From 86d13ec2aa94ec10810ddf9c8b33314bd4968791 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Wed, 29 Nov 2017 13:18:05 +0100
Subject: [PATCH] Users list only available when use is authenticated
And has a special right
---
 server.ts | 2 +-
 server/controllers/api/users.ts | 2 ++
 server/tests/api/check-params/users.ts | 20 +++++++++++++++++++-
 server/tests/api/users.ts | 14 +++++++++-----
 server/tests/utils/users.ts | 6 ++++--
 5 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/server.ts b/server.ts
index 0e963c3d3..3221c1790 100644
--- a/server.ts
+++ b/server.ts
@@ -77,7 +77,7 @@ app.use(morgan('combined', {
 }))
 // For body requests
 app.use(bodyParser.json({
- type: 'application/*+json',
+ type: [ 'application/json', 'application/*+json' ],
 limit: '500kb'
 }))
 app.use(bodyParser.urlencoded({ extended: false }))
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index 721b23301..f9b871724 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -48,6 +48,8 @@ usersRouter.get('/me/videos/:videoId/rating',
 )
 usersRouter.get('/',
+ authenticate,
+ ensureUserHasRight(UserRight.MANAGE_USERS),
 paginationValidator,
 usersSortValidator,
 setUsersSort,
diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts
index 578fece49..1e3533bf3 100644
--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
@@ -67,6 +67,7 @@ describe('Test users API validators', function () {
 .get(path)
 .query({ start: 'hello' })
 .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + server.accessToken)
 .expect(400)
 })
@@ -75,6 +76,7 @@ describe('Test users API validators', function () {
 .get(path)
 .query({ count: 'hello' })
 .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + server.accessToken)
 .expect(400)
 })
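Review bot: The widened `type` option on `bodyParser.json` in server.ts — plain `application/json` now parsed alongside `application/*+json` — is not mentioned by the commit message, which only describes the users-list authorization change, so a reader of this hunk cannot tell why it was needed. A comment above the option would carry that, e.g. `// Parse plain application/json bodies as well as any application/*+json subtype`. Keeping the `500kb` limit in place is right, since it now bounds both body types.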
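Review bot: A comment recording the new restriction would help at the route definition in server/controllers/api/users.ts, since `usersRouter.get('/', …)` otherwise reads as a plain listing endpoint: `// Listing users requires an authenticated caller holding the MANAGE_USERS right`. Placing `authenticate` and `ensureUserHasRight(UserRight.MANAGE_USERS)` ahead of the pagination and sort validators is the right order — an anonymous caller is refused before its query string is inspected, which is what the updated check-params tests assume when they send `server.accessToken` to still reach the 400 branch. The hunk does not show where `authenticate`, `ensureUserHasRight` and `UserRight` are imported in this file; presumably they already serve other routes here, but that should be confirmed. The `usersRouter.get('/', …)` call continues past the hunk.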
@@ -83,8 +85,24 @@ describe('Test users API validators', function () {
 .get(path)
 .query({ sort: 'hello' })
 .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + server.accessToken)
 .expect(400)
 })
+
+ it('Should fail with a non authenticated user', async function () {
+ await request(server.url)
+ .get(path)
+ .set('Accept', 'application/json')
+ .expect(401)
+ })
+
+ it('Should fail with a non admin user', async function () {
+ await request(server.url)
+ .get(path)
+ .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + userAccessToken)
+ .expect(403)
+ })
 })
 describe('When adding a new user', function () {
@@ -354,7 +372,7 @@ describe('Test users API validators', function () {
 describe('When updating a user', function () {
 before(async function () {
- const res = await getUsersList(server.url)
+ const res = await getUsersList(server.url, server.accessToken)
 userId = res.body.data[1].id
 rootId = res.body.data[2].id
diff --git a/server/tests/api/users.ts b/server/tests/api/users.ts
index 5c0531571..33646e84f 100644
--- a/server/tests/api/users.ts
+++ b/server/tests/api/users.ts
@@ -1,4 +1,5 @@
 /* tslint:disable:no-unused-expression */
+
 import * as chai from 'chai'
 import 'mocha'
 import { UserRole } from '../../../shared'
@@ -28,6 +29,7 @@ import {
 } from '../utils'
 import { follow } from '../utils/follows'
 import { getMyVideos } from '../utils/videos'
+import { setAccessTokensToServers } from '../utils/login'
 const expect = chai.expect
@@ -43,6 +45,8 @@ describe('Test users', function () {
 await flushTests()
 server = await runServer(1)
+
+ await setAccessTokensToServers([ server ])
 })
 it('Should create a new client')
@@ -242,7 +246,7 @@ describe('Test users', function () {
 })
 it('Should list all the users', async function () {
- const res = await getUsersList(server.url)
+ const res = await getUsersList(server.url, server.accessToken)
 const result = res.body
 const total = result.total
 const users = result.data
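Review bot: The 403 case `it('Should fail with a non admin user', …)` relies on `userAccessToken` belonging to an account without the MANAGE_USERS right, and nothing in this diff creates that account or assigns the token; if the suite's `before` hook (outside the hunk) does not already do so, the request would carry `Bearer undefined` and presumably be rejected before the right check runs, failing the test for an unrelated reason. The three 400 cases above now authenticate as `server.accessToken`, so the pagination and sort validators are only ever exercised with the admin token, which is consistent with the new middleware order on the route. The enclosing `describe` starts before the hunk.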
@@ -280,7 +284,7 @@ describe('Test users', function () {
 })
 it('Should list only the first user by username asc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 1, 'username')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, 'username')
 const result = res.body
 const total = result.total
@@ -307,7 +311,7 @@ describe('Test users', function () {
 })
 it('Should list only the first user by username desc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-username')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-username')
 const result = res.body
 const total = result.total
 const users = result.data
@@ -330,7 +334,7 @@ describe('Test users', function () {
 })
 it('Should list only the second user by createdAt desc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-createdAt')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-createdAt')
 const result = res.body
 const total = result.total
 const users = result.data
@@ -353,7 +357,7 @@ describe('Test users', function () {
 })
 it('Should list all the users by createdAt asc', async function () {
- const res = await getUsersListPaginationAndSort(server.url, 0, 2, 'createdAt')
+ const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 2, 'createdAt')
 const result = res.body
 const total = result.total
 const users = result.data
diff --git a/server/tests/utils/users.ts b/server/tests/utils/users.ts
index 12569dd42..ce04b9d96 100644
--- a/server/tests/utils/users.ts
+++ b/server/tests/utils/users.ts
@@ -76,17 +76,18 @@ function getUserVideoRating (url: string, accessToken: string, videoId: number)
 .expect('Content-Type', /json/)
 }
-function getUsersList (url: string) {
+function getUsersList (url: string, accessToken: string) {
 const path = '/api/v1/users'
 return request(url)
 .get(path)
 .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + accessToken)
 .expect(200)
 .expect('Content-Type', /json/)
 }
-function getUsersListPaginationAndSort (url: string, start: number, count: number, sort: string) {
+function getUsersListPaginationAndSort (url: string, accessToken: string, start: number, count: number, sort: string) {
 const path = '/api/v1/users'
 return request(url)
@@ -95,6 +96,7 @@ function getUsersListPaginationAndSort (url: string, start: number, count: numbe
 .query({ count })
 .query({ sort })
 .set('Accept', 'application/json')
+ .set('Authorization', 'Bearer ' + accessToken)
 .expect(200)
 .expect('Content-Type', /json/)
 }
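Review bot: Both helpers keep a fixed `.expect(200)` right after the new `Authorization` header, so they cannot serve the 401/403 cases this same commit adds in check-params/users.ts, which rebuild the request by hand instead. An optional trailing status parameter would let those negative tests reuse the helper without touching existing callers: `function getUsersList (url: string, accessToken: string, expectedStatus = 200) {` with `.expect(expectedStatus)`, and the same for `getUsersListPaginationAndSort` in the following hunk. A TSDoc line on each, `/** Lists users; the token must belong to an account allowed to manage users. */`, would also record why the token parameter is now mandatory, and placing it second matches `getUserVideoRating (url, accessToken, videoId)` shown in the hunk header. `getUsersListPaginationAndSort` starts in this hunk and its body continues into the next one.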