Merge pull request #13233 from Budibase/fix/group-fields-protection

Group fields protection
This commit is contained in:
Adria Navarro 2024-03-12 10:28:13 +01:00 committed by GitHub
commit 4f30c45ed6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 113 additions and 27 deletions

View File

@ -49,7 +49,8 @@
$: group = $groups.find(x => x._id === groupId)
$: isScimGroup = group?.scimInfo?.isSync
$: readonly = !sdk.users.isAdmin($auth.user) || isScimGroup
$: isAdmin = sdk.users.isAdmin($auth.user)
$: readonly = !isAdmin || isScimGroup
$: groupApps = $apps
.filter(app =>
groups.actions
@ -123,14 +124,18 @@
<span slot="control">
<Icon hoverable name="More" />
</span>
<MenuItem icon="Refresh" on:click={() => editModal.show()}>
<MenuItem
icon="Refresh"
on:click={() => editModal.show()}
disabled={!isAdmin}
>
Edit
</MenuItem>
<div title={isScimGroup && "Group synced from your AD"}>
<MenuItem
icon="Delete"
on:click={() => deleteModal.show()}
disabled={isScimGroup}
disabled={readonly}
>
Delete
</MenuItem>
@ -139,7 +144,7 @@
</div>
<Layout noPadding gap="S">
<GroupUsers {groupId} {readonly} />
<GroupUsers {groupId} {readonly} {isScimGroup} />
</Layout>
<Layout noPadding gap="S">

View File

@ -13,6 +13,7 @@
export let groupId
export let readonly
export let isScimGroup
let emailSearch
let fetchGroupUsers
@ -61,10 +62,10 @@
</script>
<div class="header">
{#if !readonly}
<EditUserPicker {groupId} onUsersUpdated={fetchGroupUsers.getInitialData} />
{:else}
{#if isScimGroup}
<ActiveDirectoryInfo text="Users synced from your AD" />
{:else if !readonly}
<EditUserPicker {groupId} onUsersUpdated={fetchGroupUsers.getInitialData} />
{/if}
<div class="controls-right">

View File

@ -35,7 +35,9 @@ export function createGroupsStore() {
get: getGroup,
save: async group => {
const { _scimInfo, ...dataToSave } = group
const { ...dataToSave } = group
delete dataToSave.scimInfo
delete dataToSave.userGroups
const response = await API.saveGroup(dataToSave)
group._id = response._id
group._rev = response._rev

@ -1 +1 @@
Subproject commit e565db07f6c51868087e88dfebde0328493443e6
Subproject commit c4c98ae70f2e936009250893898ecf11f4ddf2c3

View File

@ -104,19 +104,81 @@ describe("/api/global/groups", () => {
expect(events.group.permissionsEdited).not.toBeCalled()
})
describe("scim", () => {
async function createScimGroup() {
mocks.licenses.useScimIntegration()
await config.setSCIMConfig(true)
const scimGroup = await config.api.scimGroupsAPI.post({
body: structures.scim.createGroupRequest({
displayName: generator.word(),
}),
})
const { body: group } = await config.api.groups.find(scimGroup.id)
expect(group).toBeDefined()
return group
}
it("update will not allow sending SCIM fields", async () => {
const group = await createScimGroup()
const updatedGroup: UserGroup = {
...group,
name: generator.word(),
}
await config.api.groups.saveGroup(updatedGroup, {
expect: {
message: 'Invalid body - "scimInfo" is not allowed',
status: 400,
},
})
expect(events.group.updated).not.toBeCalled()
})
it("update will not amend the SCIM fields", async () => {
const group: UserGroup = await createScimGroup()
const updatedGroup: UserGroup = {
...group,
name: generator.word(),
scimInfo: undefined,
}
await config.api.groups.saveGroup(updatedGroup, {
expect: 200,
})
expect(events.group.updated).toBeCalledTimes(1)
expect(
(
await config.api.groups.find(group._id!, {
expect: 200,
})
).body
).toEqual(
expect.objectContaining({
...group,
name: updatedGroup.name,
scimInfo: group.scimInfo,
_rev: expect.any(String),
})
)
})
})
})
describe("destroy", () => {
it("should be able to delete a basic group", async () => {
const group = structures.groups.UserGroup()
let oldGroup = await config.api.groups.saveGroup(group)
await config.api.groups.deleteGroup(
oldGroup.body._id,
oldGroup.body._rev
)
await config.api.groups.deleteGroup(oldGroup.body._id, oldGroup.body._rev)
expect(events.group.deleted).toBeCalledTimes(1)
})
})
})
describe("find users", () => {
describe("without users", () => {
@ -147,7 +209,7 @@ describe("/api/global/groups", () => {
await Promise.all(
Array.from({ length: 30 }).map(async (_, i) => {
const email = `user${i}@example.com`
const email = `user${i}+${generator.guid()}@example.com`
const user = await config.api.users.saveUser({
...structures.users.user(),
email,
@ -257,12 +319,16 @@ describe("/api/global/groups", () => {
})
})
it("update should return 200", async () => {
it("update should return forbidden", async () => {
await config.withUser(builder, async () => {
await config.api.groups.updateGroupUsers(group._id!, {
await config.api.groups.updateGroupUsers(
group._id!,
{
add: [builder._id!],
remove: [],
})
},
{ expect: 403 }
)
})
})
})

View File

@ -7,7 +7,10 @@ export class GroupsAPI extends TestAPI {
super(config)
}
saveGroup = (group: UserGroup, { expect } = { expect: 200 }) => {
saveGroup = (
group: UserGroup,
{ expect }: { expect: number | object } = { expect: 200 }
) => {
return this.request
.post(`/api/global/groups`)
.send(group)
@ -44,14 +47,15 @@ export class GroupsAPI extends TestAPI {
updateGroupUsers = (
id: string,
body: { add: string[]; remove: string[] }
body: { add: string[]; remove: string[] },
{ expect } = { expect: 200 }
) => {
return this.request
.post(`/api/global/groups/${id}/users`)
.send(body)
.set(this.config.defaultHeaders())
.expect("Content-Type", /json/)
.expect(200)
.expect(expect)
}
fetch = ({ expect } = { expect: 200 }) => {
@ -61,4 +65,12 @@ export class GroupsAPI extends TestAPI {
.expect("Content-Type", /json/)
.expect(expect)
}
find = (id: string, { expect } = { expect: 200 }) => {
return this.request
.get(`/api/global/groups/${id}`)
.set(this.config.defaultHeaders())
.expect("Content-Type", /json/)
.expect(expect)
}
}