fix: Correctly guard against last admin deleting their account (#2069)

* fix: Correctly guard against last admin deleting their account

* test
This commit is contained in:
Tom Moor
2021-04-24 20:52:46 -07:00
committed by GitHub
parent 3fbb3a2403
commit 2d22399bbc
5 changed files with 163 additions and 34 deletions


@ -1,5 +1,6 @@
// @flow
import Router from "koa-router";
import userDestroyer from "../commands/userDestroyer";
import userInviter from "../commands/userInviter";
import userSuspender from "../commands/userSuspender";
import auth from "../middlewares/authentication";
@ -232,17 +233,17 @@ router.post("users.delete", auth(), async (ctx) => {
const { confirmation, id } = ctx.body;
ctx.assertPresent(confirmation, "confirmation is required");
let user = ctx.state.user;
if (id) user = await User.findByPk(id);
authorize(ctx.state.user, "delete", user);
const actor = ctx.state.user;
let user = actor;
if (id) {
user = await User.findByPk(id);
}
await user.destroy();
await Event.create({
name: "users.delete",
actorId: user.id,
userId: user.id,
teamId: user.teamId,
data: { name: user.name },
authorize(actor, "delete", user);
await userDestroyer({
user,
actor,
ip: ctx.request.ip,
});
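Review bot: When `id` is supplied but `User.findByPk(id)` returns null, `user` is null by the time it reaches `authorize(actor, "delete", user)` and the `userDestroyer` call, so the outcome depends on how those helpers treat a null rather than on an explicit check in the handler. The handler already validates input with `ctx.assertPresent`, so a guard in the same style right after the lookup keeps the response deliberate: `ctx.assertPresent(user, "user not found");` (or a 404 via `ctx.throw(404, "user not found")` if that is the project's convention for missing records). The last-admin guard this commit is about presumably now lives inside `userDestroyer`, which is outside this hunk and cannot be reviewed here; the `users.delete` handler also continues past the end of the hunk.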


@ -145,14 +145,6 @@ describe("#users.delete", () => {
expect(res.status).toEqual(400);
});
it("should allow deleting last admin if only user", async () => {
const user = await buildAdmin();
const res = await server.post("/api/users.delete", {
body: { token: user.getJwtToken(), confirmation: true },
});
expect(res.status).toEqual(200);
});
it("should not allow deleting last admin if many users", async () => {
const user = await buildAdmin();
await buildUser({ teamId: user.teamId, isAdmin: false });
@ -165,6 +157,8 @@ describe("#users.delete", () => {
it("should allow deleting user account with confirmation", async () => {
const user = await buildUser();
await buildUser({ teamId: user.teamId });
const res = await server.post("/api/users.delete", {
body: { token: user.getJwtToken(), confirmation: true },
});