Users list only available when user is authenticated

And has a special right
This commit is contained in:
Chocobozzz 2017-11-29 13:18:05 +01:00
parent 165cdc75bf
commit 86d13ec2aa
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
5 changed files with 35 additions and 9 deletions


@ -77,7 +77,7 @@ app.use(morgan('combined', {
})) }))
// For body requests // For body requests
app.use(bodyParser.json({ app.use(bodyParser.json({
type: 'application/*+json', type: [ 'application/json', 'application/*+json' ],
limit: '500kb' limit: '500kb'
})) }))
app.use(bodyParser.urlencoded({ extended: false })) app.use(bodyParser.urlencoded({ extended: false }))
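Review bot: The widening of the JSON parser's `type` on the `bodyParser.json(` line to also accept plain `application/json` is unrelated to the commit's stated purpose (restricting the users listing) and carries no explanation, so a later reader may narrow it back. A one-line comment above the call would fix that, e.g. `// Parse plain application/json as well as +json suffix types; the 500kb limit bounds what is buffered and parsed`. The `limit: '500kb'` is kept, so the maximum body size accepted does not change; whether the library's default strict mode (rejecting non-object/array top-level values) is in effect cannot be seen here and is worth confirming, since plain JSON bodies are now parsed on every route. If the new type was added only to make the tests' default Content-Type parse, saying so in the comment would help.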


@ -48,6 +48,8 @@ usersRouter.get('/me/videos/:videoId/rating',
) )
usersRouter.get('/', usersRouter.get('/',
authenticate,
ensureUserHasRight(UserRight.MANAGE_USERS),
paginationValidator, paginationValidator,
usersSortValidator, usersSortValidator,
setUsersSort, setUsersSort,
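Review bot: The two new guards on `usersRouter.get('/'` are in the right order (authenticate before ensureUserHasRight) and placed before the validators, which is the security-relevant part: an anonymous caller now gets 401 before any query-parameter validation runs, so nothing about validator behaviour is leaked; a comment pinning that ordering would stop a later edit from reordering it, e.g. `// Admin-only: auth and right checks run first so anonymous callers get 401, never 400`. The `usersRouter.get(` statement continues outside the hunk. If this router also exposes a single-user lookup route (outside the hunk), it should carry the same guards, otherwise the listing restriction can be sidestepped by fetching users by id; that cannot be verified from this hunk.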


@ -67,6 +67,7 @@ describe('Test users API validators', function () {
.get(path) .get(path)
.query({ start: 'hello' }) .query({ start: 'hello' })
.set('Accept', 'application/json') .set('Accept', 'application/json')
.set('Authorization', 'Bearer ' + server.accessToken)
.expect(400) .expect(400)
}) })
@ -75,6 +76,7 @@ describe('Test users API validators', function () {
.get(path) .get(path)
.query({ count: 'hello' }) .query({ count: 'hello' })
.set('Accept', 'application/json') .set('Accept', 'application/json')
.set('Authorization', 'Bearer ' + server.accessToken)
.expect(400) .expect(400)
}) })
@ -83,8 +85,24 @@ describe('Test users API validators', function () {
.get(path) .get(path)
.query({ sort: 'hello' }) .query({ sort: 'hello' })
.set('Accept', 'application/json') .set('Accept', 'application/json')
.set('Authorization', 'Bearer ' + server.accessToken)
.expect(400) .expect(400)
}) })
it('Should fail with a non authenticated user', async function () {
await request(server.url)
.get(path)
.set('Accept', 'application/json')
.expect(401)
})
it('Should fail with a non admin user', async function () {
await request(server.url)
.get(path)
.set('Accept', 'application/json')
.set('Authorization', 'Bearer ' + userAccessToken)
.expect(403)
})
}) })
describe('When adding a new user', function () { describe('When adding a new user', function () {
@ -354,7 +372,7 @@ describe('Test users API validators', function () {
describe('When updating a user', function () { describe('When updating a user', function () {
before(async function () { before(async function () {
const res = await getUsersList(server.url) const res = await getUsersList(server.url, server.accessToken)
userId = res.body.data[1].id userId = res.body.data[1].id
rootId = res.body.data[2].id rootId = res.body.data[2].id
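Review bot: The new "Should fail with a non authenticated user" case in the third hunk sends a clean request, so it does not pin that authentication is checked before the pagination/sort validators; adding an invalid query to it, `.query({ start: 'hello' })` next to `.get(path)` while keeping `.expect(401)`, would catch a regression that moves `authenticate` after `paginationValidator` and starts answering anonymous callers with 400. The same applies to the non-admin case, which should still return 403 with a bad query. `userAccessToken` used in that case is not defined in any visible hunk, presumably in the file's setup outside the shown lines. The enclosing describe blocks start outside the hunks.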


@ -1,4 +1,5 @@
/* tslint:disable:no-unused-expression */ /* tslint:disable:no-unused-expression */
import * as chai from 'chai' import * as chai from 'chai'
import 'mocha' import 'mocha'
import { UserRole } from '../../../shared' import { UserRole } from '../../../shared'
@ -28,6 +29,7 @@ import {
} from '../utils' } from '../utils'
import { follow } from '../utils/follows' import { follow } from '../utils/follows'
import { getMyVideos } from '../utils/videos' import { getMyVideos } from '../utils/videos'
import { setAccessTokensToServers } from '../utils/login'
const expect = chai.expect const expect = chai.expect
@ -43,6 +45,8 @@ describe('Test users', function () {
await flushTests() await flushTests()
server = await runServer(1) server = await runServer(1)
await setAccessTokensToServers([ server ])
}) })
it('Should create a new client') it('Should create a new client')
@ -242,7 +246,7 @@ describe('Test users', function () {
}) })
it('Should list all the users', async function () { it('Should list all the users', async function () {
const res = await getUsersList(server.url) const res = await getUsersList(server.url, server.accessToken)
const result = res.body const result = res.body
const total = result.total const total = result.total
const users = result.data const users = result.data
@ -280,7 +284,7 @@ describe('Test users', function () {
}) })
it('Should list only the first user by username asc', async function () { it('Should list only the first user by username asc', async function () {
const res = await getUsersListPaginationAndSort(server.url, 0, 1, 'username') const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, 'username')
const result = res.body const result = res.body
const total = result.total const total = result.total
@ -307,7 +311,7 @@ describe('Test users', function () {
}) })
it('Should list only the first user by username desc', async function () { it('Should list only the first user by username desc', async function () {
const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-username') const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-username')
const result = res.body const result = res.body
const total = result.total const total = result.total
const users = result.data const users = result.data
@ -330,7 +334,7 @@ describe('Test users', function () {
}) })
it('Should list only the second user by createdAt desc', async function () { it('Should list only the second user by createdAt desc', async function () {
const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-createdAt') const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-createdAt')
const result = res.body const result = res.body
const total = result.total const total = result.total
const users = result.data const users = result.data
@ -353,7 +357,7 @@ describe('Test users', function () {
}) })
it('Should list all the users by createdAt asc', async function () { it('Should list all the users by createdAt asc', async function () {
const res = await getUsersListPaginationAndSort(server.url, 0, 2, 'createdAt') const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 2, 'createdAt')
const result = res.body const result = res.body
const total = result.total const total = result.total
const users = result.data const users = result.data


@ -76,17 +76,18 @@ function getUserVideoRating (url: string, accessToken: string, videoId: number)
.expect('Content-Type', /json/) .expect('Content-Type', /json/)
} }
function getUsersList (url: string) { function getUsersList (url: string, accessToken: string) {
const path = '/api/v1/users' const path = '/api/v1/users'
return request(url) return request(url)
.get(path) .get(path)
.set('Accept', 'application/json') .set('Accept', 'application/json')
.set('Authorization', 'Bearer ' + accessToken)
.expect(200) .expect(200)
.expect('Content-Type', /json/) .expect('Content-Type', /json/)
} }
function getUsersListPaginationAndSort (url: string, start: number, count: number, sort: string) { function getUsersListPaginationAndSort (url: string, accessToken: string, start: number, count: number, sort: string) {
const path = '/api/v1/users' const path = '/api/v1/users'
return request(url) return request(url)
@ -95,6 +96,7 @@ function getUsersListPaginationAndSort (url: string, start: number, count: numbe
.query({ count }) .query({ count })
.query({ sort }) .query({ sort })
.set('Accept', 'application/json') .set('Accept', 'application/json')
.set('Authorization', 'Bearer ' + accessToken)
.expect(200) .expect(200)
.expect('Content-Type', /json/) .expect('Content-Type', /json/)
} }
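Review bot: Both helpers still hard-code `.expect(200)`, so the new negative cases (401 without a token, 403 with a non-admin token) cannot reuse them and have to hand-roll the same request in the validator tests. A trailing optional parameter keeps every existing caller working and lets those tests go through the helper: `function getUsersList (url: string, accessToken: string, expectedStatus = 200) {` with `.expect(expectedStatus)`, and likewise for getUsersListPaginationAndSort. Inserting `accessToken` as the second positional parameter of getUsersListPaginationAndSort is a breaking change for any caller not updated in this commit; the ones on this page are updated, others cannot be seen from here. A short doc comment on each helper stating that an admin token is required would also help.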