Dont allow guests..developers to manage group members

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Dont allow guests..developers to manage group members
a2dfff41 · Dmitriy Zaporozhets · Valery Sizov · 995d1984 · a2dfff41 · a2dfff41
Commit a2dfff41 authored 10 years ago by Dmitriy Zaporozhets Committed by Valery Sizov 10 years ago
--- a/lib/api/group_members.rb
+++ b/lib/api/group_members.rb
@@ -39,14 +39,18 @@ module API
      # Example Request:
      #  POST /groups/:id/members
      post ":id/members" do
+        group = find_group(params[:id])
+        authorize! :manage_group, group
        required_attributes! [:user_id, :access_level]
+
        unless validate_access_level?(params[:access_level])
          render_api_error!("Wrong access level", 422)
        end
-        group = find_group(params[:id])
+
        if group.group_members.find_by(user_id: params[:user_id])
          render_api_error!("Already exists", 409)
        end
+
        group.add_users([params[:user_id]], params[:access_level])
        member = group.group_members.find_by(user_id: params[:user_id])
        present member.user, with: Entities::GroupMember, group: group
@@ -62,7 +66,9 @@ module API
      #   DELETE /groups/:id/members/:user_id
      delete ":id/members/:user_id" do
        group = find_group(params[:id])
-        member =  group.group_members.find_by(user_id: params[:user_id])
+        authorize! :manage_group, group
+        member = group.group_members.find_by(user_id: params[:user_id])
+
        if member.nil?
          render_api_error!("404 Not Found - user_id:#{params[:user_id]} not a member of group #{group.name}",404)
        else

--- a/spec/requests/api/group_members_spec.rb
+++ b/spec/requests/api/group_members_spec.rb
@@ -115,16 +115,22 @@ describe API::API, api: true  do
  
    context "when a member of the group" do
      it "should delete guest's membership of group" do
-        count_before=group_with_members.group_members.count
-        delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
+        expect {
+          delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
+        }.to change { group_with_members.members.count }.by(-1)
+
        response.status.should == 200
-        group_with_members.group_members.count.should == count_before - 1
      end
  
      it "should return a 404 error when user id is not known" do
        delete api("/groups/#{group_with_members.id}/members/1328", owner)
        response.status.should == 404
      end
+
+      it "should not allow guest to modify group members" do
+        delete api("/groups/#{group_with_members.id}/members/#{master.id}", guest)
+        response.status.should == 403
+      end
    end
  end
 end