yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add updateRole endpoint (#6771)

Browse Source
This commit is contained in:
Tom Moor
2024-04-06 07:32:15 -06:00
committed by GitHub
parent 52643c511c
commit 3f209101e6
14 changed files with 314 additions and 207 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server/routes/api/users/__snapshots__/users.test.ts.snap
View File

@@ -21,7 +21,7 @@ exports[`#users.delete should require authentication 1`] = `
exports[`#users.demote should not allow demoting self 1`] = `
{
"error": "validation_error",
"message": "Unable to demote the current user",
"message": "You cannot change your own role",
"ok": false,
"status": 400,
}
@@ -30,7 +30,7 @@ exports[`#users.demote should not allow demoting self 1`] = `
exports[`#users.demote should require admin 1`] = `
{
"error": "authorization_error",
"message": "Authorization error",
"message": "Admin role required",
"ok": false,
"status": 403,
}
@@ -39,7 +39,7 @@ exports[`#users.demote should require admin 1`] = `
exports[`#users.promote should require admin 1`] = `
{
"error": "authorization_error",
"message": "Authorization error",
"message": "Admin role required",
"ok": false,
"status": 403,
}

11
server/routes/api/users/schema.ts
View File

@@ -110,6 +110,14 @@ export const UsersActivateSchema = BaseSchema.extend({
export type UsersActivateReq = z.infer<typeof UsersActivateSchema>;
export const UsersChangeRoleSchema = BaseSchema.extend({
body: BaseIdSchema.extend({
role: z.nativeEnum(UserRole),
}),
});
export type UsersChangeRoleReq = z.infer<typeof UsersChangeRoleSchema>;
export const UsersPromoteSchema = BaseSchema.extend({
body: BaseIdSchema,
});
@@ -117,8 +125,7 @@ export const UsersPromoteSchema = BaseSchema.extend({
export type UsersPromoteReq = z.infer<typeof UsersPromoteSchema>;
export const UsersDemoteSchema = BaseSchema.extend({
body: z.object({
id: z.string().uuid(),
body: BaseIdSchema.extend({
to: z.nativeEnum(UserRole).default(UserRole.Member),
}),
});

50
server/routes/api/users/users.test.ts
View File

@@ -555,6 +555,55 @@ describe("#users.update", () => {
});
});
describe("#users.updateRole", () => {
it("should promote", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildUser({ teamId: team.id });
const res = await server.post("/api/users.updateRole", {
body: {
token: admin.getJwtToken(),
id: user.id,
role: UserRole.Admin,
},
});
expect(res.status).toEqual(200);
expect((await user.reload()).role).toEqual(UserRole.Admin);
});
it("should demote", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildAdmin({ teamId: team.id });
const res = await server.post("/api/users.updateRole", {
body: {
token: admin.getJwtToken(),
id: user.id,
role: UserRole.Viewer,
},
});
expect(res.status).toEqual(200);
expect((await user.reload()).role).toEqual(UserRole.Viewer);
});
it("should error on same role", async () => {
const team = await buildTeam();
const admin = await buildAdmin({ teamId: team.id });
const user = await buildAdmin({ teamId: team.id });
const res = await server.post("/api/users.updateRole", {
body: {
token: admin.getJwtToken(),
id: user.id,
role: UserRole.Admin,
},
});
expect(res.status).toEqual(400);
});
});
describe("#users.promote", () => {
it("should promote a new admin", async () => {
const team = await buildTeam();
@@ -631,6 +680,7 @@ describe("#users.demote", () => {
it("should not allow demoting self", async () => {
const admin = await buildAdmin();
await buildAdmin({ teamId: admin.teamId });
const res = await server.post("/api/users.demote", {
body: {
token: admin.getJwtToken(),

180
server/routes/api/users/users.ts
View File

@@ -1,8 +1,8 @@
import Router from "koa-router";
import { Op, WhereOptions } from "sequelize";
import { UserPreference, UserRole } from "@shared/types";
import { UserRoleHelper } from "@shared/utils/UserRoleHelper";
import { UserValidation } from "@shared/validations";
import userDemoter from "@server/commands/userDemoter";
import userDestroyer from "@server/commands/userDestroyer";
import userInviter from "@server/commands/userInviter";
import userSuspender from "@server/commands/userSuspender";
@@ -255,92 +255,124 @@ router.post(
);
// Admin specific
/**
* Promote a user to an admin.
*
* @deprecated Use `users.updateRole` instead.
*/
router.post(
"users.promote",
auth(),
auth({ admin: true }),
validate(T.UsersPromoteSchema),
transaction(),
async (ctx: APIContext<T.UsersPromoteReq>) => {
const { transaction } = ctx.state;
const userId = ctx.input.body.id;
const actor = ctx.state.auth.user;
const teamId = actor.teamId;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
authorize(actor, "promote", user);
await user.promote({
transaction,
});
await Event.create(
{
name: "users.promote",
actorId: actor.id,
userId,
teamId,
data: {
name: user.name,
},
ip: ctx.request.ip,
(ctx: APIContext<T.UsersPromoteReq>) => {
const forward = ctx as unknown as APIContext<T.UsersChangeRoleReq>;
forward.input = {
body: {
id: ctx.input.body.id,
role: UserRole.Admin,
},
{
transaction,
}
);
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
return updateRole(forward);
}
);
/**
* Demote a user to another role.
*
* @deprecated Use `users.updateRole` instead.
*/
router.post(
"users.demote",
auth({ admin: true }),
validate(T.UsersDemoteSchema),
transaction(),
(ctx: APIContext<T.UsersDemoteReq>) => {
const forward = ctx as unknown as APIContext<T.UsersChangeRoleReq>;
forward.input = {
body: {
id: ctx.input.body.id,
role: ctx.input.body.to,
},
};
return updateRole(forward);
}
);
router.post(
"users.demote",
auth(),
validate(T.UsersDemoteSchema),
"users.updateRole",
auth({ admin: true }),
validate(T.UsersChangeRoleSchema),
transaction(),
async (ctx: APIContext<T.UsersDemoteReq>) => {
const { transaction } = ctx.state;
const { to, id: userId } = ctx.input.body;
const actor = ctx.state.auth.user;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
authorize(actor, "demote", user);
await Team.findByPk(user.teamId, {
transaction,
lock: transaction.LOCK.UPDATE,
});
await userDemoter({
to,
user,
actorId: actor.id,
transaction,
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
}
updateRole
);
async function updateRole(ctx: APIContext<T.UsersChangeRoleReq>) {
const { transaction } = ctx.state;
const userId = ctx.input.body.id;
const role = ctx.input.body.role;
const actor = ctx.state.auth.user;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
await Team.findByPk(user.teamId, {
transaction,
lock: transaction.LOCK.UPDATE,
});
let name;
if (user.role === role) {
throw ValidationError("User is already in that role");
}
if (user.id === actor.id) {
throw ValidationError("You cannot change your own role");
}
if (UserRoleHelper.canDemote(user, role)) {
name = "users.demote";
authorize(actor, "demote", user);
}
if (UserRoleHelper.canPromote(user, role)) {
name = "users.promote";
authorize(actor, "promote", user);
}
await user.update({ role }, { transaction });
await Event.create(
{
name,
userId,
actorId: actor.id,
teamId: actor.teamId,
data: {
name: user.name,
role,
},
ip: ctx.request.ip,
},
{
transaction,
}
);
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
}
router.post(
"users.suspend",
auth(),