only allow admins to create users
mattciferri committed Sep 20, 2019
1 parent ce5dda2 commit d115d72
Showing 2 changed files with 48 additions and 46 deletions.
2 changes: 1 addition & 1 deletion tests/fixtures/auth.default.json
Expand Up @@ -27,7 +27,7 @@
"user": {
"info": "self",
"list": "public",
"create": "public",
"create": "admin",
"create_session": "self"
},
"style": {
92 changes: 47 additions & 45 deletions tests/users.rs
Expand Up @@ -5,6 +5,7 @@ extern crate postgres;
#[cfg(test)]
mod test {
use std::fs::File;
use std::env;
use std::io::prelude::*;
use postgres::{Connection, TlsMode};
use std::process::Command;
Expand Down Expand Up @@ -41,15 +42,25 @@ mod test {
file.read_to_string(&mut table_sql).unwrap();
conn.batch_execute(&*table_sql).unwrap();
}
let mut server = Command::new("cargo").args(&[ "run" ]).spawn().unwrap();

let mut server = Command::new("cargo").args(&[
"run",
"--",
"--auth", env::current_dir().unwrap().join("tests/fixtures/auth.default.json").to_str().unwrap()
]).spawn().unwrap();

thread::sleep(Duration::from_secs(1));

{ // Seed DB with user to create others
{ // Seed DB with admin user to create others
let conn = Connection::connect("postgres://postgres@localhost:5432/hecate", TlsMode::None).unwrap();
conn.execute("
INSERT INTO users (username, password, email)
VALUES ('ingalls', crypt('yeaheh', gen_salt('bf', 10)), 'ingalls@protonmail.com')
", &[]).unwrap();

conn.execute("
UPDATE users SET access = 'admin' WHERE id = 1;
", &[]).unwrap();
}

{ //Create Username
Expand Down Expand Up @@ -105,9 +116,8 @@ mod test {
.header(reqwest::header::CONTENT_TYPE, "application/json")
.send()
.unwrap();

assert!(resp.status().is_client_error());
assert_eq!(resp.text().unwrap(), "{\"code\":401,\"reason\":\"You must be logged in to access this resource\",\"status\":\"Unauthorized\"}");
assert_eq!(resp.text().unwrap(), "");
}

{ //Feature Upload with bad username
Expand Down Expand Up @@ -279,7 +289,7 @@ mod test {
"username": "filter",
},{
"id": 1,
"access": null,
"access": "admin",
"username": "ingalls",
},{
"id": 2,
Expand Down Expand Up @@ -323,7 +333,7 @@ mod test {

assert_eq!(json_body, json!([{
"id": 1,
"access": null,
"access": "admin",
"username": "ingalls",
},{
"id": 2,
Expand All @@ -349,7 +359,7 @@ mod test {

assert_eq!(json_body, json!([{
"id": 1,
"access": null,
"access": "admin",
"username": "ingalls",
},{
"id": 2,
Expand Down Expand Up @@ -403,79 +413,71 @@ mod test {

assert_eq!(json_body, json!({
"id": 1,
"access": null,
"access": "admin",
"username": "ingalls",
"email": "ingalls@protonmail.com",
"meta": {}
}));
}

{ // A non-admin cannot get user info about an arbitrary user
{ // Create user to be set as admin
let client = reqwest::Client::new();
let resp = client.get("http://localhost:8000/api/user/3")
let mut resp = client.get("http://localhost:8000/api/user/create?username=future_admin&password=yeaheh&email=fake@example.com")
.basic_auth("ingalls", Some("yeaheh"))
.send()
.unwrap();

assert!(resp.status().is_client_error());
assert_eq!(resp.text().unwrap(), "true");
assert!(resp.status().is_success());
}

{ // A non-admin cannot set an admin
{ // An admin can get user info about an arbitrary user
let client = reqwest::Client::new();
let resp = client.put("http://localhost:8000/api/user/1/admin")
let mut resp = client.get("http://localhost:8000/api/user/6")
.basic_auth("ingalls", Some("yeaheh"))
.send()
.unwrap();

assert!(resp.status().is_client_error());
assert!(resp.status().is_success());

let json_body: serde_json::value::Value = resp.json().unwrap();

assert_eq!(json_body, json!({
"id": 6,
"access": null,
"username": "future_admin",
"email": "fake@example.com",
"meta": {}
}));
}

{ // A non-admin cannot unset an admin
{ // A non-admin cannot get user info about an arbitrary user
let client = reqwest::Client::new();
let resp = client.delete("http://localhost:8000/api/user/1/admin")
.basic_auth("ingalls", Some("yeaheh"))
let resp = client.get("http://localhost:8000/api/user/3")
.basic_auth("future_admin", Some("yeaheh"))
.send()
.unwrap();

assert!(resp.status().is_client_error());
}

{
let conn = Connection::connect("postgres://postgres@localhost:5432/hecate", TlsMode::None).unwrap();

conn.execute("
UPDATE users SET access = 'admin' WHERE id = 1;
", &[]).unwrap();
}

{ //Create Second User
{ // A non-admin cannot set an admin
let client = reqwest::Client::new();
let mut resp = client.get("http://localhost:8000/api/user/create?username=future_admin&password=yeaheh&email=fake@example.com")
.basic_auth("ingalls", Some("yeaheh"))
let resp = client.put("http://localhost:8000/api/user/1/admin")
.basic_auth("future_admin", Some("yeaheh"))
.send()
.unwrap();
assert_eq!(resp.text().unwrap(), "true");
assert!(resp.status().is_success());

assert!(resp.status().is_client_error());
}

{ // An admin can get user info about an arbitrary user
{ // A non-admin cannot unset an admin
let client = reqwest::Client::new();
let mut resp = client.get("http://localhost:8000/api/user/6")
.basic_auth("ingalls", Some("yeaheh"))
let resp = client.delete("http://localhost:8000/api/user/1/admin")
.basic_auth("future_admin", Some("yeaheh"))
.send()
.unwrap();

assert!(resp.status().is_success());

let json_body: serde_json::value::Value = resp.json().unwrap();

assert_eq!(json_body, json!({
"id": 6,
"access": null,
"username": "future_admin",
"email": "fake@example.com",
"meta": {}
}));
assert!(resp.status().is_client_error());
}

{ // An admin can set an admin
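Review bot: The new assertions in the last hunk never exercise the authorization boundary this commit introduces — `future_admin` is used to show a non-admin cannot read `/api/user/3` or toggle admin, but there is no request to `/api/user/create` as an authenticated non-admin, so a regression that lets any logged-in user create accounts would still pass; only the unauthenticated case is covered, and that assertion earlier in the file was weakened to an empty body instead of the 401 JSON envelope. I would add the block below after the `future_admin` negative tests. The `GET /api/user/6` lookup also hard-codes an id that depends on how many users earlier blocks created; since the create call returns only `true`, resolving the id from the database by username would be less brittle. The enclosing test function starts before and continues past this hunk.
```rust
{ // A non-admin cannot create users
    let client = reqwest::Client::new();
    let resp = client.get("http://localhost:8000/api/user/create?username=not_allowed&password=yeaheh&email=not_allowed@example.com")
        .basic_auth("future_admin", Some("yeaheh"))
        .send()
        .unwrap();

    assert!(resp.status().is_client_error());
}
```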

0 comments on commit d115d72

Please sign in to comment.