sasjs/server
1
0
Fork 0
mirror of https://github.com/sasjs/server.git synced 2025-12-11 03:34:35 +00:00
Code Issues Projects Releases Wiki Activity

fix: add restriction on add/remove user to public group

Browse Source
This commit is contained in:
Sabir Hassan
2022-08-02 18:05:28 +05:00
parent c3e3befc17
commit d3a516c36e
2 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
api/src/controllers/group.ts
View File

@@ -10,7 +10,7 @@ import {
Body Body
} from 'tsoa' } from 'tsoa'
import Group, { GroupPayload } from '../model/Group' import Group, { GroupPayload, PUBLIC_GROUP_NAME } from '../model/Group'
import User from '../model/User' import User from '../model/User'
import { UserResponse } from './user' import { UserResponse } from './user'
@@ -241,6 +241,13 @@ const updateUsersListInGroup = async (
message: 'Group not found.' message: 'Group not found.'
} }
if (group.name === PUBLIC_GROUP_NAME)
throw {
code: 400,
status: 'Bad Request',
message: `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
}
const user = await User.findOne({ id: userId }) const user = await User.findOne({ id: userId })
if (!user) if (!user)
throw { throw {

25
api/src/routes/api/spec/group.spec.ts
View File

@@ -5,6 +5,7 @@ import request from 'supertest'
import appPromise from '../../../app' import appPromise from '../../../app'
import { UserController, GroupController } from '../../../controllers/' import { UserController, GroupController } from '../../../controllers/'
import { generateAccessToken, saveTokensInDB } from '../../../utils' import { generateAccessToken, saveTokensInDB } from '../../../utils'
import { PUBLIC_GROUP_NAME } from '../../../model/Group'
const clientId = 'someclientID' const clientId = 'someclientID'
const adminUser = { const adminUser = {
@@ -27,6 +28,12 @@ const group = {
description: 'DC group for testing purposes.' description: 'DC group for testing purposes.'
} }
const PUBLIC_GROUP = {
name: PUBLIC_GROUP_NAME,
description:
'It is a special group that bypasses authentication for particular routes.'
}
const userController = new UserController() const userController = new UserController()
const groupController = new GroupController() const groupController = new GroupController()
@@ -535,6 +542,24 @@ describe('group', () => {
expect(res.text).toEqual('User not found.') expect(res.text).toEqual('User not found.')
expect(res.body).toEqual({}) expect(res.body).toEqual({})
}) })
it('should respond with Bad Request when adding user to Public group', async () => {
const dbGroup = await groupController.createGroup(PUBLIC_GROUP)
const dbUser = await userController.createUser({
...user,
username: 'publicUser'
})
const res = await request(app)
.post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
.auth(adminAccessToken, { type: 'bearer' })
.send()
.expect(400)
expect(res.text).toEqual(
`Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
)
})
}) })
describe('RemoveUser', () => { describe('RemoveUser', () => {