Fixed ability for the owner to change password of other users

closes #10927 - Previous fix 2823c0b342 - It didn't work because the validation layer in "frame" doesn't take into account the value under `required` property of the controller, so to prevent validation on the field whole `required` key/value have to be removed - Removed unused variables - Extended regression suite to prevent similar problems in the future
2019-07-22 19:00:21 +02:00 · 2019-07-22 19:00:21 +02:00 · bf5824a7ba
commit bf5824a7ba
parent 3c7af7e6f0
2 changed files with 29 additions and 6 deletions
--- a/core/server/api/v2/users.js
+++ b/core/server/api/v2/users.js
@ -146,7 +146,6 @@ module.exports = {
            data: {
                newPassword: {required: true},
                ne2Password: {required: true},
-                oldPassword: {required: false},
                user_id: {required: true}
            }
        },
--- a/core/test/regression/api/v2/admin/users_spec.js
+++ b/core/test/regression/api/v2/admin/users_spec.js
@ -8,7 +8,7 @@ const ghost = testUtils.startGhost;
 let request;

 describe('User API', function () {
-    let editor, author, ghostServer, inactiveUser, admin;
+    let editor, author, ghostServer, otherAuthor, admin;

    describe('As Owner', function () {
        before(function () {
@ -20,17 +20,17 @@ describe('User API', function () {
                .then(function () {
                    // create inactive user
                    return testUtils.createUser({
-                        user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org', status: 'inactive'}),
+                        user: testUtils.DataGenerator.forKnex.createUser({email: 'test+3@ghost.org'}),
                        role: testUtils.DataGenerator.Content.roles[2].name
                    });
                })
                .then(function (_user) {
-                    inactiveUser = _user;
+                    otherAuthor = _user;

                    // create admin user
                    return testUtils.createUser({
-                        user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'admin'}),
-                        role: testUtils.DataGenerator.Content.roles[0].name
+                        user: testUtils.DataGenerator.forKnex.createUser({email: 'test+admin@ghost.org', slug: 'owner'}),
+                        role: testUtils.DataGenerator.Content.roles[3].name
                    });
                })
                .then(function (_user) {
@ -103,6 +103,30 @@ describe('User API', function () {
            });
        });

+        describe('Edit', function () {
+            it('can change the other users password', function (done) {
+                request.put(localUtils.API.getApiQuery('users/password/'))
+                    .set('Origin', config.get('url'))
+                    .send({
+                        password: [{
+                            newPassword: 'superSecure',
+                            ne2Password: 'superSecure',
+                            user_id: otherAuthor.id
+                        }]
+                    })
+                    .expect('Content-Type', /json/)
+                    .expect('Cache-Control', testUtils.cacheRules.private)
+                    .expect(200)
+                    .end(function (err) {
+                        if (err) {
+                            return done(err);
+                        }
+
+                        done();
+                    });
+            });
+        });
+
        describe('Destroy', function () {
            it('[failure] Destroy unknown user id', function (done) {
                request.delete(localUtils.API.getApiQuery('users/' + ObjectId.generate()))