePostBodyRequest({
		312	url: server.url,
		313	path,
		314	token: moderatorAccessToken,
		315	fields,
		316	statusCodeExpected: 403
		317	})
		318	}
		319	})
		320
		321	it('Should succeed to create a user with a moderator', async function () {
		322	const fields = immutableAssign(baseCorrectParams, { username: 'a4656', email: 'a4656@example.com', role: UserRole.USER })
		323
		324	await makePostBodyRequest({
		325	url: server.url,
		326	path,
		327	token: moderatorAccessToken,
		328	fields,
		329	statusCodeExpected: 200
		330	})
		331	})
		332
254	it('Should succeed with the correct params', async function () {	333	it('Should succeed with the correct params', async function () {
255	await makePostBodyRequest({	334	await makePostBodyRequest({
256	url: server.url,	335	url: server.url,
@@ -468,11 +547,6 @@ describe('Test users API validators', function () {
468	})	547	})
469		548
470	describe('When getting a user', function () {	549	describe('When getting a user', function () {
471	before(async function () {
472	const res = await getUsersList(server.url, server.accessToken)
473
474	userId = res.body.data[1].id
475	})
476		550
477	it('Should fail with an non authenticated user', async function () {	551	it('Should fail with an non authenticated user', async function () {
478	await makeGetRequest({ url: server.url, path: path + userId, token: 'super token', statusCodeExpected: 401 })	552	await makeGetRequest({ url: server.url, path: path + userId, token: 'super token', statusCodeExpected: 401 })
@@ -489,13 +563,6 @@ describe('Test users API validators', function () {
489		563
490	describe('When updating a user', function () {	564	describe('When updating a user', function () {
491		565
492	before(async function () {
493	const res = await getUsersList(server.url, server.accessToken)
494
495	userId = res.body.data[1].id
496	rootId = res.body.data[2].id
497	})
498
499	it('Should fail with an invalid email attribute', async function () {	566	it('Should fail with an invalid email attribute', async function () {
500	const fields = {	567	const fields = {
501	email: 'blabla'	568	email: 'blabla'
@@ -565,7 +632,35 @@ describe('Test users API validators', function () {
565	it('Should fail with invalid admin flags', async function () {	632	it('Should fail with invalid admin flags', async function () {
566	const fields = { adminFlags: 'toto' }	633	const fields = { adminFlags: 'toto' }
567		634
568	await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })	635	await makePutBodyRequest({ url: server.url, path, token: server.accessToken, fields })
		636	})
		637
		638	it('Should fail to update an admin with a moderator', async function () {
		639	const fields = {
		640	videoQuota: 42
		641	}
		642
		643	await makePutBodyRequest({
		644	url: server.url,
		645	path: path + moderatorId,
		646	token: moderatorAccessToken,
		647	fields,
		648	statusCodeExpected: 403
		649	})
		650	})
		651
		652	it('Should succeed to update a user with a moderator', async function () {
		653	const fields = {
		654	videoQuota: 42
		655	}
		656
		657	await makePutBodyRequest({
		658	url: server.url,
		659	path: path + userId,
		660	token: moderatorAccessToken,
		661	fields,
		662	statusCodeExpected: 204
		663	})
569	})	664	})
570		665
571	it('Should succeed with the correct params', async function () {	666	it('Should succeed with the correct params', async function () {
@@ -664,6 +759,17 @@ describe('Test users API validators', function () {
664	await blockUser(server.url, userId, userAccessToken, 403)	759	await blockUser(server.url, userId, userAccessToken, 403)
665	await unblockUser(server.url, userId, userAccessToken, 403)	760	await unblockUser(server.url, userId, userAccessToken, 403)
666	})	761	})
		762
		763	it('Should fail on a moderator with a moderator', async function () {
		764	await removeUser(server.url, moderatorId, moderatorAccessToken, 403)
		765	await blockUser(server.url, moderatorId, moderatorAccessToken, 403)
		766	await unblockUser(server.url, moderatorId, moderatorAccessToken, 403)
		767	})
		768
		769	it('Should succeed on a user with a moderator', async function () {
		770	await blockUser(server.url, userId, moderatorAccessToken)
		771	await unblockUser(server.url, userId, moderatorAccessToken)
		772	})
667	})	773	})
668		774
669	describe('When deleting our account', function () {	775	describe('When deleting our account', function () {