#140 Only allow admins to get another user's communicators

cboard-org · Mar 30, 2021 · 0bcbd49 · 0bcbd49
1 parent 97a839a
commit 0bcbd49
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 2 deletions.
diff --git a/api/controllers/communicator.js b/api/controllers/communicator.js
@@ -51,6 +51,13 @@ async function listCommunicators(req, res) {
 
 async function getCommunicatorsEmail(req, res) {
   const email = req.swagger.params.email.value;
+
+  if (!req.user.isAdmin && req.user.email !== email) {
+    return res.status(403).json({
+      message: "You are not authorized to get this user's communicators."
+    });
+  }
+
   const { search = '' } = req.query;
 
   const searchFields = ['name', 'author', 'description'];

diff --git a/package.json b/package.json
@@ -67,7 +67,7 @@
   "scripts": {
     "dev": "nodemon app.js",
     "start": "node app.js",
-    "test": "swagger project test",
+    "test": "NODE_ENV=test swagger project test",
     "precommit": "lint-staged",
     "snyk-protect": "snyk protect",
     "prepare": "npm run snyk-protect"

diff --git a/test/controllers/communicator.js b/test/controllers/communicator.js
@@ -0,0 +1,46 @@
+const request = require('supertest');
+const server = require('../../app');
+const helper = require('../helper');
+
+describe('Communicator API calls', function () {
+  describe('GET /communicator/byemail/:email', function() {
+    it("only allows an admin to get another user's communicators", async function() {
+      const adminEmail = helper.generateEmail();
+      const admin = await helper.prepareUser(server, {
+        role: 'admin',
+        email: adminEmail,
+      });
+
+      const userEmail = helper.generateEmail();
+      const user = await helper.prepareUser(server, {
+        role: 'user',
+        email: userEmail,
+      });
+
+      // Try to get another user's communicators as a regular user.
+      // This should fail.
+      await request(server)
+        .get(`/communicator/byemail/${encodeURI(adminEmail)}`)
+        .set('Authorization', `Bearer ${user.token}`)
+        .expect({
+          message: "You are not authorized to get this user's communicators.",
+        })
+        .expect(403);
+
+      // Try to get another user's communicators as an admin user.
+      // This should succeed.
+      await request(server)
+        .get(`/communicator/byemail/${encodeURI(userEmail)}`)
+        .set('Authorization', `Bearer ${admin.token}`)
+        .expect(200);
+
+
+      // Try to get my own communicators as a regular user.
+      // This should succeed.
+      await request(server)
+        .get(`/communicator/byemail/${encodeURI(userEmail)}`)
+        .set('Authorization', `Bearer ${user.token}`)
+        .expect(200);
+    });
+  });
+});
diff --git a/test/helper.js b/test/helper.js
@@ -6,6 +6,7 @@ const { token } = require('morgan');
 var request = require('supertest');
 const user = require('../api/controllers/user');
 const should = chai.should();
+const uuid = require('uuid');
 
 const User = require('../api/models/User');
 
@@ -96,7 +97,7 @@ function prepareDb() {
 }
 
 function generateEmail() {
-  return `test${Date.now()}@example.com`;
+  return `test.${uuid.v4()}@example.com`;
 }
 
 /**