Commit a2dfff41 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets Committed by Valery Sizov

Dont allow guests..developers to manage group members

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 995d1984
...@@ -39,14 +39,18 @@ module API ...@@ -39,14 +39,18 @@ module API
# Example Request: # Example Request:
# POST /groups/:id/members # POST /groups/:id/members
post ":id/members" do post ":id/members" do
group = find_group(params[:id])
authorize! :manage_group, group
required_attributes! [:user_id, :access_level] required_attributes! [:user_id, :access_level]
unless validate_access_level?(params[:access_level]) unless validate_access_level?(params[:access_level])
render_api_error!("Wrong access level", 422) render_api_error!("Wrong access level", 422)
end end
group = find_group(params[:id])
if group.group_members.find_by(user_id: params[:user_id]) if group.group_members.find_by(user_id: params[:user_id])
render_api_error!("Already exists", 409) render_api_error!("Already exists", 409)
end end
group.add_users([params[:user_id]], params[:access_level]) group.add_users([params[:user_id]], params[:access_level])
member = group.group_members.find_by(user_id: params[:user_id]) member = group.group_members.find_by(user_id: params[:user_id])
present member.user, with: Entities::GroupMember, group: group present member.user, with: Entities::GroupMember, group: group
...@@ -62,7 +66,9 @@ module API ...@@ -62,7 +66,9 @@ module API
# DELETE /groups/:id/members/:user_id # DELETE /groups/:id/members/:user_id
delete ":id/members/:user_id" do delete ":id/members/:user_id" do
group = find_group(params[:id]) group = find_group(params[:id])
member = group.group_members.find_by(user_id: params[:user_id]) authorize! :manage_group, group
member = group.group_members.find_by(user_id: params[:user_id])
if member.nil? if member.nil?
render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404) render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
else else
......
...@@ -115,16 +115,22 @@ describe API::API, api: true do ...@@ -115,16 +115,22 @@ describe API::API, api: true do
context "when a member of the group" do context "when a member of the group" do
it "should delete guest's membership of group" do it "should delete guest's membership of group" do
count_before=group_with_members.group_members.count expect {
delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner) delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
}.to change { group_with_members.members.count }.by(-1)
response.status.should == 200 response.status.should == 200
group_with_members.group_members.count.should == count_before - 1
end end
it "should return a 404 error when user id is not known" do it "should return a 404 error when user id is not known" do
delete api("/groups/#{group_with_members.id}/members/1328", owner) delete api("/groups/#{group_with_members.id}/members/1328", owner)
response.status.should == 404 response.status.should == 404
end end
it "should not allow guest to modify group members" do
delete api("/groups/#{group_with_members.id}/members/#{master.id}", guest)
response.status.should == 403
end
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment