FEATURE: do not allow moderators to export user list (#6418)

This commit is contained in:
Kyle Zhao 2018-09-21 09:07:13 +08:00 committed by GitHub
parent 5f042a2c8d
commit 4bb980b9f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 48 additions and 4 deletions


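--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -16,7 +16,9 @@
 {{#unless siteSettings.enable_sso}}
 {{d-button action="sendInvites" title="admin.invite.button_title" icon="user-plus" label="admin.invite.button_text"}}
 {{/unless}}
-{{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
+{{#if currentUser.admin}}
+{{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
+{{/if}}
 </div>
 </ul>
 </nav>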


@ -357,7 +357,8 @@ class Guardian
def can_export_entity?(entity) def can_export_entity?(entity)
return false unless @user return false unless @user
return true if is_staff? return true if is_admin?
return entity != 'user_list' if is_moderator?
# Regular users can only export their archives # Regular users can only export their archives
return false unless entity == "user_archive" return false unless entity == "user_archive"
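Review bot: The new moderator branch `return entity != 'user_list' if is_moderator?` is a deny-list: a moderator is granted every export entity except `user_list`, so any entity added to the exporter later is available to moderators by default unless someone remembers to extend this line. An allow-list is the safer shape, e.g. `return MODERATOR_EXPORTABLE_ENTITIES.include?(entity) if is_moderator?` with a frozen constant naming the entities moderators may export (`staff_action` is the one the specs exercise; the full set is not visible on this page). The single-quoted `'user_list'` also sits two lines above the double-quoted `"user_archive"`; one style should be used. can_export_entity? continues past the end of the hunk.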


@ -2576,6 +2576,24 @@ describe Guardian do
end end
end end
describe '#can_export_entity?' do
let(:user_guardian) { Guardian.new(user) }
let(:moderator_guardian) { Guardian.new(moderator) }
let(:admin_guardian) { Guardian.new(admin) }
it 'only allows admins to export user_list' do
expect(user_guardian.can_export_entity?('user_list')).to be_falsey
expect(moderator_guardian.can_export_entity?('user_list')).to be_falsey
expect(admin_guardian.can_export_entity?('user_list')).to be_truthy
end
it 'allow moderators to export other admin entities' do
expect(user_guardian.can_export_entity?('staff_action')).to be_falsey
expect(moderator_guardian.can_export_entity?('staff_action')).to be_truthy
expect(admin_guardian.can_export_entity?('staff_action')).to be_truthy
end
end
describe "#allow_themes?" do describe "#allow_themes?" do
let(:theme) { Fabricate(:theme) } let(:theme) { Fabricate(:theme) }
let(:theme2) { Fabricate(:theme) } let(:theme2) { Fabricate(:theme) }
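Review bot: The new examples pin `user_list` and `staff_action` but not the shape of the moderator rule itself; an example such as `expect(moderator_guardian.can_export_entity?('entity_not_in_any_list')).to be_falsey` would make the intended policy for unrecognised entities explicit, since the implementation as written returns true for them. The description `'allow moderators to export other admin entities'` should read `'allows moderators to export other admin entities'` to match the third-person form used by the sibling example. A `Guardian.new(nil)` case would also cover the anonymous path the method guards first.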


@ -7,7 +7,7 @@ describe ExportCsvController do
let(:user) { Fabricate(:user) } let(:user) { Fabricate(:user) }
before { sign_in(user) } before { sign_in(user) }
describe ".export_entity" do describe "#export_entity" do
it "enqueues export job" do it "enqueues export job" do
post "/export_csv/export_entity.json", params: { entity: "user_archive" } post "/export_csv/export_entity.json", params: { entity: "user_archive" }
expect(response.status).to eq(200) expect(response.status).to eq(200)
@ -46,7 +46,7 @@ describe ExportCsvController do
let(:admin) { Fabricate(:admin) } let(:admin) { Fabricate(:admin) }
before { sign_in(admin) } before { sign_in(admin) }
describe ".export_entity" do describe "#export_entity" do
it "enqueues export job" do it "enqueues export job" do
post "/export_csv/export_entity.json", params: { entity: "staff_action" } post "/export_csv/export_entity.json", params: { entity: "staff_action" }
expect(response.status).to eq(200) expect(response.status).to eq(200)
@ -78,4 +78,27 @@ describe ExportCsvController do
end end
end end
end end
context 'while logged in as a moderator' do
let(:moderator) { Fabricate(:moderator) }
before { sign_in(moderator) }
describe '#export_entity' do
it 'does not allow moderators to export user_list' do
post '/export_csv/export_entity.json', params: { entity: 'user_list' }
expect(response.status).to eq(403)
end
it 'allows moderator to export other entities' do
post "/export_csv/export_entity.json", params: { entity: 'staff_action' }
expect(response.status).to eq(200)
expect(Jobs::ExportCsvFile.jobs.size).to eq(1)
job_data = Jobs::ExportCsvFile.jobs.first['args'].first
expect(job_data['entity']).to eq('staff_action')
expect(job_data['user_id']).to eq(moderator.id)
end
end
end
end end
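Review bot: The `does not allow moderators to export user_list` example asserts only the 403 status; adding `expect(Jobs::ExportCsvFile.jobs.size).to eq(0)` after it would confirm the denied request did not still enqueue an export, which is the property that matters for this change. The new context mixes quote styles (`'/export_csv/export_entity.json'` on the first request, `"/export_csv/export_entity.json"` on the second) where the surrounding file uses double quotes. The `allows moderator to export other entities` example repeats the admin example's assertions line for line; a shared example group would keep the two in step.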