Do not show suspended users to non admins (#3776)

2022-07-13 09:59:06 +02:00
parent dd6084d044
commit 973cfc3fa3
3 changed files with 75 additions and 37 deletions
--- a/server/routes/api/users.test.ts
+++ b/server/routes/api/users.test.ts
@@ -39,9 +39,26 @@ describe("#users.list", () => {
  });

  it("should allow filtering to suspended users", async () => {
-    const user = await buildUser({
+    const admin = await buildAdmin();
+    await buildUser({
      name: "Tester",
+      teamId: admin.teamId,
+      suspendedAt: new Date(),
    });
+    const res = await server.post("/api/users.list", {
+      body: {
+        query: "test",
+        filter: "suspended",
+        token: admin.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(1);
+  });
+
+  it("should not allow members to view suspended users", async () => {
+    const user = await buildUser();
    await buildUser({
      name: "Tester",
      teamId: user.teamId,
@@ -50,13 +67,12 @@ describe("#users.list", () => {
    const res = await server.post("/api/users.list", {
      body: {
        query: "test",
-        filter: "suspended",
        token: user.getJwtToken(),
      },
    });
    const body = await res.json();
    expect(res.status).toEqual(200);
-    expect(body.data.length).toEqual(1);
+    expect(body.data.length).toEqual(0);
  });

  it("should allow filtering to invited", async () => {
--- a/server/routes/api/users.ts
+++ b/server/routes/api/users.ts
@@ -44,6 +44,16 @@ router.post("users.list", auth(), pagination(), async (ctx) => {
    teamId: actor.teamId,
  };

+  // Filter out suspended users if we're not an admin
+  if (!actor.isAdmin) {
+    where = {
+      ...where,
+      suspendedAt: {
+        [Op.eq]: null,
+      },
+    };
+  }
+
  switch (filter) {
    case "invited": {
      where = { ...where, lastActiveAt: null };
@@ -61,12 +71,14 @@ router.post("users.list", auth(), pagination(), async (ctx) => {
    }

    case "suspended": {
-      where = {
-        ...where,
-        suspendedAt: {
-          [Op.ne]: null,
-        },
-      };
+      if (actor.isAdmin) {
+        where = {
+          ...where,
+          suspendedAt: {
+            [Op.ne]: null,
+          },
+        };
+      }
      break;
    }