From a95a4cc89155f448e6f9ca0957170f3c72a9d964 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Tue, 30 Jul 2019 09:59:19 +0200 Subject: Moderators can only manage users --- server/tests/api/check-params/users.ts | 166 +++++++++++++++++++++++++++------ 1 file changed, 136 insertions(+), 30 deletions(-) (limited to 'server/tests') diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts index 5b788e328..939b919ed 100644 --- a/server/tests/api/check-params/users.ts +++ b/server/tests/api/check-params/users.ts @@ -3,7 +3,7 @@ import { omit } from 'lodash' import 'mocha' import { join } from 'path' -import { UserRole, VideoImport, VideoImportState } from '../../../../shared' +import { User, UserRole, VideoImport, VideoImportState } from '../../../../shared' import { addVideoChannel, @@ -44,35 +44,79 @@ describe('Test users API validators', function () { const path = '/api/v1/users/' let userId: number let rootId: number + let moderatorId: number let videoId: number let server: ServerInfo let serverWithRegistrationDisabled: ServerInfo let userAccessToken = '' + let moderatorAccessToken = '' let channelId: number - const user = { - username: 'user1', - password: 'my super password' - } // --------------------------------------------------------------- before(async function () { this.timeout(30000) - server = await flushAndRunServer(1) - serverWithRegistrationDisabled = await flushAndRunServer(2) + { + const res = await Promise.all([ + flushAndRunServer(1, { signup: { limit: 7 } }), + flushAndRunServer(2) + ]) - await setAccessTokensToServers([ server ]) + server = res[0] + serverWithRegistrationDisabled = res[1] - const videoQuota = 42000000 - await createUser({ - url: server.url, - accessToken: server.accessToken, - username: user.username, - password: user.password, - videoQuota: videoQuota - }) - userAccessToken = await userLogin(server, user) + await setAccessTokensToServers([ server ]) + } + + { + const user = { + username: 'user1', + password: 'my super password' + } + + const videoQuota = 42000000 + await createUser({ + url: server.url, + accessToken: server.accessToken, + username: user.username, + password: user.password, + videoQuota: videoQuota + }) + userAccessToken = await userLogin(server, user) + } + + { + const moderator = { + username: 'moderator1', + password: 'super password' + } + + await createUser({ + url: server.url, + accessToken: server.accessToken, + username: moderator.username, + password: moderator.password, + role: UserRole.MODERATOR + }) + + moderatorAccessToken = await userLogin(server, moderator) + } + + { + const moderator = { + username: 'moderator2', + password: 'super password' + } + + await createUser({ + url: server.url, + accessToken: server.accessToken, + username: moderator.username, + password: moderator.password, + role: UserRole.MODERATOR + }) + } { const res = await getMyUserInformation(server.url, server.accessToken) @@ -83,6 +127,15 @@ describe('Test users API validators', function () { const res = await uploadVideo(server.url, server.accessToken, {}) videoId = res.body.video.id } + + { + const res = await getUsersList(server.url, server.accessToken) + const users: User[] = res.body.data + + userId = users.find(u => u.username === 'user1').id + rootId = users.find(u => u.username === 'root').id + moderatorId = users.find(u => u.username === 'moderator2').id + } }) describe('When listing users', function () { @@ -251,6 +304,32 @@ describe('Test users API validators', function () { }) }) + it('Should fail to create a moderator or an admin with a moderator', async function () { + for (const role of [ UserRole.MODERATOR, UserRole.ADMINISTRATOR ]) { + const fields = immutableAssign(baseCorrectParams, { role }) + + await makePostBodyRequest({ + url: server.url, + path, + token: moderatorAccessToken, + fields, + statusCodeExpected: 403 + }) + } + }) + + it('Should succeed to create a user with a moderator', async function () { + const fields = immutableAssign(baseCorrectParams, { username: 'a4656', email: 'a4656@example.com', role: UserRole.USER }) + + await makePostBodyRequest({ + url: server.url, + path, + token: moderatorAccessToken, + fields, + statusCodeExpected: 200 + }) + }) + it('Should succeed with the correct params', async function () { await makePostBodyRequest({ url: server.url, @@ -468,11 +547,6 @@ describe('Test users API validators', function () { }) describe('When getting a user', function () { - before(async function () { - const res = await getUsersList(server.url, server.accessToken) - - userId = res.body.data[1].id - }) it('Should fail with an non authenticated user', async function () { await makeGetRequest({ url: server.url, path: path + userId, token: 'super token', statusCodeExpected: 401 }) @@ -489,13 +563,6 @@ describe('Test users API validators', function () { describe('When updating a user', function () { - before(async function () { - const res = await getUsersList(server.url, server.accessToken) - - userId = res.body.data[1].id - rootId = res.body.data[2].id - }) - it('Should fail with an invalid email attribute', async function () { const fields = { email: 'blabla' @@ -565,7 +632,35 @@ describe('Test users API validators', function () { it('Should fail with invalid admin flags', async function () { const fields = { adminFlags: 'toto' } - await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields }) + await makePutBodyRequest({ url: server.url, path, token: server.accessToken, fields }) + }) + + it('Should fail to update an admin with a moderator', async function () { + const fields = { + videoQuota: 42 + } + + await makePutBodyRequest({ + url: server.url, + path: path + moderatorId, + token: moderatorAccessToken, + fields, + statusCodeExpected: 403 + }) + }) + + it('Should succeed to update a user with a moderator', async function () { + const fields = { + videoQuota: 42 + } + + await makePutBodyRequest({ + url: server.url, + path: path + userId, + token: moderatorAccessToken, + fields, + statusCodeExpected: 204 + }) }) it('Should succeed with the correct params', async function () { @@ -664,6 +759,17 @@ describe('Test users API validators', function () { await blockUser(server.url, userId, userAccessToken, 403) await unblockUser(server.url, userId, userAccessToken, 403) }) + + it('Should fail on a moderator with a moderator', async function () { + await removeUser(server.url, moderatorId, moderatorAccessToken, 403) + await blockUser(server.url, moderatorId, moderatorAccessToken, 403) + await unblockUser(server.url, moderatorId, moderatorAccessToken, 403) + }) + + it('Should succeed on a user with a moderator', async function () { + await blockUser(server.url, userId, moderatorAccessToken) + await unblockUser(server.url, userId, moderatorAccessToken) + }) }) describe('When deleting our account', function () { -- cgit v1.2.3