
Fixed ability for the owner to change password of other users

closes #10927

-  Previous fix 2823c0b342
- It didn't work because the validation layer in "frame" doesn't take into account the value under the controller's `required` property, so to skip validation of the field the whole `required` key/value pair has to be removed
- Removed unused variables
- Extended regression suite to prevent similar problems in the future
Nazar Gargol 2019-07-22 19:00:21 +02:00
parent 3c7af7e6f0
commit bf5824a7ba
2 changed files with 29 additions and 6 deletions


@ -146,7 +146,6 @@ module.exports = {
data: {
newPassword: {required: true},
ne2Password: {required: true},
oldPassword: {required: false},
user_id: {required: true}
}
},


@ -8,7 +8,7 @@ const ghost = testUtils.startGhost;
let request;
describe('User API', function () {
let editor, author, ghostServer, inactiveUser, admin;
let editor, author, ghostServer, otherAuthor, admin;
describe('As Owner', function () {
before(function () {
@ -20,17 +20,17 @@ describe('User API', function () {
.then(function () {
// create inactive user
return testUtils.createUser({
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org', status: 'inactive'}),
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org'}),
role: testUtils.DataGenerator.Content.roles[2].name
});
})
.then(function (_user) {
inactiveUser = _user;
otherAuthor = _user;
// create admin user
return testUtils.createUser({
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'admin'}),
role: testUtils.DataGenerator.Content.roles[0].name
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'owner'}),
role: testUtils.DataGenerator.Content.roles[3].name
});
})
.then(function (_user) {
@ -103,6 +103,30 @@ describe('User API', function () {
});
});
describe('Edit', function () {
it('can change the other users password', function (done) {
request.put(localUtils.API.getApiQuery('users/password/'))
.set('Origin', config.get('url'))
.send({
password: [{
newPassword: 'superSecure',
ne2Password: 'superSecure',
user_id: otherAuthor.id
}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.end(function (err) {
if (err) {
return done(err);
}
done();
});
});
});
describe('Destroy', function () {
it('[failure] Destroy unknown user id', function (done) {
request.delete(localUtils.API.getApiQuery('users/' + ObjectId.generate()))