Fixed ability for the owner to change password of other users

closes #10927

-  Previous fix 2823c0b342
- It didn't work because the validation layer in "frame" ignores the value under the `required` property of the controller's schema (any listed key is treated as required), so to stop the field from being validated the whole `required` key/value pair has to be removed
- Removed unused variables
- Extended regression suite to prevent similar problems in the future
Nazar Gargol 2019-07-22 19:00:21 +02:00
parent 3c7af7e6f0
commit bf5824a7ba
2 changed files with 29 additions and 6 deletions


@ -146,7 +146,6 @@ module.exports = {
data: { data: {
newPassword: {required: true}, newPassword: {required: true},
ne2Password: {required: true}, ne2Password: {required: true},
oldPassword: {required: false},
user_id: {required: true} user_id: {required: true}
} }
}, },
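Review bot: Removing `oldPassword: {required: false}` deletes the only visible check on that field, so the frame no longer enforces it for the self-change case either; per the commit message the frame treats every listed key as required regardless of its `required` value, so the old-vs-new-password distinction must now be enforced in the users service/model, which this diff does not show — worth confirming before merge. I'd add a comment above `user_id: {required: true}` so nobody reinstates the key later: `// oldPassword is intentionally not listed: the frame validator treats any listed key as required, and whether oldPassword must be present (self-change) or not (owner changing another user) is decided in the password-change logic`. The regression suite should also cover the inverse cases: a user changing their own password without `oldPassword` must still be rejected, and a non-owner must not be able to set another user's password. The enclosing `module.exports` object starts and ends outside the hunk.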


@ -8,7 +8,7 @@ const ghost = testUtils.startGhost;
let request; let request;
describe('User API', function () { describe('User API', function () {
let editor, author, ghostServer, inactiveUser, admin; let editor, author, ghostServer, otherAuthor, admin;
describe('As Owner', function () { describe('As Owner', function () {
before(function () { before(function () {
@ -20,17 +20,17 @@ describe('User API', function () {
.then(function () { .then(function () {
// create inactive user // create inactive user
return testUtils.createUser({ return testUtils.createUser({
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org', status: 'inactive'}), user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org'}),
role: testUtils.DataGenerator.Content.roles[2].name role: testUtils.DataGenerator.Content.roles[2].name
}); });
}) })
.then(function (_user) { .then(function (_user) {
inactiveUser = _user; otherAuthor = _user;
// create admin user // create admin user
return testUtils.createUser({ return testUtils.createUser({
user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'admin'}), user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'owner'}),
role: testUtils.DataGenerator.Content.roles[0].name role: testUtils.DataGenerator.Content.roles[3].name
}); });
}) })
.then(function (_user) { .then(function (_user) {
@ -103,6 +103,30 @@ describe('User API', function () {
}); });
}); });
describe('Edit', function () {
it('can change the other users password', function (done) {
request.put(localUtils.API.getApiQuery('users/password/'))
.set('Origin', config.get('url'))
.send({
password: [{
newPassword: 'superSecure',
ne2Password: 'superSecure',
user_id: otherAuthor.id
}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.end(function (err) {
if (err) {
return done(err);
}
done();
});
});
});
describe('Destroy', function () { describe('Destroy', function () {
it('[failure] Destroy unknown user id', function (done) { it('[failure] Destroy unknown user id', function (done) {
request.delete(localUtils.API.getApiQuery('users/' + ObjectId.generate())) request.delete(localUtils.API.getApiQuery('users/' + ObjectId.generate()))
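Review bot: The new test at `it('can change the other users password'` only asserts a 200 and never proves the password was actually changed or that the permission boundary holds, so the regression it guards is incomplete. Consider following the PUT with a login as `otherAuthor` using `superSecure` (or a failed login with the old password), and adding a sibling case under a non-owner role that expects 403 when `user_id` belongs to another user, since #10927 is about who may change whose password. The fixture comment `// create inactive user` is stale now that `status: 'inactive'` was dropped; `// create a second author (target of the password-change test)` would match the renamed `otherAuthor`. The `admin` user is now created with `slug: 'owner'` and `roles[3]`, which reads as a role/name mismatch unless `roles[3]` is indeed the owner role — a comment or rename would avoid confusion. The `describe('Destroy'` block continues outside the hunk.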