From ea7337cfdee00894792762660fa3c3412aeccccb Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Fri, 3 Jul 2020 10:28:19 +0200
Subject: add check-params test for user list fixes #2918
---
 server/controllers/api/users/index.ts | 2 +-
 server/middlewares/validators/users.ts | 3 +--
 server/tests/api/check-params/users.ts | 12 ++++++++++++
 3 files changed, 14 insertions(+), 3 deletions(-) (limited to 'server')
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 839431afb..fcd828ae3 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -86,7 +86,7 @@ usersRouter.get('/',
 usersSortValidator,
 setDefaultSort,
 setDefaultPagination,
- asyncMiddleware(usersListValidator),
+ usersListValidator,
 asyncMiddleware(listUsers)
 )
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 6860a3bed..423da9bc0 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -41,10 +41,9 @@ import { Hooks } from '@server/lib/plugins/hooks'
 const usersListValidator = [
 query('blocked')
 .optional()
- .customSanitizer(toBooleanOrNull)
 .isBoolean().withMessage('Should be a valid boolean banned state'),
- async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ (req: express.Request, res: express.Response, next: express.NextFunction) => {
 logger.debug('Checking usersList parameters', { parameters: req.query })
 if (areValidationErrors(req, res)) return
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts
index 74f0a2d3f..2fea2cbd5 100644
--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
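Review bot: In the server/middlewares/validators/users.ts hunk, dropping `.customSanitizer(toBooleanOrNull)` leaves `blocked` validated but never converted, so `req.query.blocked` reaches the handler as the raw query string. `isBoolean()` accepts 'true', 'false', '1' and '0', and the string 'false' is truthy, so any downstream truthiness test or typed comparison on this filter could select the wrong set of users. How `listUsers` consumes the value is outside this diff and should be checked. Running the conversion after the validator keeps the 400 on bad input and still hands the controller a typed value: `.isBoolean().withMessage('Should be a valid boolean banned state')` followed by `.customSanitizer(toBooleanOrNull)`. The `usersListValidator` array continues past the end of the hunk.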
@@ -155,6 +155,18 @@ describe('Test users API validators', function () {
 await checkBadSortPagination(server.url, path, server.accessToken)
 })
+ it('Should fail with a bad blocked/banned user filter', async function () {
+ await makeGetRequest({
+ url: server.url,
+ path,
+ query: {
+ blocked: 42
+ },
+ token: server.accessToken,
+ statusCodeExpected: 400
+ })
+ })
+
 it('Should fail with a non authenticated user', async function () {
 await makeGetRequest({
 url: server.url,
-- cgit v1.2.3
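Review bot: The new case pins only the rejection path with `blocked: 42`; nothing asserts that a well-formed filter is still accepted now that the sanitizer has been removed from the validator. A sibling case using `query: { blocked: 'false' }` with `statusCodeExpected: 200` would cover the accept path. A functional test that checks the returned users really are non-blocked would also catch a string-versus-boolean mix-up in the controller. The enclosing `describe` block starts and ends outside the hunk.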