fix: User can cannot change their own permission

tolgee · Mar 21, 2022 · 79cc46e · 79cc46e
1 parent 30bb84d
commit 79cc46e
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 34 deletions.
diff --git a/backend/app/src/main/kotlin/io/tolgee/api/v2/controllers/OrganizationController.kt b/backend/app/src/main/kotlin/io/tolgee/api/v2/controllers/OrganizationController.kt
@@ -15,11 +15,13 @@ import io.tolgee.api.v2.hateoas.organization.UserAccountWithOrganizationRoleMode
 import io.tolgee.api.v2.hateoas.project.ProjectModel
 import io.tolgee.api.v2.hateoas.project.ProjectModelAssembler
 import io.tolgee.configuration.tolgee.TolgeeProperties
+import io.tolgee.constants.Message
 import io.tolgee.dtos.request.organization.OrganizationDto
 import io.tolgee.dtos.request.organization.OrganizationInviteUserDto
 import io.tolgee.dtos.request.organization.OrganizationRequestParamsDto
 import io.tolgee.dtos.request.organization.SetOrganizationRoleDto
 import io.tolgee.dtos.request.validators.exceptions.ValidationException
+import io.tolgee.exceptions.BadRequestException
 import io.tolgee.exceptions.NotFoundException
 import io.tolgee.exceptions.PermissionException
 import io.tolgee.model.UserAccount
@@ -170,6 +172,9 @@ class OrganizationController(
     @PathVariable("userId") userId: Long,
     @RequestBody dto: SetOrganizationRoleDto
   ) {
+    if (authenticationFacade.userAccount.id == userId) {
+      throw BadRequestException(Message.CANNOT_SET_YOUR_OWN_ROLE)
+    }
     organizationRoleService.checkUserIsOwner(organizationId)
     organizationRoleService.setMemberRole(organizationId, userId, dto)
   }

diff --git a/backend/app/src/test/kotlin/io/tolgee/api/v2/controllers/OrganizationControllerTest.kt b/backend/app/src/test/kotlin/io/tolgee/api/v2/controllers/OrganizationControllerTest.kt
@@ -1,11 +1,13 @@
 package io.tolgee.api.v2.controllers
 
+import io.tolgee.constants.Message
 import io.tolgee.dtos.request.organization.OrganizationDto
 import io.tolgee.dtos.request.organization.OrganizationInviteUserDto
 import io.tolgee.dtos.request.organization.SetOrganizationRoleDto
 import io.tolgee.exceptions.BadRequestException
 import io.tolgee.fixtures.andAssertError
 import io.tolgee.fixtures.andAssertThatJson
+import io.tolgee.fixtures.andHasErrorMessage
 import io.tolgee.fixtures.andIsBadRequest
 import io.tolgee.fixtures.andIsCreated
 import io.tolgee.fixtures.andIsForbidden
@@ -14,6 +16,7 @@ import io.tolgee.fixtures.andPrettyPrint
 import io.tolgee.model.Organization
 import io.tolgee.model.OrganizationRole
 import io.tolgee.model.Permission
+import io.tolgee.model.UserAccount
 import io.tolgee.model.enums.OrganizationRoleType
 import io.tolgee.testing.AuthorizedControllerTest
 import io.tolgee.testing.assertions.Assertions.assertThat
@@ -28,7 +31,7 @@ import org.springframework.transaction.annotation.Transactional
 
 @SpringBootTest
 @AutoConfigureMockMvc
-class OrganizationControllerTest : AuthorizedControllerTest() {
+open class OrganizationControllerTest : AuthorizedControllerTest() {
 
   lateinit var dummyDto: OrganizationDto
   lateinit var dummyDto2: OrganizationDto
@@ -306,43 +309,35 @@ class OrganizationControllerTest : AuthorizedControllerTest() {
 
   @Test
   @Transactional
-  fun testSetUserRole() {
-    this.organizationService.create(dummyDto, userAccount!!).let { organization ->
-      dbPopulator.createUserIfNotExists("superuser").let { createdUser ->
-        OrganizationRole(
-          user = createdUser,
-          organization = organization,
-          type = OrganizationRoleType.OWNER
-        ).let { createdMemberRole ->
-          organizationRoleRepository.save(createdMemberRole)
-          performAuthPut(
-            "/v2/organizations/${organization.id}/users/${createdUser.id}/set-role",
-            SetOrganizationRoleDto(OrganizationRoleType.MEMBER)
-          ).andIsOk
-          createdMemberRole.let { assertThat(it.type).isEqualTo(OrganizationRoleType.MEMBER) }
-        }
-      }
+  open fun testSetUserRole() {
+    withOwnerInOrganization { organization, owner, role ->
+      performAuthPut(
+        "/v2/organizations/${organization.id}/users/${owner.id}/set-role",
+        SetOrganizationRoleDto(OrganizationRoleType.MEMBER)
+      ).andIsOk
+      role.let { assertThat(it.type).isEqualTo(OrganizationRoleType.MEMBER) }
+    }
+  }
+
+  @Test
+  @Transactional
+  open fun `cannot set own permission`() {
+    withOwnerInOrganization { organization, owner, role ->
+      loginAsUser(owner)
+      performAuthPut(
+        "/v2/organizations/${organization.id}/users/${owner.id}/set-role",
+        SetOrganizationRoleDto(OrganizationRoleType.MEMBER)
+      ).andIsBadRequest.andHasErrorMessage(Message.CANNOT_SET_YOUR_OWN_ROLE)
     }
   }
 
   @Test
   fun testRemoveUser() {
-    this.organizationService.create(dummyDto, userAccount!!).let { organization ->
-      dbPopulator.createUserIfNotExists("superuser").let { createdUser ->
-        OrganizationRole(
-          user = createdUser,
-          organization = organization,
-          type = OrganizationRoleType.OWNER
-        ).let { createdMemberRole ->
-          organizationRoleRepository.save(createdMemberRole)
-          performAuthDelete(
-            "/v2/organizations/${organization.id}/users/${createdUser.id}",
-            SetOrganizationRoleDto(OrganizationRoleType.MEMBER)
-          ).andIsOk
-          organizationRoleRepository.findByIdOrNull(createdMemberRole.id!!).let {
-            assertThat(it).isNull()
-          }
-        }
+    withOwnerInOrganization { organization, owner, role ->
+      organizationRoleRepository.save(role)
+      performAuthDelete("/v2/organizations/${organization.id}/users/${owner.id}", null).andIsOk
+      organizationRoleRepository.findByIdOrNull(role.id!!).let {
+        assertThat(it).isNull()
       }
     }
   }
@@ -456,4 +451,21 @@ class OrganizationControllerTest : AuthorizedControllerTest() {
         .isInstanceOf(BadRequestException::class.java)
     }
   }
+
+  private fun withOwnerInOrganization(
+    fn: (organization: Organization, owner: UserAccount, ownerRole: OrganizationRole) -> Unit
+  ) {
+    this.organizationService.create(dummyDto, userAccount!!).let { organization ->
+      dbPopulator.createUserIfNotExists("superuser").let { createdUser ->
+        OrganizationRole(
+          user = createdUser,
+          organization = organization,
+          type = OrganizationRoleType.OWNER
+        ).let { createdOwnerRole ->
+          organizationRoleRepository.save(createdOwnerRole)
+          fn(organization, createdUser, createdOwnerRole)
+        }
+      }
+    }
+  }
 }
diff --git a/backend/data/src/main/kotlin/io/tolgee/constants/Message.kt b/backend/data/src/main/kotlin/io/tolgee/constants/Message.kt
@@ -83,7 +83,8 @@ enum class Message {
   CANNOT_FIND_BASE_LANGUAGE,
   BASE_LANGUAGE_NOT_FOUND,
   NO_EXPORTED_RESULT,
-  MULTIPLE_FILES_MUST_BE_ZIPPED;
+  MULTIPLE_FILES_MUST_BE_ZIPPED,
+  CANNOT_SET_YOUR_OWN_ROLE;
 
   val code: String
     get() = name.lowercase(Locale.getDefault())

diff --git a/backend/testing/src/main/kotlin/io/tolgee/fixtures/statusExpectations.kt b/backend/testing/src/main/kotlin/io/tolgee/fixtures/statusExpectations.kt
@@ -2,6 +2,7 @@ package io.tolgee.fixtures
 
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import com.fasterxml.jackson.module.kotlin.readValue
+import io.tolgee.constants.Message
 import io.tolgee.testing.assertions.Assertions.assertThat
 import io.tolgee.testing.assertions.MvcResultAssert
 import net.javacrumbs.jsonunit.assertj.JsonAssert
@@ -24,6 +25,14 @@ val ResultActions.andIsCreated: ResultActions
 val ResultActions.andIsBadRequest: ResultActions
   get() = this.tryPrettyPrinting { this.andExpect(status().isBadRequest) }
 
+fun ResultActions.andHasErrorMessage(message: Message): ResultActions {
+  return this.tryPrettyPrinting {
+    this.andAssertThatJson {
+      node("code").isEqualTo(message.code)
+    }
+  }
+}
+
 val ResultActions.andIsForbidden: ResultActions
   get() = this.tryPrettyPrinting { this.andExpect(status().isForbidden) }