Dont allow guests..developers to manage group members
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
This commit is contained in:
Dmitriy Zaporozhets
parent
f6491508fe
commit
eea6a8a17d
2 changed files with 17 additions and 5 deletions
|
|
@ -39,14 +39,18 @@ module API
|
||||||
# Example Request:
|
# Example Request:
|
||||||
# POST /groups/:id/members
|
# POST /groups/:id/members
|
||||||
post ":id/members" do
|
post ":id/members" do
|
||||||
|
group = find_group(params[:id])
|
||||||
|
authorize! :manage_group, group
|
||||||
required_attributes! [:user_id, :access_level]
|
required_attributes! [:user_id, :access_level]
|
||||||
|
|
||||||
unless validate_access_level?(params[:access_level])
|
unless validate_access_level?(params[:access_level])
|
||||||
render_api_error!("Wrong access level", 422)
|
render_api_error!("Wrong access level", 422)
|
||||||
end
|
end
|
||||||
group = find_group(params[:id])
|
|
||||||
if group.group_members.find_by(user_id: params[:user_id])
|
if group.group_members.find_by(user_id: params[:user_id])
|
||||||
render_api_error!("Already exists", 409)
|
render_api_error!("Already exists", 409)
|
||||||
end
|
end
|
||||||
|
|
||||||
group.add_users([params[:user_id]], params[:access_level])
|
group.add_users([params[:user_id]], params[:access_level])
|
||||||
member = group.group_members.find_by(user_id: params[:user_id])
|
member = group.group_members.find_by(user_id: params[:user_id])
|
||||||
present member.user, with: Entities::GroupMember, group: group
|
present member.user, with: Entities::GroupMember, group: group
|
||||||
|
|
@ -62,7 +66,9 @@ module API
|
||||||
# DELETE /groups/:id/members/:user_id
|
# DELETE /groups/:id/members/:user_id
|
||||||
delete ":id/members/:user_id" do
|
delete ":id/members/:user_id" do
|
||||||
group = find_group(params[:id])
|
group = find_group(params[:id])
|
||||||
|
authorize! :manage_group, group
|
||||||
member = group.group_members.find_by(user_id: params[:user_id])
|
member = group.group_members.find_by(user_id: params[:user_id])
|
||||||
|
|
||||||
if member.nil?
|
if member.nil?
|
||||||
render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
|
render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -115,16 +115,22 @@ describe API::API, api: true do
|
||||||
|
|
||||||
context "when a member of the group" do
|
context "when a member of the group" do
|
||||||
it "should delete guest's membership of group" do
|
it "should delete guest's membership of group" do
|
||||||
count_before=group_with_members.group_members.count
|
expect {
|
||||||
delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
|
delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
|
||||||
|
}.to change { group_with_members.members.count }.by(-1)
|
||||||
|
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
group_with_members.group_members.count.should == count_before - 1
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return a 404 error when user id is not known" do
|
it "should return a 404 error when user id is not known" do
|
||||||
delete api("/groups/#{group_with_members.id}/members/1328", owner)
|
delete api("/groups/#{group_with_members.id}/members/1328", owner)
|
||||||
response.status.should == 404
|
response.status.should == 404
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "should not allow guest to modify group members" do
|
||||||
|
delete api("/groups/#{group_with_members.id}/members/#{master.id}", guest)
|
||||||
|
response.status.should == 403
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue