mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-01-20 22:42:53 -05:00
Fixed ability for the owner to change password of other users
closes #10927
- Previous fix 2823c0b342
- It didn't work because the validation layer in "frame" doesn't take into account the value under `required` property of the controller, so to prevent validation on the field whole `required` key/value have to be removed
- Removed unused variables
- Extended regression suite to prevent similar problems in the future
This commit is contained in:
parent
3c7af7e6f0
commit
bf5824a7ba
2 changed files with 29 additions and 6 deletions
|
@ -146,7 +146,6 @@ module.exports = {
|
|||
data: {
|
||||
newPassword: {required: true},
|
||||
ne2Password: {required: true},
|
||||
oldPassword: {required: false},
|
||||
user_id: {required: true}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -8,7 +8,7 @@ const ghost = testUtils.startGhost;
|
|||
let request;
|
||||
|
||||
describe('User API', function () {
|
||||
let editor, author, ghostServer, inactiveUser, admin;
|
||||
let editor, author, ghostServer, otherAuthor, admin;
|
||||
|
||||
describe('As Owner', function () {
|
||||
before(function () {
|
||||
|
@ -20,17 +20,17 @@ describe('User API', function () {
|
|||
.then(function () {
|
||||
// create inactive user
|
||||
return testUtils.createUser({
|
||||
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org', status: 'inactive'}),
|
||||
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org'}),
|
||||
role: testUtils.DataGenerator.Content.roles[2].name
|
||||
});
|
||||
})
|
||||
.then(function (_user) {
|
||||
inactiveUser = _user;
|
||||
otherAuthor = _user;
|
||||
|
||||
// create admin user
|
||||
return testUtils.createUser({
|
||||
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'admin'}),
|
||||
role: testUtils.DataGenerator.Content.roles[0].name
|
||||
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'owner'}),
|
||||
role: testUtils.DataGenerator.Content.roles[3].name
|
||||
});
|
||||
})
|
||||
.then(function (_user) {
|
||||
|
@ -103,6 +103,30 @@ describe('User API', function () {
|
|||
});
|
||||
});
|
||||
|
||||
describe('Edit', function () {
|
||||
it('can change the other users password', function (done) {
|
||||
request.put(localUtils.API.getApiQuery('users/password/'))
|
||||
.set('Origin', config.get('url'))
|
||||
.send({
|
||||
password: [{
|
||||
newPassword: 'superSecure',
|
||||
ne2Password: 'superSecure',
|
||||
user_id: otherAuthor.id
|
||||
}]
|
||||
})
|
||||
.expect('Content-Type', /json/)
|
||||
.expect('Cache-Control', testUtils.cacheRules.private)
|
||||
.expect(200)
|
||||
.end(function (err) {
|
||||
if (err) {
|
||||
return done(err);
|
||||
}
|
||||
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('Destroy', function () {
|
||||
it('[failure] Destroy unknown user id', function (done) {
|
||||
request.delete(localUtils.API.getApiQuery('users/' + ObjectId.generate()))
|
||||
|
|
Loading…
Add table
Reference in a new issue