diff options
author | Chocobozzz <me@florianbigard.com> | 2018-01-23 09:15:36 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-01-23 09:49:57 +0100 |
commit | f8b8c36b2a92bfee435747ab5a0283924be76281 (patch) | |
tree | 99e17a5c9413614071ae63d72e9b9557fc8cef43 /server | |
parent | 59c48d49c5f06a46c342b4e7f86fbd1ed9894bd6 (diff) | |
download | PeerTube-f8b8c36b2a92bfee435747ab5a0283924be76281.tar.gz PeerTube-f8b8c36b2a92bfee435747ab5a0283924be76281.tar.zst PeerTube-f8b8c36b2a92bfee435747ab5a0283924be76281.zip |
Destroy user token when changing its role
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/api/users.ts | 7 | ||||
-rw-r--r-- | server/middlewares/validators/users.ts | 7 | ||||
-rw-r--r-- | server/models/oauth/oauth-token.ts | 10 | ||||
-rw-r--r-- | server/tests/api/check-params/users.ts | 17 | ||||
-rw-r--r-- | server/tests/api/users/users.ts | 37 | ||||
-rw-r--r-- | server/tests/utils/users/login.ts | 4 |
6 files changed, 59 insertions, 23 deletions
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts index aced4639e..79bb2665d 100644 --- a/server/controllers/api/users.ts +++ b/server/controllers/api/users.ts | |||
@@ -19,6 +19,7 @@ import { | |||
19 | import { usersUpdateMyAvatarValidator, videosSortValidator } from '../../middlewares/validators' | 19 | import { usersUpdateMyAvatarValidator, videosSortValidator } from '../../middlewares/validators' |
20 | import { AccountVideoRateModel } from '../../models/account/account-video-rate' | 20 | import { AccountVideoRateModel } from '../../models/account/account-video-rate' |
21 | import { UserModel } from '../../models/account/user' | 21 | import { UserModel } from '../../models/account/user' |
22 | import { OAuthTokenModel } from '../../models/oauth/oauth-token' | ||
22 | import { VideoModel } from '../../models/video/video' | 23 | import { VideoModel } from '../../models/video/video' |
23 | 24 | ||
24 | const reqAvatarFile = createReqFiles('avatarfile', CONFIG.STORAGE.AVATARS_DIR, AVATAR_MIMETYPE_EXT) | 25 | const reqAvatarFile = createReqFiles('avatarfile', CONFIG.STORAGE.AVATARS_DIR, AVATAR_MIMETYPE_EXT) |
@@ -288,6 +289,7 @@ async function updateMyAvatar (req: express.Request, res: express.Response, next | |||
288 | async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) { | 289 | async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) { |
289 | const body: UserUpdate = req.body | 290 | const body: UserUpdate = req.body |
290 | const user = res.locals.user as UserModel | 291 | const user = res.locals.user as UserModel |
292 | const roleChanged = body.role !== undefined && body.role !== user.role | ||
291 | 293 | ||
292 | if (body.email !== undefined) user.email = body.email | 294 | if (body.email !== undefined) user.email = body.email |
293 | if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota | 295 | if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota |
@@ -295,6 +297,11 @@ async function updateUser (req: express.Request, res: express.Response, next: ex | |||
295 | 297 | ||
296 | await user.save() | 298 | await user.save() |
297 | 299 | ||
300 | // Destroy user token to refresh rights | ||
301 | if (roleChanged) { | ||
302 | await OAuthTokenModel.deleteUserToken(user.id) | ||
303 | } | ||
304 | |||
298 | // Don't need to send this update to followers, these attributes are not propagated | 305 | // Don't need to send this update to followers, these attributes are not propagated |
299 | 306 | ||
300 | return res.sendStatus(204) | 307 | return res.sendStatus(204) |
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index d22a745b4..990311d6f 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -77,6 +77,13 @@ const usersUpdateValidator = [ | |||
77 | if (areValidationErrors(req, res)) return | 77 | if (areValidationErrors(req, res)) return |
78 | if (!await checkUserIdExist(req.params.id, res)) return | 78 | if (!await checkUserIdExist(req.params.id, res)) return |
79 | 79 | ||
80 | const user = res.locals.user | ||
81 | if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) { | ||
82 | return res.status(400) | ||
83 | .send({ error: 'Cannot change root role.' }) | ||
84 | .end() | ||
85 | } | ||
86 | |||
80 | return next() | 87 | return next() |
81 | } | 88 | } |
82 | ] | 89 | ] |
diff --git a/server/models/oauth/oauth-token.ts b/server/models/oauth/oauth-token.ts index 9d1b63813..528bb9587 100644 --- a/server/models/oauth/oauth-token.ts +++ b/server/models/oauth/oauth-token.ts | |||
@@ -159,4 +159,14 @@ export class OAuthTokenModel extends Model<OAuthTokenModel> { | |||
159 | return token | 159 | return token |
160 | }) | 160 | }) |
161 | } | 161 | } |
162 | |||
163 | static deleteUserToken (userId: number) { | ||
164 | const query = { | ||
165 | where: { | ||
166 | userId | ||
167 | } | ||
168 | } | ||
169 | |||
170 | return OAuthTokenModel.destroy(query) | ||
171 | } | ||
162 | } | 172 | } |
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts index b0f35b9f7..9938fe3a2 100644 --- a/server/tests/api/check-params/users.ts +++ b/server/tests/api/check-params/users.ts | |||
@@ -20,6 +20,10 @@ describe('Test users API validators', function () { | |||
20 | let server: ServerInfo | 20 | let server: ServerInfo |
21 | let serverWithRegistrationDisabled: ServerInfo | 21 | let serverWithRegistrationDisabled: ServerInfo |
22 | let userAccessToken = '' | 22 | let userAccessToken = '' |
23 | const user = { | ||
24 | username: 'user1', | ||
25 | password: 'my super password' | ||
26 | } | ||
23 | 27 | ||
24 | // --------------------------------------------------------------- | 28 | // --------------------------------------------------------------- |
25 | 29 | ||
@@ -33,10 +37,6 @@ describe('Test users API validators', function () { | |||
33 | 37 | ||
34 | await setAccessTokensToServers([ server ]) | 38 | await setAccessTokensToServers([ server ]) |
35 | 39 | ||
36 | const user = { | ||
37 | username: 'user1', | ||
38 | password: 'my super password' | ||
39 | } | ||
40 | const videoQuota = 42000000 | 40 | const videoQuota = 42000000 |
41 | await createUser(server.url, server.accessToken, user.username, user.password, videoQuota) | 41 | await createUser(server.url, server.accessToken, user.username, user.password, videoQuota) |
42 | userAccessToken = await userLogin(server, user) | 42 | userAccessToken = await userLogin(server, user) |
@@ -341,6 +341,14 @@ describe('Test users API validators', function () { | |||
341 | await makePutBodyRequest({ url: server.url, path: path + userId, token: 'super token', fields, statusCodeExpected: 401 }) | 341 | await makePutBodyRequest({ url: server.url, path: path + userId, token: 'super token', fields, statusCodeExpected: 401 }) |
342 | }) | 342 | }) |
343 | 343 | ||
344 | it('Should fail when updating root role', async function () { | ||
345 | const fields = { | ||
346 | role: UserRole.MODERATOR | ||
347 | } | ||
348 | |||
349 | await makePutBodyRequest({ url: server.url, path: path + rootId, token: server.accessToken, fields }) | ||
350 | }) | ||
351 | |||
344 | it('Should succeed with the correct params', async function () { | 352 | it('Should succeed with the correct params', async function () { |
345 | const fields = { | 353 | const fields = { |
346 | email: 'email@example.com', | 354 | email: 'email@example.com', |
@@ -349,6 +357,7 @@ describe('Test users API validators', function () { | |||
349 | } | 357 | } |
350 | 358 | ||
351 | await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields, statusCodeExpected: 204 }) | 359 | await makePutBodyRequest({ url: server.url, path: path + userId, token: server.accessToken, fields, statusCodeExpected: 204 }) |
360 | userAccessToken = await userLogin(server, user) | ||
352 | }) | 361 | }) |
353 | }) | 362 | }) |
354 | 363 | ||
diff --git a/server/tests/api/users/users.ts b/server/tests/api/users/users.ts index 6bb5fd698..c23b58089 100644 --- a/server/tests/api/users/users.ts +++ b/server/tests/api/users/users.ts | |||
@@ -4,10 +4,9 @@ import * as chai from 'chai' | |||
4 | import 'mocha' | 4 | import 'mocha' |
5 | import { UserRole } from '../../../../shared/index' | 5 | import { UserRole } from '../../../../shared/index' |
6 | import { | 6 | import { |
7 | createUser, flushTests, getBlacklistedVideosList, getMyUserInformation, getMyUserVideoQuotaUsed, getMyUserVideoRating, getUserInformation, | 7 | createUser, flushTests, getBlacklistedVideosList, getMyUserInformation, getMyUserVideoQuotaUsed, getMyUserVideoRating, |
8 | getUsersList, | 8 | getUserInformation, getUsersList, getUsersListPaginationAndSort, getVideosList, killallServers, login, makePutBodyRequest, rateVideo, |
9 | getUsersListPaginationAndSort, getVideosList, killallServers, login, makePutBodyRequest, rateVideo, registerUser, removeUser, removeVideo, | 9 | registerUser, removeUser, removeVideo, runServer, ServerInfo, testImage, updateMyAvatar, updateMyUser, updateUser, uploadVideo, userLogin |
10 | runServer, ServerInfo, serverLogin, testImage, updateMyAvatar, updateMyUser, updateUser, uploadVideo | ||
11 | } from '../../utils/index' | 10 | } from '../../utils/index' |
12 | import { follow } from '../../utils/server/follows' | 11 | import { follow } from '../../utils/server/follows' |
13 | import { setAccessTokensToServers } from '../../utils/users/login' | 12 | import { setAccessTokensToServers } from '../../utils/users/login' |
@@ -21,6 +20,10 @@ describe('Test users', function () { | |||
21 | let accessTokenUser: string | 20 | let accessTokenUser: string |
22 | let videoId: number | 21 | let videoId: number |
23 | let userId: number | 22 | let userId: number |
23 | const user = { | ||
24 | username: 'user_1', | ||
25 | password: 'super password' | ||
26 | } | ||
24 | 27 | ||
25 | before(async function () { | 28 | before(async function () { |
26 | this.timeout(30000) | 29 | this.timeout(30000) |
@@ -152,16 +155,11 @@ describe('Test users', function () { | |||
152 | it('Should be able to upload a video again') | 155 | it('Should be able to upload a video again') |
153 | 156 | ||
154 | it('Should be able to create a new user', async function () { | 157 | it('Should be able to create a new user', async function () { |
155 | await createUser(server.url, accessToken, 'user_1', 'super password', 2 * 1024 * 1024) | 158 | await createUser(server.url, accessToken, user.username,user.password, 2 * 1024 * 1024) |
156 | }) | 159 | }) |
157 | 160 | ||
158 | it('Should be able to login with this user', async function () { | 161 | it('Should be able to login with this user', async function () { |
159 | server.user = { | 162 | accessTokenUser = await userLogin(server, user) |
160 | username: 'user_1', | ||
161 | password: 'super password' | ||
162 | } | ||
163 | |||
164 | accessTokenUser = await serverLogin(server) | ||
165 | }) | 163 | }) |
166 | 164 | ||
167 | it('Should be able to get the user information', async function () { | 165 | it('Should be able to get the user information', async function () { |
@@ -297,9 +295,9 @@ describe('Test users', function () { | |||
297 | accessToken: accessTokenUser, | 295 | accessToken: accessTokenUser, |
298 | newPassword: 'new password' | 296 | newPassword: 'new password' |
299 | }) | 297 | }) |
300 | server.user.password = 'new password' | 298 | user.password = 'new password' |
301 | 299 | ||
302 | await login(server.url, server.client, server.user, 200) | 300 | await userLogin(server, user, 200) |
303 | }) | 301 | }) |
304 | 302 | ||
305 | it('Should be able to change the NSFW display attribute', async function () { | 303 | it('Should be able to change the NSFW display attribute', async function () { |
@@ -386,6 +384,12 @@ describe('Test users', function () { | |||
386 | expect(user.id).to.be.a('number') | 384 | expect(user.id).to.be.a('number') |
387 | }) | 385 | }) |
388 | 386 | ||
387 | it('Should have removed the user token', async function () { | ||
388 | await getMyUserVideoQuotaUsed(server.url, accessTokenUser, 401) | ||
389 | |||
390 | accessTokenUser = await userLogin(server, user) | ||
391 | }) | ||
392 | |||
389 | it('Should not be able to delete a user by a moderator', async function () { | 393 | it('Should not be able to delete a user by a moderator', async function () { |
390 | await removeUser(server.url, 2, accessTokenUser, 403) | 394 | await removeUser(server.url, 2, accessTokenUser, 403) |
391 | }) | 395 | }) |
@@ -399,8 +403,7 @@ describe('Test users', function () { | |||
399 | }) | 403 | }) |
400 | 404 | ||
401 | it('Should not be able to login with this user', async function () { | 405 | it('Should not be able to login with this user', async function () { |
402 | // server.user is already set to user 1 | 406 | await userLogin(server, user, 400) |
403 | await login(server.url, server.client, server.user, 400) | ||
404 | }) | 407 | }) |
405 | 408 | ||
406 | it('Should not have videos of this user', async function () { | 409 | it('Should not have videos of this user', async function () { |
@@ -417,12 +420,12 @@ describe('Test users', function () { | |||
417 | }) | 420 | }) |
418 | 421 | ||
419 | it('Should be able to login with this registered user', async function () { | 422 | it('Should be able to login with this registered user', async function () { |
420 | server.user = { | 423 | const user15 = { |
421 | username: 'user_15', | 424 | username: 'user_15', |
422 | password: 'my super password' | 425 | password: 'my super password' |
423 | } | 426 | } |
424 | 427 | ||
425 | accessToken = await serverLogin(server) | 428 | accessToken = await userLogin(server, user15) |
426 | }) | 429 | }) |
427 | 430 | ||
428 | it('Should have the correct video quota', async function () { | 431 | it('Should have the correct video quota', async function () { |
diff --git a/server/tests/utils/users/login.ts b/server/tests/utils/users/login.ts index 04444e2f1..338ae1c00 100644 --- a/server/tests/utils/users/login.ts +++ b/server/tests/utils/users/login.ts | |||
@@ -32,8 +32,8 @@ async function serverLogin (server: Server) { | |||
32 | return res.body.access_token as string | 32 | return res.body.access_token as string |
33 | } | 33 | } |
34 | 34 | ||
35 | async function userLogin (server: Server, user: User) { | 35 | async function userLogin (server: Server, user: User, expectedStatus = 200) { |
36 | const res = await login(server.url, server.client, user, 200) | 36 | const res = await login(server.url, server.client, user, expectedStatus) |
37 | 37 | ||
38 | return res.body.access_token as string | 38 | return res.body.access_token as string |
39 | } | 39 | } |