fix(core): Do not allow admins to generate password-reset links for i…
…nstance owner (#9488)
netroy authored May 22, 2024
1 parent 8f55bb1 commit 88b9a40
Showing 2 changed files with 37 additions and 6 deletions.
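--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -115,6 +115,10 @@ export class UsersController {
 throw new NotFoundError('User not found');
 }
 
+if (req.user.role === 'global:admin' && user.role === 'global:owner') {
+throw new ForbiddenError('Admin cannot reset password of global owner');
+}
+
 const link = this.authService.generatePasswordResetUrl(user);
 return { link };
 }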
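Review bot: The new guard before `generatePasswordResetUrl` denies only the exact pair `global:admin` → `global:owner`, so any other non-owner role that reaches this point would still receive a reset link for the instance owner. The tests in this commit show members already get 403, presumably from a scope check outside the hunk, but the owner protection would be sturdier if keyed on the target account: `if (user.role === 'global:owner' && req.user.role !== 'global:owner') {`. A short comment such as `// A reset link grants control of the account, so only the owner may generate one for the owner` would record why the check exists. The method starts above the hunk, so any earlier authorization logic is not visible here.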
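--- a/packages/cli/test/integration/users.api.test.ts
+++ b/packages/cli/test/integration/users.api.test.ts
@@ -35,12 +35,6 @@ const testServer = utils.setupTestServer({
 enabledFeatures: ['feat:advancedPermissions'],
 });
 
-let projectRepository: ProjectRepository;
-
-beforeAll(() => {
-projectRepository = Container.get(ProjectRepository);
-});
-
 describe('GET /users', () => {
 let owner: User;
 let member: User;
@@ -243,6 +237,39 @@ describe('GET /users', () => {
 });
 });
 
+describe('GET /users/:id/password-reset-link', () => {
+let owner: User;
+let admin: User;
+let member: User;
+
+beforeAll(async () => {
+await testDb.truncate(['User']);
+
+[owner, admin, member] = await Promise.all([createOwner(), createAdmin(), createMember()]);
+});
+
+it('should allow owners to generate password reset links for admins and members', async () => {
+const ownerAgent = testServer.authAgentFor(owner);
+await ownerAgent.get(`/users/${owner.id}/password-reset-link`).expect(200);
+await ownerAgent.get(`/users/${admin.id}/password-reset-link`).expect(200);
+await ownerAgent.get(`/users/${member.id}/password-reset-link`).expect(200);
+});
+
+it('should allow admins to generate password reset links for admins and members, but not owners', async () => {
+const adminAgent = testServer.authAgentFor(admin);
+await adminAgent.get(`/users/${owner.id}/password-reset-link`).expect(403);
+await adminAgent.get(`/users/${admin.id}/password-reset-link`).expect(200);
+await adminAgent.get(`/users/${member.id}/password-reset-link`).expect(200);
+});
+
+it('should not allow members to generate password reset links for anyone', async () => {
+const memberAgent = testServer.authAgentFor(member);
+await memberAgent.get(`/users/${owner.id}/password-reset-link`).expect(403);
+await memberAgent.get(`/users/${admin.id}/password-reset-link`).expect(403);
+await memberAgent.get(`/users/${member.id}/password-reset-link`).expect(403);
+});
+});
+
 describe('DELETE /users/:id', () => {
 let owner: User;
 let ownerAgent: SuperAgentTest;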
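Review bot: The new `GET /users/:id/password-reset-link` cases assert only status codes, so a 200 response without a usable link in its body would still pass. The success cases could capture the response and assert that a `link` value is present, while the 403 cases could assert that none is returned. The first test's title also says "for admins and members" although its first request targets the owner's own id; `'should allow owners to generate password reset links for owners, admins and members'` would match what is exercised. The only admin in the fixture requests a link for itself, so the admin-to-another-admin path named in the second title is not covered; a second admin created in `beforeAll` would close that gap.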
