synced/outline
1
0
Fork 0
mirror of https://github.com/outline/outline.git synced 2025-03-28 14:34:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Unable to delete user via API (#3619)

Browse Source 
Remove requirement to pass 'confirmation' to users.delete
closes #3604
This commit is contained in:
Tom Moor
2022-06-02 12:56:27 -07:00
committed by GitHub
parent 68dd76cfa3
commit 2d7dd558a1
5 changed files with 13 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/menus/UserMenu.tsx
View File

@ -108,9 +108,7 @@ function UserMenu({ user }: Props) {
const handleRevoke = React.useCallback(
(ev: React.SyntheticEvent) => {
ev.preventDefault();
users.delete(user, {
confirmation: true,
});
users.delete(user);
},
[users, user]
);

4
app/stores/AuthStore.ts
View File

@ -200,9 +200,7 @@ export default class AuthStore {
@action
deleteUser = async () => {
await client.post(`/users.delete`, {
confirmation: true,
});
await client.post(`/users.delete`);
runInAction("AuthStore#updateUser", () => {
this.user = null;
this.team = null;

4
server/policies/user.ts
View File

@ -28,7 +28,7 @@ allow(User, "update", User, (actor, user) => {
return true;
}
throw AdminRequiredError();
return false;
});
allow(User, "delete", User, (actor, user) => {
@ -38,7 +38,7 @@ allow(User, "delete", User, (actor, user) => {
if (user.id === actor.id) {
return true;
}
if (actor.isAdmin && !user.lastActiveAt) {
if (actor.isAdmin) {
return true;
}

30
server/routes/api/users.test.ts
View File

@ -299,16 +299,6 @@ describe("#users.invite", () => {
});
describe("#users.delete", () => {
it("should not allow deleting without confirmation", async () => {
const user = await buildUser();
const res = await server.post("/api/users.delete", {
body: {
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(400);
});
it("should not allow deleting last admin if many users", async () => {
const user = await buildAdmin();
await buildUser({
@ -318,13 +308,12 @@ describe("#users.delete", () => {
const res = await server.post("/api/users.delete", {
body: {
token: user.getJwtToken(),
confirmation: true,
},
});
expect(res.status).toEqual(400);
});
it("should allow deleting user account with confirmation", async () => {
it("should allow deleting user account", async () => {
const user = await buildUser();
await buildUser({
teamId: user.teamId,
@ -332,30 +321,28 @@ describe("#users.delete", () => {
const res = await server.post("/api/users.delete", {
body: {
token: user.getJwtToken(),
confirmation: true,
},
});
expect(res.status).toEqual(200);
});
it("should allow deleting pending user account with admin", async () => {
const user = await buildAdmin();
const pending = await buildUser({
teamId: user.teamId,
it("should allow deleting user account with admin", async () => {
const admin = await buildAdmin();
const user = await buildUser({
teamId: admin.teamId,
lastActiveAt: null,
});
const res = await server.post("/api/users.delete", {
body: {
token: user.getJwtToken(),
id: pending.id,
confirmation: true,
token: admin.getJwtToken(),
id: user.id,
},
});
expect(res.status).toEqual(200);
});
it("should not allow deleting another user account", async () => {
const user = await buildAdmin();
const user = await buildUser();
const user2 = await buildUser({
teamId: user.teamId,
});
@ -363,7 +350,6 @@ describe("#users.delete", () => {
body: {
token: user.getJwtToken(),
id: user2.id,
confirmation: true,
},
});
expect(res.status).toEqual(403);

3
server/routes/api/users.ts
View File

@ -355,8 +355,7 @@ router.post("users.resendInvite", auth(), async (ctx) => {
});
router.post("users.delete", auth(), async (ctx) => {
const { confirmation, id } = ctx.body;
assertPresent(confirmation, "confirmation is required");
const { id } = ctx.body;
const actor = ctx.state.user;
let user = actor;