Users list only available when use is authenticated

And has a special right

diff --git a/server.ts b/server.ts
index 0e963c3d30b501f77a84a122975d836ddaff55e3..3221c17907f925c46988dc3982ed7c1ad47f3de8 100644 (file)
--- a/server.ts
+++ b/server.ts
@@ -77,7 +77,7 @@ app.use(morgan('combined', {
 }))
 // For body requests
 app.use(bodyParser.json({
-  type: 'application/*+json',
+  type: [ 'application/json', 'application/*+json' ],
   limit: '500kb'
 }))
 app.use(bodyParser.urlencoded({ extended: false }))

diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index 721b233010eae6c68d3f2bf93702da4bf6359d1b..f9b871724176dd74827764d659a4c2ff24576ab7 100644 (file)
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -48,6 +48,8 @@ usersRouter.get('/me/videos/:videoId/rating',
 )
 
 usersRouter.get('/',
+  authenticate,
+  ensureUserHasRight(UserRight.MANAGE_USERS),
   paginationValidator,
   usersSortValidator,
   setUsersSort,

diff --git a/server/tests/api/check-params/users.ts b/server/tests/api/check-params/users.ts
index 578fece49a7fc2bfd5223342e8b318acf95ea634..1e3533bf3cc5a3b83fb17507969e63fda3b711af 100644 (file)
--- a/server/tests/api/check-params/users.ts
+++ b/server/tests/api/check-params/users.ts
@@ -67,6 +67,7 @@ describe('Test users API validators', function () {
               .get(path)
               .query({ start: 'hello' })
               .set('Accept', 'application/json')
+              .set('Authorization', 'Bearer ' + server.accessToken)
               .expect(400)
     })
 
@@ -75,6 +76,7 @@ describe('Test users API validators', function () {
               .get(path)
               .query({ count: 'hello' })
               .set('Accept', 'application/json')
+              .set('Authorization', 'Bearer ' + server.accessToken)
               .expect(400)
     })
 
@@ -83,8 +85,24 @@ describe('Test users API validators', function () {
               .get(path)
               .query({ sort: 'hello' })
               .set('Accept', 'application/json')
+              .set('Authorization', 'Bearer ' + server.accessToken)
               .expect(400)
     })
+
+    it('Should fail with a non authenticated user', async function () {
+      await request(server.url)
+        .get(path)
+        .set('Accept', 'application/json')
+        .expect(401)
+    })
+
+    it('Should fail with a non admin user', async function () {
+      await request(server.url)
+        .get(path)
+        .set('Accept', 'application/json')
+        .set('Authorization', 'Bearer ' + userAccessToken)
+        .expect(403)
+    })
   })
 
   describe('When adding a new user', function () {
@@ -354,7 +372,7 @@ describe('Test users API validators', function () {
   describe('When updating a user', function () {
 
     before(async function () {
-      const res = await getUsersList(server.url)
+      const res = await getUsersList(server.url, server.accessToken)
 
       userId = res.body.data[1].id
       rootId = res.body.data[2].id

diff --git a/server/tests/api/users.ts b/server/tests/api/users.ts
index 5c053157114bdc110f075f304086780fcf8ba93f..33646e84f2dfbba2bc844a13b9a8e3b75fdfa255 100644 (file)
--- a/server/tests/api/users.ts
+++ b/server/tests/api/users.ts
@@ -1,4 +1,5 @@
 /* tslint:disable:no-unused-expression */
+
 import * as chai from 'chai'
 import 'mocha'
 import { UserRole } from '../../../shared'
@@ -28,6 +29,7 @@ import {
 } from '../utils'
 import { follow } from '../utils/follows'
 import { getMyVideos } from '../utils/videos'
+import { setAccessTokensToServers } from '../utils/login'
 
 const expect = chai.expect
 
@@ -43,6 +45,8 @@ describe('Test users', function () {
 
     await flushTests()
     server = await runServer(1)
+
+    await setAccessTokensToServers([ server ])
   })
 
   it('Should create a new client')
@@ -242,7 +246,7 @@ describe('Test users', function () {
   })
 
   it('Should list all the users', async function () {
-    const res = await getUsersList(server.url)
+    const res = await getUsersList(server.url, server.accessToken)
     const result = res.body
     const total = result.total
     const users = result.data
@@ -280,7 +284,7 @@ describe('Test users', function () {
   })
 
   it('Should list only the first user by username asc', async function () {
-    const res = await getUsersListPaginationAndSort(server.url, 0, 1, 'username')
+    const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, 'username')
 
     const result = res.body
     const total = result.total
@@ -307,7 +311,7 @@ describe('Test users', function () {
   })
 
   it('Should list only the first user by username desc', async function () {
-    const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-username')
+    const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-username')
     const result = res.body
     const total = result.total
     const users = result.data
@@ -330,7 +334,7 @@ describe('Test users', function () {
   })
 
   it('Should list only the second user by createdAt desc', async function () {
-    const res = await getUsersListPaginationAndSort(server.url, 0, 1, '-createdAt')
+    const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 1, '-createdAt')
     const result = res.body
     const total = result.total
     const users = result.data
@@ -353,7 +357,7 @@ describe('Test users', function () {
   })
 
   it('Should list all the users by createdAt asc', async function () {
-    const res = await getUsersListPaginationAndSort(server.url, 0, 2, 'createdAt')
+    const res = await getUsersListPaginationAndSort(server.url, server.accessToken, 0, 2, 'createdAt')
     const result = res.body
     const total = result.total
     const users = result.data

diff --git a/server/tests/utils/users.ts b/server/tests/utils/users.ts
index 12569dd425212e64435a270cb37b34753322651f..ce04b9d9663babc6f22b549a89c7bf1d0ba6960a 100644 (file)
--- a/server/tests/utils/users.ts
+++ b/server/tests/utils/users.ts
@@ -76,17 +76,18 @@ function getUserVideoRating (url: string, accessToken: string, videoId: number)
           .expect('Content-Type', /json/)
 }
 
-function getUsersList (url: string) {
+function getUsersList (url: string, accessToken: string) {
   const path = '/api/v1/users'
 
   return request(url)
           .get(path)
           .set('Accept', 'application/json')
+          .set('Authorization', 'Bearer ' + accessToken)
           .expect(200)
           .expect('Content-Type', /json/)
 }
 
-function getUsersListPaginationAndSort (url: string, start: number, count: number, sort: string) {
+function getUsersListPaginationAndSort (url: string, accessToken: string, start: number, count: number, sort: string) {
   const path = '/api/v1/users'
 
   return request(url)
@@ -95,6 +96,7 @@ function getUsersListPaginationAndSort (url: string, start: number, count: numbe
           .query({ count })
           .query({ sort })
           .set('Accept', 'application/json')
+          .set('Authorization', 'Bearer ' + accessToken)
           .expect(200)
           .expect('Content-Type', /json/)
 }