working

salesforce · Feb 15, 2017 · 970b675 · 970b675
1 parent 2ddc940
commit 970b675
Show file tree

Hide file tree

Showing 5 changed files with 302 additions and 73 deletions.
diff --git a/api/v1/controllers/users.js b/api/v1/controllers/users.js
@@ -110,6 +110,10 @@ module.exports = {
    *
    * Updates a user and sends it back in the response. If any attributes are
    * missing from the body of the request, those attributes are cleared.
+   * If the user is an admin, they can put to any user except for
+   * the out of box admin.
+   * Else if the user is not an admin, they can only PUT themself, if the
+   * profileId does not change
    *
    * @param {IncomingMessage} req - The request object
    * @param {ServerResponse} res - The response object
@@ -121,12 +125,22 @@ module.exports = {
       if (ok) {
         doPut(req, res, next, helper);
       } else {
-        u.forbidden(next);
+
+        // normal user
+        // allow iff user PUTTing themself AND profileId does not change
+        authUtils.getUser(req)
+        .then((user) => {
+          if (req.swagger.params.key.value === user.dataValues.name &&
+            user.dataValues.profileId === req.body.profileId) {
+            doPut(req, res, next, helper);
+          } else {
+            u.forbidden(next);
+          }
+        });
       }
     })
     .catch((err) => {
       u.forbidden(next);
     });
   },
-
 }; // exports
diff --git a/api/v1/swagger.yaml b/api/v1/swagger.yaml
@@ -5015,6 +5015,8 @@ paths:
                   First and last name.
               password:
                 type: string
+              profileId:
+                type: string
             required:
               - name
       responses:

diff --git a/db/model/user.js b/db/model/user.js
@@ -181,7 +181,8 @@ module.exports = function user(seq, dataTypes) {
           .then((hash) => inst.set('password', hash));
         }
 
-        if (inst.get('name').toLowerCase() ===
+        // inst name may be changed. Use previous name for comparison
+        if (inst._previousDataValues.name.toLowerCase() ===
           common.dbconf.adminUser.name.toLowerCase() &&
           inst.changed('profileId')) {
           throw new AdminUpdateDeleteForbidden();

diff --git a/tests/api/v1/users/patch.js b/tests/api/v1/users/patch.js
@@ -50,7 +50,7 @@ describe(`api: PATCH ${path}`, () => {
       profileOneId = profile.id;
       return Profile.create({
         name: pname + TWO,
-      })
+      });
     })
     .then((profile) => {
       profileTwoId = profile.id;
@@ -59,7 +59,7 @@ describe(`api: PATCH ${path}`, () => {
         name: userOne,
         email: userOne,
         password: userOne,
-      })
+      });
     }) // another normal user
     .then(() => User.create({
         profileId: profileTwoId,
@@ -81,7 +81,83 @@ describe(`api: PATCH ${path}`, () => {
 
   after(u.forceDelete);
 
-  it('admin FORBIDDEN from changing their profileId', (done) => {
+  describe('with non-out of box admin:', () => {
+    const userFour = `${tu.namePrefix}wwwwww@refocus.com`;
+    const userZero = `${tu.namePrefix}fffffff@refocus.com`;
+    const adminUserToken = jwtUtil.createToken(
+      userFour, userFour
+    );
+
+    before((done) => {
+      let adminProfileId = '';
+      User.findOne({
+        where: {
+          name: {
+            $iLike: adminUser.name,
+          },
+        },
+      })
+      .then((OBAdminUser) =>
+        adminProfileId = OBAdminUser.profileId
+      ) // create a normal user
+      .then(() => User.create({
+          profileId: profileOneId,
+          name: userZero,
+          email: userZero,
+          password: userZero,
+        })
+      ) // create a normal user
+      .then(() => User.create({
+          profileId: profileOneId,
+          name: userFour,
+          email: userFour,
+          password: userFour,
+        })
+      )
+
+      .then((normalUser) =>
+        normalUser.update({ profileId: adminProfileId })
+      )
+      .then(() => done())
+      .catch(done);
+    });
+
+    it('admin user can change a normal user"s profileId', (done) => {
+      api.patch(path + '/' + userZero)
+      .set('Authorization', adminUserToken)
+      .send({
+        profileId: profileTwoId,
+      })
+      .expect(constants.httpStatus.OK)
+      .end((err, res) => {
+        if (err) {
+          done(err);
+        }
+
+        expect(res.body.profileId).to.equal(profileTwoId);
+        done();
+      });
+    });
+
+    it('admin user can change its own profileId', (done) => {
+      api.patch(path + '/' + userFour)
+      .set('Authorization', adminUserToken)
+      .send({
+        profileId: profileTwoId,
+      })
+      .expect(constants.httpStatus.OK)
+      .end((err, res) => {
+        if (err) {
+          done(err);
+        }
+
+        expect(res.body.profileId).to.equal(profileTwoId);
+        done();
+      });
+    });
+  });
+
+  it('out of box admin FORBIDDEN from changing their profileId', (done) => {
     api.patch(path + '/' + adminUser.name)
     .set('Authorization', adminUserToken)
     .send({
@@ -92,7 +168,7 @@ describe(`api: PATCH ${path}`, () => {
       if (err) {
         done(err);
       }
-      console.log(res.body.errors)
+
       expect(res.body.errors).to.have.length(1);
       expect(res.body.errors).to.have.deep.property('[0].type',
         'AdminUpdateDeleteForbidden');
@@ -111,6 +187,7 @@ describe(`api: PATCH ${path}`, () => {
       if (err) {
         done(err);
       }
+
       expect(res.body.profileId).to.equal(profileTwoId);
       done();
     });