authorChocobozzz <me@florianbigard.com>2018-01-23 09:15:36 +0100
committerChocobozzz <me@florianbigard.com>2018-01-23 09:49:57 +0100
commitf8b8c36b2a92bfee435747ab5a0283924be76281 (patch)
tree99e17a5c9413614071ae63d72e9b9557fc8cef43 /server
parent59c48d49c5f06a46c342b4e7f86fbd1ed9894bd6 (diff)
Destroy user token when changing its role
Diffstat (limited to 'server')
-rw-r--r--server/controllers/api/users.ts7
-rw-r--r--server/middlewares/validators/users.ts7
-rw-r--r--server/models/oauth/oauth-token.ts10
-rw-r--r--server/tests/api/check-params/users.ts17
-rw-r--r--server/tests/api/users/users.ts37
-rw-r--r--server/tests/utils/users/login.ts4
6 files changed, 59 insertions, 23 deletions
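--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -19,6 +19,7 @@ import {
 import { usersUpdateMyAvatarValidator, videosSortValidator } from '../../middlewares/validators'
 import { AccountVideoRateModel } from '../../models/account/account-video-rate'
 import { UserModel } from '../../models/account/user'
+import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 
 const reqAvatarFile = createReqFiles('avatarfile', CONFIG.STORAGE.AVATARS_DIR, AVATAR_MIMETYPE_EXT)
@@ -288,6 +289,7 @@ async function updateMyAvatar (req: express.Request, res: express.Response, next
 async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) {
   const body: UserUpdate = req.body
   const user = res.locals.user as UserModel
+  const roleChanged = body.role !== undefined && body.role !== user.role
 
   if (body.email !== undefined) user.email = body.email
   if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota
@@ -295,6 +297,11 @@ async function updateUser (req: express.Request, res: express.Response, next: ex
 
   await user.save()
 
+  // Destroy user token to refresh rights
+  if (roleChanged) {
+    await OAuthTokenModel.deleteUserToken(user.id)
+  }
+
   // Don't need to send this update to followers, these attributes are not propagated
 
   return res.sendStatus(204)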
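Review bot: The token purge on new line 302 runs only after `await user.save()` on line 298 has persisted the new role, so if `deleteUserToken` rejects, the handler fails with the role already changed and every existing token still valid under the old rights. Revoking first (`if (roleChanged) await OAuthTokenModel.deleteUserToken(user.id)` placed ahead of `await user.save()`) turns that failure mode into a forced re-login rather than a stale-privilege session, or both steps could share a transaction if the project's sequelize transaction helper is usable here. The comment on line 300 would be more precise as `// Revoke every token of this user so the new role takes effect on all of its sessions`, since the helper filters on userId alone. `roleChanged` is computed on line 292 before the role is assigned, which is what makes the comparison meaningful; the role assignment itself presumably sits in the lines between the second and third hunk, outside what is shown.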
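--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -77,6 +77,13 @@ const usersUpdateValidator = [
     if (areValidationErrors(req, res)) return
     if (!await checkUserIdExist(req.params.id, res)) return
 
+    const user = res.locals.user
+    if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
+      return res.status(400)
+                .send({ error: 'Cannot change root role.' })
+                .end()
+    }
+
     return next()
   }
 ]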
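Review bot: The root check on new line 81 keys on the literal `'root'` with no comment saying why that account is exempt from role changes; a short comment such as `// The root account's role is fixed: demoting it could leave the instance without its built-in administrator` would explain the rule, and if the project already has a constant for the root username it should replace the literal (none is visible from here). Note also that the guard only rejects when the submitted role differs from the current one, so a request that resends root's current role still passes; that looks intentional but is worth stating in the same comment. usersUpdateValidator begins outside the hunk.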
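--- a/server/models/oauth/oauth-token.ts
+++ b/server/models/oauth/oauth-token.ts
@@ -159,4 +159,14 @@ export class OAuthTokenModel extends Model<OAuthTokenModel> {
         return token
       })
   }
+
+  static deleteUserToken (userId: number) {
+    const query = {
+      where: {
+        userId
+      }
+    }
+
+    return OAuthTokenModel.destroy(query)
+  }
 }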
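Review bot: `deleteUserToken` on new line 163 has no doc comment and its singular name understates what it does: the `where: { userId }` clause on lines 165-167 removes every token row of that user, not a single token. Suggest a TSDoc above it such as `/** Revokes every OAuth token held by the user, ending all of its sessions; used to force re-authentication after a privilege change. */`, and an explicit return type, `static deleteUserToken (userId: number): Promise<number>`, so callers see that the result is the destroyed-row count from `destroy` rather than the deleted token. Whether the same row also carries a refresh token is not visible here; confirm against the model's columns before wording the comment.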
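--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
@@ -20,6 +20,10 @@ describe('Test users API validators', function () {
   let server: ServerInfo
   let serverWithRegistrationDisabled: ServerInfo
   let userAccessToken = ''
+  const user = {
+    username: 'user1',
+    password: 'my super password'
+  }
 
   // ---------------------------------------------------------------
 
@@ -33,10 +37,6 @@ describe('Test users API validators', function () {
 
     await setAccessTokensToServers([ server ])
 
-    const user = {
-      username: 'user1',
-      password: 'my super password'
-    }
     const videoQuota = 42000000
     await createUser(server.url, server.accessToken, user.username, user.password, videoQuota)
     userAccessToken = await userLogin(server, user)
@@ -341,6 +341,14 @@ describe('Test users API validators', function () {
       await makePutBodyRequest({ url: server.url, path: path + userId, token: 'super token', fields, statusCodeExpected: 401 })
     })
 
+    it('Should fail when updating root role', async function () {
+      const fields = {
+        role: UserRole.MODERATOR
+      }
+
+      await makePutBodyRequest({ url: server.url, path: path + rootId, token: server.accessToken, fields })
+    })
+
     it('Should succeed with the correct params', async function () {
       const fields = {
         email: 'email@example.com',
@@ -349,6 +357,7 @@ describe('Test users API validators', function () {
       }
 
       await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields, statusCodeExpected: 204 })
+      userAccessToken = await userLogin(server, user)
     })
   })
 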
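Review bot: The new 'Should fail when updating root role' case on lines 344-350 passes no `statusCodeExpected` to `makePutBodyRequest`, unlike the neighbouring cases on lines 341 and 359, so it only checks whatever the helper's default status is and would stay green if that default changed; pin it to the validator's response with `await makePutBodyRequest({ url: server.url, path: path + rootId, token: server.accessToken, fields, statusCodeExpected: 400 })`. `rootId` is referenced but not defined within the hunk, so it presumably comes from the surrounding describe block.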
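--- a/server/tests/api/users/users.ts
+++ b/server/tests/api/users/users.ts
@@ -4,10 +4,9 @@ import * as chai from 'chai'
 import 'mocha'
 import { UserRole } from '../../../../shared/index'
 import {
-  createUser, flushTests, getBlacklistedVideosList, getMyUserInformation, getMyUserVideoQuotaUsed, getMyUserVideoRating, getUserInformation,
-  getUsersList,
-  getUsersListPaginationAndSort, getVideosList, killallServers, login, makePutBodyRequest, rateVideo, registerUser, removeUser, removeVideo,
-  runServer, ServerInfo, serverLogin, testImage, updateMyAvatar, updateMyUser, updateUser, uploadVideo
+  createUser, flushTests, getBlacklistedVideosList, getMyUserInformation, getMyUserVideoQuotaUsed, getMyUserVideoRating,
+  getUserInformation, getUsersList, getUsersListPaginationAndSort, getVideosList, killallServers, login, makePutBodyRequest, rateVideo,
+  registerUser, removeUser, removeVideo, runServer, ServerInfo, testImage, updateMyAvatar, updateMyUser, updateUser, uploadVideo, userLogin
 } from '../../utils/index'
 import { follow } from '../../utils/server/follows'
 import { setAccessTokensToServers } from '../../utils/users/login'
@@ -21,6 +20,10 @@ describe('Test users', function () {
   let accessTokenUser: string
   let videoId: number
   let userId: number
+  const user = {
+    username: 'user_1',
+    password: 'super password'
+  }
 
   before(async function () {
     this.timeout(30000)
@@ -152,16 +155,11 @@ describe('Test users', function () {
   it('Should be able to upload a video again')
 
   it('Should be able to create a new user', async function () {
-    await createUser(server.url, accessToken, 'user_1', 'super password', 2 * 1024 * 1024)
+    await createUser(server.url, accessToken, user.username,user.password, 2 * 1024 * 1024)
   })
 
   it('Should be able to login with this user', async function () {
-    server.user = {
-      username: 'user_1',
-      password: 'super password'
-    }
-
-    accessTokenUser = await serverLogin(server)
+    accessTokenUser = await userLogin(server, user)
   })
 
   it('Should be able to get the user information', async function () {
@@ -297,9 +295,9 @@ describe('Test users', function () {
       accessToken: accessTokenUser,
       newPassword: 'new password'
     })
-    server.user.password = 'new password'
+    user.password = 'new password'
 
-    await login(server.url, server.client, server.user, 200)
+    await userLogin(server, user, 200)
   })
 
   it('Should be able to change the NSFW display attribute', async function () {
@@ -386,6 +384,12 @@ describe('Test users', function () {
     expect(user.id).to.be.a('number')
   })
 
+  it('Should have removed the user token', async function () {
+    await getMyUserVideoQuotaUsed(server.url, accessTokenUser, 401)
+
+    accessTokenUser = await userLogin(server, user)
+  })
+
   it('Should not be able to delete a user by a moderator', async function () {
     await removeUser(server.url, 2, accessTokenUser, 403)
   })
@@ -399,8 +403,7 @@ describe('Test users', function () {
   })
 
   it('Should not be able to login with this user', async function () {
-    // server.user is already set to user 1
-    await login(server.url, server.client, server.user, 400)
+    await userLogin(server, user, 400)
   })
 
   it('Should not have videos of this user', async function () {
@@ -417,12 +420,12 @@ describe('Test users', function () {
   })
 
   it('Should be able to login with this registered user', async function () {
-    server.user = {
+    const user15 = {
       username: 'user_15',
       password: 'my super password'
     }
 
-    accessToken = await serverLogin(server)
+    accessToken = await userLogin(server, user15)
   })
 
   it('Should have the correct video quota', async function () {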
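Review bot: Style: new line 158 has `user.username,user.password` with no space after the comma, unlike every other argument list in the file; write `await createUser(server.url, accessToken, user.username, user.password, 2 * 1024 * 1024)`. The new 'Should have removed the user token' case on lines 387-391 is a useful end-to-end check of the revocation, but it only proves the old token is rejected; an assertion that the re-login token is accepted (a 200 from `getMyUserVideoQuotaUsed` with the fresh `accessTokenUser`) would show the user remains usable after the purge, though the cases that follow do exercise that token, so this may be deliberate.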
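--- a/server/tests/utils/users/login.ts
+++ b/server/tests/utils/users/login.ts
@@ -32,8 +32,8 @@ async function serverLogin (server: Server) {
   return res.body.access_token as string
 }
 
-async function userLogin (server: Server, user: User) {
-  const res = await login(server.url, server.client, user, 200)
+async function userLogin (server: Server, user: User, expectedStatus = 200) {
+  const res = await login(server.url, server.client, user, expectedStatus)
 
   return res.body.access_token as string
 }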
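Review bot: After this change `userLogin` on new line 35 can be called with a failing `expectedStatus` (the users test does so with 400), in which case `res.body.access_token` is absent and the `as string` cast on line 38 hands callers `undefined` typed as `string`. A doc comment should state this, e.g. `/** Logs the user in and returns the access token; when expectedStatus is not a success status the result is undefined despite the string type. */`. Narrowing the return to `string | undefined` would be more honest but ripples to every caller, so the comment is the minimal fix.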