chore: Merge branch 'develop' into web/feature/building-creation
arvheule committed May 21, 2023
2 parents 6d523c0 + ad2cb80 commit 5934196
Showing 3 changed files with 89 additions and 1 deletion.
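--- a/api/__tests__/routes/user.test.ts
+++ b/api/__tests__/routes/user.test.ts
@@ -831,6 +831,85 @@ describe("User tests", () => {
 });
 });
 
+describe("Bugs", () => {
+describe("Issue 491: Student is able to make himself Admin", () => {
+describe("Requests to change permissions from users without administrator priviledges must be rejected", () => {
+test("Student's request must be rejected", async () => {
+runner.authLevel(AuthenticationLevel.STUDENT);
+await runner.patch({
+url: "/user/1",
+data: { admin: true },
+expectedResponse: forbiddenResponse,
+statusCode: 403,
+});
+});
+
+test("Superstudent's request must be rejected", async () => {
+runner.authLevel(AuthenticationLevel.SUPER_STUDENT);
+await runner.patch({
+url: "/user/1",
+data: { admin: true },
+expectedResponse: forbiddenResponse,
+statusCode: 403,
+});
+});
+
+test("Syndicus' request must be rejected", async () => {
+runner.authLevel(AuthenticationLevel.SYNDICUS);
+await runner.patch({
+url: "/user/1",
+data: { admin: true },
+expectedResponse: forbiddenResponse,
+statusCode: 403,
+});
+});
+});
+});
+
+test("Administrator must be allowed to perform permission change", async () => {
+runner.authLevel(AuthenticationLevel.ADMINISTRATOR);
+await runner.patch({
+url: "/user/1",
+data: { super_student: true },
+expectedResponse: {
+id: 1,
+email: "[email protected]",
+first_name: "Dirk",
+last_name: "De Student",
+last_login: "2023-05-04T12:00:00.000Z",
+date_added: "2023-05-04T12:00:00.000Z",
+phone: "0123456789",
+address_id: 1,
+student: true,
+super_student: true,
+admin: false,
+deleted: false,
+address: {
+id: 1,
+street: "Wallaby Way",
+number: 42,
+city: "Sydney",
+zip_code: 2000,
+latitude: -33.865143,
+longitude: 151.2099,
+},
+regions: [
+{
+id: 1,
+user_id: 1,
+region_id: 1,
+region: {
+id: 1,
+name: "Region 1",
+deleted: false,
+},
+},
+],
+},
+});
+});
+});
+
 afterAll(() => {
 app.close();
 });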
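Review bot: The three rejection tests under "Issue 491" only ever send `data: { admin: true }`, while the guard they exist to cover (in api/src/routes/user.ts in this same commit) also rejects the `super_student` and `student` keys; neither of those keys has a negative test, so a regression that drops one from the check would still pass. Driving the cases from a table would close that gap with little extra code, e.g. `test.each(["admin", "super_student", "student"])("non-admin must not change %s", async (field) => {` with the body built as `data: { [field]: true },`. Since the server-side check is on key presence rather than on a changed value, a case sending `admin: false` from a non-admin is also worth pinning so that fail-closed behaviour is documented by a test. The enclosing `describe("User tests")` starts outside the hunk.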
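--- a/api/src/routes/user.ts
+++ b/api/src/routes/user.ts
@@ -127,6 +127,11 @@ export class UserRouting extends Routing {
 throw new APIError(APIErrorCode.FORBIDDEN);
 }
 
+// only admins are allowed to change permission levels
+if (!req.user?.admin && containsPermChange(req.body)) {
+throw new APIError(APIErrorCode.FORBIDDEN);
+}
+
 // The body of a request can't be empty and can't contain a hash or salt
 if (req.body == null || req.body.hash || req.body.salt) {
 throw new APIError(APIErrorCode.BAD_REQUEST);
@@ -180,3 +185,7 @@ export class UserRouting extends Routing {
 return new UserValidator();
 }
 }
+
+const containsPermChange = (body: object): boolean => {
+return "admin" in body || "super_student" in body || "student" in body;
+};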
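Review bot: The new admin guard calls `containsPermChange(req.body)` before the existing `req.body == null` check a few lines further down, and the `in` operator throws a TypeError on `null`/`undefined`, so a non-admin caller sending no body would now surface as an unhandled exception instead of the BAD_REQUEST that check was meant to produce. Either move the guard below the null check or make the helper null-safe: `const containsPermChange = (body: unknown): boolean =>` / `body != null && typeof body === "object" &&` / `("admin" in body || "super_student" in body || "student" in body);`. The `body: object` annotation presumably only type-checks because `req.body` is typed `any`; taking `unknown` and narrowing at runtime is the honest signature. The check is on key presence rather than on an actual change of value, so a non-admin who resends e.g. `student: true` unchanged is rejected too — that fail-closed choice is fine, but the comment should say so (`// presence of any permission key is rejected for non-admins, even if the value is unchanged`). The patch handler that contains the guard starts outside the first hunk.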
2 changes: 1 addition & 1 deletion web/src/views/student/SchedulingScreenStudents.vue
Expand Up @@ -60,7 +60,7 @@
variant="text"
size="compact"
>
{{ new Date(item.schedule.day).toISOString().slice(11, 16) }}
{{ new Date(item.schedule.day).toLocaleTimeString().slice(0,5) }}
</v-chip>
<v-chip label color="primary" class="mr-2">
<v-icon
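Review bot: The page keeps no +/- markers for this one-line change, so which of the two `v-chip` lines is the new side cannot be read off with certainty; if it is the `toLocaleTimeString().slice(0,5)` line, the slice is fragile because the output format depends on the browser locale, and a 12-hour locale such as en-US gives a string like `9:05:00 AM` whose first five characters are `9:05:`. The `toISOString().slice(11, 16)` variant has the opposite problem of showing UTC rather than the user's local time. An explicit format avoids both: `{{ new Date(item.schedule.day).toLocaleTimeString([], { hour: "2-digit", minute: "2-digit", hour12: false }) }}`. The enclosing template element starts outside the hunk.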
