mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-03-11 02:12:21 -05:00
Merge pull request #3775 from felixrieseberg/iss3765
Ensure Owner's role isn't downgraded
commit
9b7be32c0c
2 changed files with 28 additions and 2 deletions
|
@ -162,8 +162,14 @@ users = {
|
||||||
parseInt(options.id, 10) === parseInt(options.context.user, 10)) {
|
parseInt(options.id, 10) === parseInt(options.context.user, 10)) {
|
||||||
return when.reject(new errors.NoPermissionError('You cannot change your own role.'));
|
return when.reject(new errors.NoPermissionError('You cannot change your own role.'));
|
||||||
} else if (roleId !== contextRoleId) {
|
} else if (roleId !== contextRoleId) {
|
||||||
return canThis(options.context).assign.role(role).then(function () {
|
return dataProvider.User.findOne({role: 'Owner'}).then(function (result) {
|
||||||
return editOperation();
|
if (parseInt(result.id, 10) !== parseInt(options.id, 10)) {
|
||||||
|
return canThis(options.context).assign.role(role).then(function () {
|
||||||
|
return editOperation();
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
return when.reject(new errors.NoPermissionError('There has to be one owner.'));
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
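Review bot: The new owner guard sits only inside the `else if (roleId !== contextRoleId)` branch, so a request that assigns the owner a role equal to the caller's own role never reaches the `findOne({role: 'Owner'})` comparison. What runs on that path is outside the hunk (the enclosing function starts and ends beyond it), so please confirm it; if it falls through to `editOperation()`, the owner can still be demoted without this check firing. Running the owner lookup before the role comparison would cover both paths. Separately, `result` is dereferenced without a null check, so an install with no owner row fails with a TypeError rather than a permission error; `if (!result || parseInt(result.id, 10) === parseInt(options.id, 10))` ahead of the rejection would fail closed explicitly.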
|
@ -852,6 +852,26 @@ describe('Users API', function () {
|
||||||
}).catch(done);
|
}).catch(done);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('CANNOT downgrade owner', function (done) {
|
||||||
|
var options = _.extend({}, context.admin, {id: userIdFor.owner}, {include: 'roles'});
|
||||||
|
UserAPI.read(options).then(function (response) {
|
||||||
|
response.users[0].id.should.equal(userIdFor.owner);
|
||||||
|
response.users[0].roles[0].name.should.equal('Owner');
|
||||||
|
|
||||||
|
return UserAPI.edit(
|
||||||
|
{users: [
|
||||||
|
{name: newName, roles: [roleIdFor.author]}
|
||||||
|
]},
|
||||||
|
options
|
||||||
|
).then(function (response) {
|
||||||
|
done(new Error('Author should not be able to downgrade owner'));
|
||||||
|
}).catch(function (error) {
|
||||||
|
error.type.should.eql('NoPermissionError');
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('Editor', function () {
|
describe('Editor', function () {
|
||||||
|
|
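Review bot: The `.catch` in 'CANNOT downgrade owner' asserts only `error.type.should.eql('NoPermissionError')`, so the test would also pass if the rejection came from the existing `assign.role` permission check instead of the new owner guard. Also asserting the message, e.g. `error.message.should.eql('There has to be one owner.');` (assuming the error exposes `message`), would tie the test to the new guard. The failure text says "Author should not be able to downgrade owner" while the options are built from `context.admin`, so one of the two should be corrected. Only the admin-to-author case is exercised; a case where the assigned role equals the caller's own role would be worth adding. The outer `UserAPI.read(...).then(...)` has no `.catch(done)`, so a failed assertion on the read response shows up as a timeout rather than a clear failure.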