diff --git a/src/accesscontrol.js b/src/accesscontrol.js index b77315d03..06534c744 100644 --- a/src/accesscontrol.js +++ b/src/accesscontrol.js @@ -2,7 +2,7 @@ exports = module.exports = { PERMISSION_ADMIN: 'admin', // not a real permission, but a role - PERMISSION_MANAGE_USERS: 'manange_users', + PERMISSION_MANAGE_USERS: 'manage_users', verifyToken: verifyToken, hasPermission: hasPermission, diff --git a/src/routes/test/users-test.js b/src/routes/test/users-test.js index e0c7a62a5..c3be261e3 100644 --- a/src/routes/test/users-test.js +++ b/src/routes/test/users-test.js @@ -483,7 +483,6 @@ describe('Users API', function () { }); describe('admin status', function () { - it('set second user as admin succeeds', function (done) { superagent.post(SERVER_URL + '/api/v1/users/' + user_1.id) .query({ access_token: token }) 
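Review bot: Correcting PERMISSION_MANAGE_USERS changes the value that hasPermission compares against, so any permissions JSON already persisted under the old `'manange_users'` spelling would stop matching after deploy, silently dropping the permission instead of failing loudly. Whether that can happen depends on whether the misspelled value was ever written to the `permissionsJson` column, which this hunk does not show; if it was, a one-off rewrite of the stored values (or accepting the old spelling as an alias for a transition period) belongs in the same change. The new tests in users-test.js send the literal `'manage_users'` rather than the constant, so they would not catch a future drift between the two either.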
@@ -593,45 +592,6 @@ describe('Users API', function () { }); }); - describe('remove', function () { - - it('remove random user fails', function (done) { - superagent.del(SERVER_URL + '/api/v1/users/randomid') - .query({ access_token: token }) - .end(function (err, res) { - expect(res.statusCode).to.equal(404); - done(); - }); - }); - - it('user removes himself is not allowed', function (done) { - superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id) - .query({ access_token: token }) - .end(function (err, res) { - expect(res.statusCode).to.equal(409); - done(); - }); - }); - - it('admin removes normal user', function (done) { - superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id) - .query({ access_token: token }) - .end(function (err, res) { - expect(res.statusCode).to.equal(204); - done(); - }); - }); - - it('admin removes himself should not be allowed', function (done) { - superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id) - .query({ access_token: token }) - .end(function (err, res) { - expect(res.statusCode).to.equal(409); - done(); - }); - }); - }); - describe('update', function () { // Change email it('change email fails due to missing token', function (done) { 
@@ -835,5 +795,134 @@ describe('Users API', function () {
 });
 });
 });
+
+
+ describe('permissions', function () {
+ it('can make second user a usermanager', function (done) {
+ superagent.post(SERVER_URL + '/api/v1/users/' + user_1.id)
+ .query({ access_token: token })
+ .send({ permissions: [ 'manage_users' ] })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(204);
+ done();
+ });
+ });
+
+ it('can list users as usermanager', function (done) {
+ superagent.get(SERVER_URL + '/api/v1/users')
+ .query({ access_token: token_1 })
+ .end(function (error, res) {
+ expect(res.statusCode).to.equal(200);
+ done();
+ });
+ });
+
+ it('cannot set password of admin', function (done) {
+ superagent.post(SERVER_URL + '/api/v1/users/' + user_0.id + '/password')
+ .query({ access_token: token_1 })
+ .send({ password: 'bigenough' })
+ .end(function (error, result) {
+ expect(result.statusCode).to.equal(403);
+ done();
+ });
+ });
+
+ it('can set password of another', function (done) {
+ superagent.post(SERVER_URL + '/api/v1/users/' + user_2.id + '/password')
+ .query({ access_token: token_1 })
+ .send({ password: 'bigenough' })
+ .end(function (error, result) {
+ expect(result.statusCode).to.equal(204);
+ done();
+ });
+ });
+
+ it('cannot create invite for admin', function (done) {
+ superagent.post(SERVER_URL + '/api/v1/users/' + user_0.id + '/create_invite')
+ .query({ access_token: token_1 })
+ .send({})
+ .end(function (err, result) {
+ expect(result.statusCode).to.equal(403);
+ done();
+ });
+ });
+
+ it('cannot change admin bit of another', function (done) {
+ superagent.post(SERVER_URL + '/api/v1/users/' + user_2.id)
+ .query({ access_token: token_1 })
+ .send({ admin: true })
+ .end(function (err, result) {
+ expect(result.statusCode).to.equal(403);
+ done();
+ });
+ });
+
+ it('cannot change admin bit of self', function (done) {
+ superagent.post(SERVER_URL + '/api/v1/users/' + user_1.id)
+ .query({ access_token: token_1 })
+ .send({ admin: true })
+ .end(function (err, result) {
+ expect(result.statusCode).to.equal(403);
+ done();
+ });
+ });
+
+ it('cannot remove admin', function (done) {
+ superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
+ .query({ access_token: token_1 })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(403);
+ done();
+ });
+ });
+
+ it('can remove normal user', function (done) {
+ superagent.del(SERVER_URL + '/api/v1/users/' + user_2.id)
+ .query({ access_token: token_1 })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(204);
+ done();
+ });
+ });
+ });
+
+ describe('remove', function () {
+
+ it('remove random user fails', function (done) {
+ superagent.del(SERVER_URL + '/api/v1/users/randomid')
+ .query({ access_token: token })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(404);
+ done();
+ });
+ });
+
+ it('user removes himself is not allowed', function (done) {
+ superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
+ .query({ access_token: token })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(409);
+ done();
+ });
+ });
+
+ it('admin removes normal user', function (done) {
+ superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
+ .query({ access_token: token })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(204);
+ done();
+ });
+ });
+
+ it('admin removes himself should not be allowed', function (done) {
+ superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
+ .query({ access_token: token })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(409);
+ done();
+ });
+ });
+ });
 });
diff --git a/src/userdb.js b/src/userdb.js
index a92dec211..7bba7e109 100644
--- a/src/userdb.js
+++ b/src/userdb.js
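Review bot: The new `permissions` block checks that a usermanager cannot set the admin bit or act on the admin user, but nothing checks that a usermanager cannot change the `permissions` field itself, so a `manage_users` grant being self-propagating (a usermanager granting it to user_2 or to themselves) would go unnoticed. A test shaped like 'cannot change admin bit of another', sending `{ permissions: [ 'manage_users' ] }` to `/api/v1/users/' + user_2.id` with `token_1` and expecting 403, would close that gap; whether the server currently rejects it is not visible from this hunk. Note also that 'can remove normal user' deletes user_2 and the relocated 'remove' block then deletes user_1, so later describes in this file that still reference either user depend on this ordering.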
@@ -251,24 +251,24 @@ function update(userId, user, callback) { assert.strictEqual(typeof user, 'object'); assert.strictEqual(typeof callback, 'function'); + assert(!('username' in user) || (user.username === null || typeof user.username === 'string')); + assert(!('email' in user) || (typeof user.email === 'string')); + assert(!('fallbackEmail' in user) || (typeof user.fallbackEmail === 'string')); + assert(!('twoFactorAuthenticationEnabled' in user) || (typeof user.twoFactorAuthenticationEnabled === 'boolean')); + assert(!('admin' in user) || (typeof user.admin === 'boolean')); + assert(!('active' in user) || (typeof user.active === 'boolean')); + var args = [ ]; var fields = [ ]; for (var k in user) { - fields.push(k + ' = ?'); - - if (k === 'username') { - assert(user.username === null || typeof user.username === 'string'); - args.push(user.username); - } else if (k === 'email' || k === 'fallbackEmail') { - assert.strictEqual(typeof user[k], 'string'); - args.push(user[k]); - } else if (k === 'twoFactorAuthenticationEnabled' || k === 'admin' || k === 'active') { - assert.strictEqual(typeof user[k], 'boolean'); + if (k === 'twoFactorAuthenticationEnabled' || k === 'admin' || k === 'active') { + fields.push(k + ' = ?'); args.push(user[k] ? 1 : 0); } else if (k === 'permissions') { fields.push(`${k}Json = ?`); args.push(JSON.stringify(user[k])); } else { + fields.push(k + ' = ?'); args.push(user[k]); } }
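Review bot: The up-front assertions cover six fields but not `permissions`, which the loop still serializes with `JSON.stringify(user[k])` for any value, and the final `else` branch still interpolates every remaining key of `user` into the statement as `k + ' = ?'`, so an unexpected key on the object reaches the SQL text as a column name. Adding `assert(!('permissions' in user) || Array.isArray(user.permissions));` beside the other checks, and asserting inside the loop that `k` is one of the known columns before `fields.push(k + ' = ?')`, would keep the new guard as strict as the per-key type checks it replaced. `for (var k in user)` also walks inherited enumerable properties; `Object.keys(user)` would restrict the update to own fields. The remainder of update(), where `fields` and `args` are turned into the query, lies outside this hunk.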