Merge pull request #8844 from Budibase/bug/sev2/dev-user-permissions

Allow developers to set user access
2022-11-30 09:39:22 +00:00 · 2022-11-30 09:39:22 +00:00 · 233d1dc47b
parent 41e017f3ba 6fe2c38bce
commit 233d1dc47b
3 changed files with 27 additions and 3 deletions
--- a/packages/worker/src/api/routes/global/tests/users.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/users.spec.ts
@ -262,6 +262,14 @@ describe("/api/global/users", () => {

      expect(events.user.created).toBeCalledTimes(1)
    })
+
+    it("should not allow a non-admin user to create a new user", async () => {
+      const nonAdmin = await config.createUser(structures.users.builderUser())
+      await config.createSession(nonAdmin)
+
+      const newUser = structures.users.user()
+      await api.users.saveUser(newUser, 403, config.authHeaders(nonAdmin))
+    })
  })

  describe("update", () => {
@ -418,6 +426,14 @@ describe("/api/global/users", () => {
      expect(user).toStrictEqual(dbUser)
      expect(response.body.message).toBe("Email address cannot be changed")
    })
+
+    it("should allow a non-admin user to update an existing user", async () => {
+      const existingUser = await config.createUser(structures.users.user())
+      const nonAdmin = await config.createUser(structures.users.builderUser())
+      await config.createSession(nonAdmin)
+
+      await api.users.saveUser(existingUser, 200, config.authHeaders(nonAdmin))
+    })
  })

  describe("bulk (delete)", () => {
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@ -40,6 +40,14 @@ function buildInviteMultipleValidation() {
  ))
 }

+const createUserAdminOnly = (ctx, next) => {
+  if (!ctx.request.body._id) {
+    return adminOnly(ctx, next)
+  } else {
+    return builderOrAdmin(ctx, next)
+  }
+}
+
 function buildInviteAcceptValidation() {
  // prettier-ignore
  return joiValidator.body(Joi.object({
@ -51,7 +59,7 @@ function buildInviteAcceptValidation() {
 router
  .post(
    "/api/global/users",
-    adminOnly,
+    createUserAdminOnly,
    users.buildUserSaveValidation(),
    controller.save
  )
--- a/packages/worker/src/tests/api/users.ts
+++ b/packages/worker/src/tests/api/users.ts
@ -91,11 +91,11 @@ export class UserAPI {

  // USER

-  saveUser = (user: User, status?: number) => {
+  saveUser = (user: User, status?: number, headers?: any) => {
    return this.request
      .post(`/api/global/users`)
      .send(user)
-      .set(this.config.defaultHeaders())
+      .set(headers ?? this.config.defaultHeaders())
      .expect("Content-Type", /json/)
      .expect(status ? status : 200)
  }