Merge pull request #8844 from Budibase/bug/sev2/dev-user-permissions

Allow developers to set user access
melohagan 2022-11-30 09:39:22 +00:00 committed by GitHub
commit a16a991541
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 3 deletions


@ -262,6 +262,14 @@ describe("/api/global/users", () => {
expect(events.user.created).toBeCalledTimes(1) expect(events.user.created).toBeCalledTimes(1)
}) })
it("should not allow a non-admin user to create a new user", async () => {
const nonAdmin = await config.createUser(structures.users.builderUser())
await config.createSession(nonAdmin)
const newUser = structures.users.user()
await api.users.saveUser(newUser, 403, config.authHeaders(nonAdmin))
})
}) })
describe("update", () => { describe("update", () => {
@ -418,6 +426,14 @@ describe("/api/global/users", () => {
expect(user).toStrictEqual(dbUser) expect(user).toStrictEqual(dbUser)
expect(response.body.message).toBe("Email address cannot be changed") expect(response.body.message).toBe("Email address cannot be changed")
}) })
it("should allow a non-admin user to update an existing user", async () => {
const existingUser = await config.createUser(structures.users.user())
const nonAdmin = await config.createUser(structures.users.builderUser())
await config.createSession(nonAdmin)
await api.users.saveUser(existingUser, 200, config.authHeaders(nonAdmin))
})
}) })
describe("bulk (delete)", () => { describe("bulk (delete)", () => {
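Review bot: The new test "should allow a non-admin user to update an existing user" (second hunk) builds its actor with `structures.users.builderUser()`, so it only exercises the builder branch of `builderOrAdmin` and never checks that a user who is neither builder nor admin is still rejected, which is the boundary the router change actually relies on. A companion case that creates a plain user with `structures.users.user()`, opens a session for it and expects `403` from `api.users.saveUser(existingUser, 403, config.authHeaders(plainUser))` would pin that down, and renaming the existing test to say "builder" rather than "non-admin" would make what it covers explicit. It would also be worth a case where the builder's update payload attempts to grant the target user admin rights, since nothing visible here shows whether `controller.save` limits which fields a builder may change. Both enclosing describe blocks start and end outside the hunks.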


@ -40,6 +40,14 @@ function buildInviteMultipleValidation() {
)) ))
} }
const createUserAdminOnly = (ctx, next) => {
if (!ctx.request.body._id) {
return adminOnly(ctx, next)
} else {
return builderOrAdmin(ctx, next)
}
}
function buildInviteAcceptValidation() { function buildInviteAcceptValidation() {
// prettier-ignore // prettier-ignore
return joiValidator.body(Joi.object({ return joiValidator.body(Joi.object({
@ -51,7 +59,7 @@ function buildInviteAcceptValidation() {
router router
.post( .post(
"/api/global/users", "/api/global/users",
adminOnly, createUserAdminOnly,
users.buildUserSaveValidation(), users.buildUserSaveValidation(),
controller.save controller.save
) )
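Review bot: `createUserAdminOnly` (first hunk) picks the weaker `builderOrAdmin` check solely on whether `ctx.request.body._id` is present, and that field is supplied by the caller. A builder can therefore send a body carrying an `_id` that does not match any existing user and bypass `adminOnly`; whether that ends up creating a new user depends on how `controller.save` treats an unknown `_id`, which is outside this hunk and should be confirmed. At minimum the assumption belongs in a comment above the function, e.g. `// _id is client-controlled: the save handler must refuse to create a user for a non-admin when _id does not resolve to an existing document`, and the save path should enforce it rather than trusting the body shape. A short JSDoc stating that this middleware only distinguishes create from update would also help readers of the route table in the second hunk.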


@ -91,11 +91,11 @@ export class UserAPI {
// USER // USER
saveUser = (user: User, status?: number) => { saveUser = (user: User, status?: number, headers?: any) => {
return this.request return this.request
.post(`/api/global/users`) .post(`/api/global/users`)
.send(user) .send(user)
.set(this.config.defaultHeaders()) .set(headers ?? this.config.defaultHeaders())
.expect("Content-Type", /json/) .expect("Content-Type", /json/)
.expect(status ? status : 200) .expect(status ? status : 200)
} }
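Review bot: The new `headers?: any` parameter on `saveUser` disables type checking for every caller; since the value goes straight into `.set(...)`, a concrete object type such as `headers?: Record<string, string>` keeps call sites honest without changing behavior. On the `.set(headers ?? this.config.defaultHeaders())` line, a supplied `headers` object replaces the default headers entirely rather than merging with them, so if `defaultHeaders()` carries anything beyond authentication, callers passing only auth headers silently lose it — confirm that is intended, or use `.set({ ...this.config.defaultHeaders(), ...headers })`. The `UserAPI` class continues outside the hunk.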