diff --git a/src/groups.js b/src/groups.js
index 39f1c25c9..8d966c760 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -160,6 +160,12 @@ async function setMembership(user, groupIds) {
 assert.strictEqual(typeof user, 'object');
 assert(Array.isArray(groupIds));
+ for (const groupId of groupIds) {
+ const group = await get(groupId);
+ if (!group) throw new BoxError(BoxError.NOT_FOUND, `Group ${groupId} not found`);
+ if (group.source) throw new BoxError(BoxError.BAD_STATE, 'Cannot set members of external group');
+ }
+
 if (user.source === 'ldap') {
 const config = await externalLdap.getConfig();
 if (config.syncGroups) throw new BoxError(BoxError.BAD_STATE, 'Cannot set groups of external user when syncing groups');
diff --git a/src/test/groups-test.js b/src/test/groups-test.js
index 6280d242b..7e550d746 100644
--- a/src/test/groups-test.js
+++ b/src/test/groups-test.js
@@ -57,7 +57,7 @@ describe('Groups', function () {
 expect(error).to.be(null);
 group0Object = result;
- [error, result] = await safe(groups.add({ name: group1Name, source: 'ldap' }));
+ [error, result] = await safe(groups.add({ name: group1Name}));
 expect(error).to.be(null);
 group1Object = result;
 });
@@ -69,7 +69,7 @@ describe('Groups', function () {
 });
 it('cannot add existing group', async function () {
- const [error] = await safe(groups.add({name: group0Name, source: 'ldap' }));
+ const [error] = await safe(groups.add({name: group0Name }));
 expect(error.reason).to.be(BoxError.ALREADY_EXISTS);
 });
 });
@@ -222,5 +222,10 @@ describe('Groups', function () {
 const [error] = await safe(groups.setMembers(ldapGroup, [ admin.id ], { skipSourceSkip: false }));
 expect(error.reason).to.be(BoxError.BAD_STATE);
 });
+
+ it('cannot set membership', async function () {
+ const [error] = await safe(groups.setMembership(admin, [ ldapGroup.id ]));
+ expect(error.reason).to.be(BoxError.BAD_STATE);
+ });
 });
 });
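Review bot: In the `setMembership` hunk of src/groups.js, the new loop validates only the group IDs being assigned, so it does not cover external-group memberships the user already holds. If the rest of the function (outside this hunk) replaces the user's whole membership set, a call that omits an external group's ID would still remove the user from that group, and a caller cannot resend the current list unchanged without hitting `BAD_STATE`. Consider comparing `groupIds` against the user's current memberships and rejecting, or leaving untouched, any change that involves a group with `source` set. The lookups also run ahead of the write rather than together with it, so it is worth confirming that a group whose `source` changes in between (for example during a directory sync) cannot slip past the check.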
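Review bot: The test added in the last hunk of src/test/groups-test.js covers only the external-group branch of the new check; the `NOT_FOUND` branch for an unknown group ID has no test, and the name `'cannot set membership'` does not say which case it pins. I would rename it to `it('cannot set membership of external group', async function () {` and add a sibling case that passes a non-existent ID and expects `BoxError.NOT_FOUND`. If one is not already present outside this hunk, a positive case showing that a local group ID is still accepted for the same user would guard against the check over-blocking. The enclosing `describe` block starts outside the hunk.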