Merge pull request #8844 from Budibase/bug/sev2/dev-user-permissions
Allow developers to set user access
233d1dc47b
@ -262,6 +262,14 @@ describe("/api/global/users", () => {
expect(events.user.created).toBeCalledTimes(1)
expect(events.user.created).toBeCalledTimes(1)
})
})
it("should not allow a non-admin user to create a new user", async () => {
const nonAdmin = await config.createUser(structures.users.builderUser())
await config.createSession(nonAdmin)
const newUser = structures.users.user()
await api.users.saveUser(newUser, 403, config.authHeaders(nonAdmin))
})
})
})
describe("update", () => {
describe("update", () => {
@ -418,6 +426,14 @@ describe("/api/global/users", () => {
expect(user).toStrictEqual(dbUser)
expect(user).toStrictEqual(dbUser)
expect(response.body.message).toBe("Email address cannot be changed")
expect(response.body.message).toBe("Email address cannot be changed")
})
})
it("should allow a non-admin user to update an existing user", async () => {
const existingUser = await config.createUser(structures.users.user())
const nonAdmin = await config.createUser(structures.users.builderUser())
await config.createSession(nonAdmin)
await api.users.saveUser(existingUser, 200, config.authHeaders(nonAdmin))
})
})
})
describe("bulk (delete)", () => {
describe("bulk (delete)", () => {
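Review bot: The new `should allow a non-admin user to update an existing user` case (second hunk of this file) only shows that a builder session reaches `controller.save` and gets a 200; it sends `existingUser` back unmodified, so it does not exercise the thing this PR is about — whether a builder may change another user's access — and an accidental widening (a builder raising the target's, or their own, access level) would still pass it. Add a companion case that submits `existingUser` with the fields that grant admin/builder access raised and asserts the status the policy intends, or read the stored user back after the save and assert its access fields are unchanged. The first hunk's 403 case covers creation only, so update is currently the untested direction. The `describe("update", …)` block continues outside the hunk.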
@ -40,6 +40,14 @@ function buildInviteMultipleValidation() {
))
))
}
}
const createUserAdminOnly = (ctx, next) => {
if (!ctx.request.body._id) {
return adminOnly(ctx, next)
} else {
return builderOrAdmin(ctx, next)
}
}
function buildInviteAcceptValidation() {
function buildInviteAcceptValidation() {
// prettier-ignore
// prettier-ignore
return joiValidator.body(Joi.object({
return joiValidator.body(Joi.object({
@ -51,7 +59,7 @@ function buildInviteAcceptValidation() {
router
router
.post(
.post(
"/api/global/users",
"/api/global/users",
adminOnly,
createUserAdminOnly,
users.buildUserSaveValidation(),
users.buildUserSaveValidation(),
controller.save
controller.save
)
)
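Review bot: `createUserAdminOnly` (first hunk of this file) picks `adminOnly` versus `builderOrAdmin` solely on whether the request body carries an `_id`, which is a caller-supplied value; unless `controller.save` (outside this hunk) refuses an `_id` that does not resolve to an existing user, a builder-level session is routed down the update path for what is effectively a create. Have the middleware, or the controller when the caller is not an admin, confirm the `_id` belongs to an existing user before taking the builder path and answer 403 on a failed lookup instead of falling through. This middleware also runs ahead of `users.buildUserSaveValidation()` in the route (second hunk), so `ctx.request.body` may be absent and `ctx.request.body._id` would throw; `const id = ctx.request.body?._id` guards that. The `(ctx, next)` parameters carry no annotations, so they are implicitly `any`; giving them the same context and next types the other middleware in this file use keeps the check under strict mode.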
@ -91,11 +91,11 @@ export class UserAPI {
// USER
// USER
saveUser = (user: User, status?: number) => {
saveUser = (user: User, status?: number, headers?: any) => {
return this.request
return this.request
.post(`/api/global/users`)
.post(`/api/global/users`)
.send(user)
.send(user)
.set(this.config.defaultHeaders())
.set(headers ?? this.config.defaultHeaders())
.expect("Content-Type", /json/)
.expect("Content-Type", /json/)
.expect(status ? status : 200)
.expect(status ? status : 200)
}
}
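Review bot: `headers?: any` on `saveUser` switches off checking for the one argument that now decides which identity a request is sent as; the value goes straight into `.set(...)`, so `headers?: Record<string, string>` would let the compiler catch a misspelled header key or a non-string value that `any` lets through. Note also that `headers ?? this.config.defaultHeaders()` replaces the default header set wholesale rather than merging, so if `defaultHeaders()` carries anything beyond the session cookie (a tenant or CSRF header, say), callers passing `config.authHeaders(...)` silently drop it — worth confirming `authHeaders` returns the full set, or merging with `.set({ ...this.config.defaultHeaders(), ...headers })` so the caller's values override only the keys they supply. The `UserAPI` class continues outside the hunk.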