user-right: moderator can't manage admins channel
parent
5e7d46e313
commit
2c627c154e
|
@ -1,5 +1,5 @@
|
||||||
import express from 'express'
|
import express from 'express'
|
||||||
import { UserRight } from '../../shared'
|
import { UserRight, UserRole } from '../../shared'
|
||||||
import { HttpStatusCode } from '../../shared/models/http/http-error-codes'
|
import { HttpStatusCode } from '../../shared/models/http/http-error-codes'
|
||||||
import { logger } from '../helpers/logger'
|
import { logger } from '../helpers/logger'
|
||||||
|
|
||||||
|
@ -34,6 +34,14 @@ async function ensureUserCanManageChannel (req: express.Request, res: express.Re
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const onUser = await res.locals.videoChannel.Account.$get('User')
|
||||||
|
if (user.role === UserRole.MODERATOR && onUser.role === UserRole.ADMINISTRATOR) {
|
||||||
|
return res.fail({
|
||||||
|
status: HttpStatusCode.FORBIDDEN_403,
|
||||||
|
message: 'A moderator can\'t manage an admins video channel.'
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
return next()
|
return next()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
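Review bot: `onUser.role` is read without checking that `$get('User')` returned a row, so if a channel's account has no associated user (an inference, since the Account model is not visible here) the comparison throws instead of producing a clean denial. A guard such as `if (onUser && user.role === UserRole.MODERATOR && onUser.role === UserRole.ADMINISTRATOR) {` keeps the 403 path explicit. The function is `async` and starts outside this hunk, so a rejected `$get` is only handled if the route wraps this middleware in an async error handler; that is worth confirming. The block would also benefit from a short comment stating the rule it enforces, for example `// A moderator must never act on a channel owned by an administrator, even with channel-management rights`.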
|
@ -16,7 +16,7 @@ import {
|
||||||
wait,
|
wait,
|
||||||
waitJobs
|
waitJobs
|
||||||
} from '@shared/extra-utils'
|
} from '@shared/extra-utils'
|
||||||
import { User, VideoChannel } from '@shared/models'
|
import { HttpStatusCode, User, UserRole, VideoChannel } from '@shared/models'
|
||||||
|
|
||||||
const expect = chai.expect
|
const expect = chai.expect
|
||||||
|
|
||||||
|
@ -407,6 +407,28 @@ describe('Test video channels', function () {
|
||||||
expect(body.data[1].displayName).to.equal('video channel updated')
|
expect(body.data[1].displayName).to.equal('video channel updated')
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('Should not allow moderator to update an admins video channel', async function () {
|
||||||
|
this.timeout(15000)
|
||||||
|
|
||||||
|
const { token: moderatorToken } = await servers[0].users.generate('moderator1', UserRole.MODERATOR)
|
||||||
|
const result = await servers[0].users.generate('admin_user', UserRole.ADMINISTRATOR)
|
||||||
|
|
||||||
|
await servers[0].videos.quickUpload({ name: 'video', token: result.token })
|
||||||
|
|
||||||
|
const videoChannelAttributes = {
|
||||||
|
displayName: 'video channel updated',
|
||||||
|
description: 'video channel description updated',
|
||||||
|
support: 'support updated'
|
||||||
|
}
|
||||||
|
|
||||||
|
await servers[0].channels.update({
|
||||||
|
channelName: result.userChannelName,
|
||||||
|
attributes: videoChannelAttributes,
|
||||||
|
expectedStatus: HttpStatusCode.FORBIDDEN_403,
|
||||||
|
token: moderatorToken
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
it('Should create the main channel with an uuid if there is a conflict', async function () {
|
it('Should create the main channel with an uuid if there is a conflict', async function () {
|
||||||
{
|
{
|
||||||
const videoChannel = { name: 'toto_channel', displayName: 'My toto channel' }
|
const videoChannel = { name: 'toto_channel', displayName: 'My toto channel' }
|
||||||
|
|
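Review bot: The new case asserts only the 403 status returned by `channels.update` and never re-reads the admin's channel, so a handler that rejected the request after persisting the attributes would still pass; a follow-up assertion that the display name is unchanged would close that gap. A companion case such as `it('Should allow moderator to update a regular user video channel', ...)` would pin the restriction in both directions and catch an over-broad check. Whether channel removal goes through the same middleware is not visible on this page; if it does, a matching delete case is worth adding. The `quickUpload` call does not appear to feed the assertion and should be either dropped or explained in a one-line comment.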