diff --git a/packages/worker/src/api/routes/global/tests/users.spec.ts b/packages/worker/src/api/routes/global/tests/users.spec.ts index 218bc60800..8984105c88 100644 --- a/packages/worker/src/api/routes/global/tests/users.spec.ts +++ b/packages/worker/src/api/routes/global/tests/users.spec.ts @@ -262,6 +262,14 @@ describe("/api/global/users", () => { expect(events.user.created).toBeCalledTimes(1) }) + + it("should not allow a non-admin user to create a new user", async () => { + const nonAdmin = await config.createUser(structures.users.builderUser()) + await config.createSession(nonAdmin) + + const newUser = structures.users.user() + await api.users.saveUser(newUser, 403, config.authHeaders(nonAdmin)) + }) }) describe("update", () => { @@ -418,6 +426,14 @@ describe("/api/global/users", () => { expect(user).toStrictEqual(dbUser) expect(response.body.message).toBe("Email address cannot be changed") }) + + it("should allow a non-admin user to update an existing user", async () => { + const existingUser = await config.createUser(structures.users.user()) + const nonAdmin = await config.createUser(structures.users.builderUser()) + await config.createSession(nonAdmin) + + await api.users.saveUser(existingUser, 200, config.authHeaders(nonAdmin)) + }) }) describe("bulk (delete)", () => { diff --git a/packages/worker/src/api/routes/global/users.js b/packages/worker/src/api/routes/global/users.js index 2d9b1d9ac9..af1fbb0baf 100644 --- a/packages/worker/src/api/routes/global/users.js +++ b/packages/worker/src/api/routes/global/users.js @@ -40,6 +40,14 @@ function buildInviteMultipleValidation() { )) } +const createUserAdminOnly = (ctx, next) => { + if (!ctx.request.body._id) { + return adminOnly(ctx, next) + } else { + return builderOrAdmin(ctx, next) + } +} + function buildInviteAcceptValidation() { // prettier-ignore return joiValidator.body(Joi.object({ 
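Review bot: The new "should allow a non-admin user to update an existing user" case asserts only a 200 for a body that is `existingUser` sent back unchanged, so it does not pin what a builder is allowed to change once past the middleware; the spec would look the same whether or not a builder can write privilege-bearing fields on another account. Add a sibling case that sends an elevated copy, e.g. `await api.users.saveUser({ ...existingUser, admin: { global: true } }, 403, config.authHeaders(nonAdmin))`, and one where `nonAdmin` edits its own record the same way; the exact shape of the flag follows whatever `structures.users.builderUser()` sets (not visible here) and the expected status depends on how `controller.save`, outside this diff, rejects it. It is also worth reading the user back after the 200 and checking it still equals `existingUser`, since a silent partial write would otherwise pass.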
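Review bot: `createUserAdminOnly` decides between `adminOnly` and `builderOrAdmin` solely on whether `ctx.request.body._id` is truthy, and that field is attacker-controlled: any builder can send an `_id` (its own, an admin's, or a fabricated one) and reach `controller.save` through the weaker branch. Whether that lets a builder change another user's roles or `admin`/`builder` flags, or create a document under a made-up `_id`, depends on checks inside `controller.save`, which is outside this hunk; if that controller does not restrict non-admin callers to non-privileged fields (and, presumably, to existing documents), this change is a privilege-escalation path, and the test in this diff that lets a builder update an arbitrary user suggests no such restriction is asserted. At minimum the middleware should document the assumption it relies on, e.g. `// NOTE: body._id is client-supplied; this only selects the role check. controller.save must itself refuse privilege changes (admin/builder/roles) from non-admin callers and reject unknown _ids.` Also guard the missing-body case, since this runs before `users.buildUserSaveValidation()`: `const body = ctx.request.body || {}` and test `body._id`.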
@@ -51,7 +59,7 @@ function buildInviteAcceptValidation() { router .post( "/api/global/users", - adminOnly, + createUserAdminOnly, users.buildUserSaveValidation(), controller.save ) diff --git a/packages/worker/src/tests/api/users.ts b/packages/worker/src/tests/api/users.ts index 3677bfffc6..a2f26052bc 100644 --- a/packages/worker/src/tests/api/users.ts +++ b/packages/worker/src/tests/api/users.ts @@ -91,11 +91,11 @@ export class UserAPI { // USER - saveUser = (user: User, status?: number) => { + saveUser = (user: User, status?: number, headers?: any) => { return this.request .post(`/api/global/users`) .send(user) - .set(this.config.defaultHeaders()) + .set(headers ?? this.config.defaultHeaders()) .expect("Content-Type", /json/) .expect(status ? status : 200) }
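Review bot: `headers?: any` on `saveUser` turns off type-checking for the one argument that carries authentication, which is exactly where a test helper should be strict. `config.authHeaders(...)` and `this.config.defaultHeaders()` are presumably both plain header maps (they are passed straight to supertest's `.set`), so `headers?: Record<string, string>` keeps every call site unchanged while catching a caller that passes a session or user object by mistake; the changed line would be `saveUser = (user: User, status?: number, headers?: Record<string, string>) => {`. If other helpers in this class take a headers parameter, give them the same type for consistency.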