FEATURE: do not allow moderators to export user list (#6418)
This commit is contained in:
parent
5f042a2c8d
commit
4bb980b9f7
|
@ -16,7 +16,9 @@
|
||||||
{{#unless siteSettings.enable_sso}}
|
{{#unless siteSettings.enable_sso}}
|
||||||
{{d-button action="sendInvites" title="admin.invite.button_title" icon="user-plus" label="admin.invite.button_text"}}
|
{{d-button action="sendInvites" title="admin.invite.button_title" icon="user-plus" label="admin.invite.button_text"}}
|
||||||
{{/unless}}
|
{{/unless}}
|
||||||
{{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
|
{{#if currentUser.admin}}
|
||||||
|
{{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
|
||||||
|
{{/if}}
|
||||||
</div>
|
</div>
|
||||||
</ul>
|
</ul>
|
||||||
</nav>
|
</nav>
|
||||||
|
|
|
@ -357,7 +357,8 @@ class Guardian
|
||||||
|
|
||||||
def can_export_entity?(entity)
|
def can_export_entity?(entity)
|
||||||
return false unless @user
|
return false unless @user
|
||||||
return true if is_staff?
|
return true if is_admin?
|
||||||
|
return entity != 'user_list' if is_moderator?
|
||||||
|
|
||||||
# Regular users can only export their archives
|
# Regular users can only export their archives
|
||||||
return false unless entity == "user_archive"
|
return false unless entity == "user_archive"
|
||||||
|
|
|
@ -2576,6 +2576,24 @@ describe Guardian do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '#can_export_entity?' do
|
||||||
|
let(:user_guardian) { Guardian.new(user) }
|
||||||
|
let(:moderator_guardian) { Guardian.new(moderator) }
|
||||||
|
let(:admin_guardian) { Guardian.new(admin) }
|
||||||
|
|
||||||
|
it 'only allows admins to export user_list' do
|
||||||
|
expect(user_guardian.can_export_entity?('user_list')).to be_falsey
|
||||||
|
expect(moderator_guardian.can_export_entity?('user_list')).to be_falsey
|
||||||
|
expect(admin_guardian.can_export_entity?('user_list')).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'allow moderators to export other admin entities' do
|
||||||
|
expect(user_guardian.can_export_entity?('staff_action')).to be_falsey
|
||||||
|
expect(moderator_guardian.can_export_entity?('staff_action')).to be_truthy
|
||||||
|
expect(admin_guardian.can_export_entity?('staff_action')).to be_truthy
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "#allow_themes?" do
|
describe "#allow_themes?" do
|
||||||
let(:theme) { Fabricate(:theme) }
|
let(:theme) { Fabricate(:theme) }
|
||||||
let(:theme2) { Fabricate(:theme) }
|
let(:theme2) { Fabricate(:theme) }
|
||||||
|
|
|
@ -7,7 +7,7 @@ describe ExportCsvController do
|
||||||
let(:user) { Fabricate(:user) }
|
let(:user) { Fabricate(:user) }
|
||||||
before { sign_in(user) }
|
before { sign_in(user) }
|
||||||
|
|
||||||
describe ".export_entity" do
|
describe "#export_entity" do
|
||||||
it "enqueues export job" do
|
it "enqueues export job" do
|
||||||
post "/export_csv/export_entity.json", params: { entity: "user_archive" }
|
post "/export_csv/export_entity.json", params: { entity: "user_archive" }
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(200)
|
||||||
|
@ -46,7 +46,7 @@ describe ExportCsvController do
|
||||||
let(:admin) { Fabricate(:admin) }
|
let(:admin) { Fabricate(:admin) }
|
||||||
before { sign_in(admin) }
|
before { sign_in(admin) }
|
||||||
|
|
||||||
describe ".export_entity" do
|
describe "#export_entity" do
|
||||||
it "enqueues export job" do
|
it "enqueues export job" do
|
||||||
post "/export_csv/export_entity.json", params: { entity: "staff_action" }
|
post "/export_csv/export_entity.json", params: { entity: "staff_action" }
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(200)
|
||||||
|
@ -78,4 +78,27 @@ describe ExportCsvController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'while logged in as a moderator' do
|
||||||
|
let(:moderator) { Fabricate(:moderator) }
|
||||||
|
|
||||||
|
before { sign_in(moderator) }
|
||||||
|
|
||||||
|
describe '#export_entity' do
|
||||||
|
it 'does not allow moderators to export user_list' do
|
||||||
|
post '/export_csv/export_entity.json', params: { entity: 'user_list' }
|
||||||
|
expect(response.status).to eq(403)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'allows moderator to export other entities' do
|
||||||
|
post "/export_csv/export_entity.json", params: { entity: 'staff_action' }
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
expect(Jobs::ExportCsvFile.jobs.size).to eq(1)
|
||||||
|
|
||||||
|
job_data = Jobs::ExportCsvFile.jobs.first['args'].first
|
||||||
|
expect(job_data['entity']).to eq('staff_action')
|
||||||
|
expect(job_data['user_id']).to eq(moderator.id)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue