FEATURE: do not allow moderators to export user list (#6418)
This commit is contained in:
parent
5f042a2c8d
commit
4bb980b9f7
|
@ -16,7 +16,9 @@
|
|||
{{#unless siteSettings.enable_sso}}
|
||||
{{d-button action="sendInvites" title="admin.invite.button_title" icon="user-plus" label="admin.invite.button_text"}}
|
||||
{{/unless}}
|
||||
{{#if currentUser.admin}}
|
||||
{{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
|
||||
{{/if}}
|
||||
</div>
|
||||
</ul>
|
||||
</nav>
|
||||
|
|
|
@ -357,7 +357,8 @@ class Guardian
|
|||
|
||||
def can_export_entity?(entity)
|
||||
return false unless @user
|
||||
return true if is_staff?
|
||||
return true if is_admin?
|
||||
return entity != 'user_list' if is_moderator?
|
||||
|
||||
# Regular users can only export their archives
|
||||
return false unless entity == "user_archive"
|
||||
|
|
|
@ -2576,6 +2576,24 @@ describe Guardian do
|
|||
end
|
||||
end
|
||||
|
||||
describe '#can_export_entity?' do
|
||||
let(:user_guardian) { Guardian.new(user) }
|
||||
let(:moderator_guardian) { Guardian.new(moderator) }
|
||||
let(:admin_guardian) { Guardian.new(admin) }
|
||||
|
||||
it 'only allows admins to export user_list' do
|
||||
expect(user_guardian.can_export_entity?('user_list')).to be_falsey
|
||||
expect(moderator_guardian.can_export_entity?('user_list')).to be_falsey
|
||||
expect(admin_guardian.can_export_entity?('user_list')).to be_truthy
|
||||
end
|
||||
|
||||
it 'allow moderators to export other admin entities' do
|
||||
expect(user_guardian.can_export_entity?('staff_action')).to be_falsey
|
||||
expect(moderator_guardian.can_export_entity?('staff_action')).to be_truthy
|
||||
expect(admin_guardian.can_export_entity?('staff_action')).to be_truthy
|
||||
end
|
||||
end
|
||||
|
||||
describe "#allow_themes?" do
|
||||
let(:theme) { Fabricate(:theme) }
|
||||
let(:theme2) { Fabricate(:theme) }
|
||||
|
|
|
@ -7,7 +7,7 @@ describe ExportCsvController do
|
|||
let(:user) { Fabricate(:user) }
|
||||
before { sign_in(user) }
|
||||
|
||||
describe ".export_entity" do
|
||||
describe "#export_entity" do
|
||||
it "enqueues export job" do
|
||||
post "/export_csv/export_entity.json", params: { entity: "user_archive" }
|
||||
expect(response.status).to eq(200)
|
||||
|
@ -46,7 +46,7 @@ describe ExportCsvController do
|
|||
let(:admin) { Fabricate(:admin) }
|
||||
before { sign_in(admin) }
|
||||
|
||||
describe ".export_entity" do
|
||||
describe "#export_entity" do
|
||||
it "enqueues export job" do
|
||||
post "/export_csv/export_entity.json", params: { entity: "staff_action" }
|
||||
expect(response.status).to eq(200)
|
||||
|
@ -78,4 +78,27 @@ describe ExportCsvController do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'while logged in as a moderator' do
|
||||
let(:moderator) { Fabricate(:moderator) }
|
||||
|
||||
before { sign_in(moderator) }
|
||||
|
||||
describe '#export_entity' do
|
||||
it 'does not allow moderators to export user_list' do
|
||||
post '/export_csv/export_entity.json', params: { entity: 'user_list' }
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
|
||||
it 'allows moderator to export other entities' do
|
||||
post "/export_csv/export_entity.json", params: { entity: 'staff_action' }
|
||||
expect(response.status).to eq(200)
|
||||
expect(Jobs::ExportCsvFile.jobs.size).to eq(1)
|
||||
|
||||
job_data = Jobs::ExportCsvFile.jobs.first['args'].first
|
||||
expect(job_data['entity']).to eq('staff_action')
|
||||
expect(job_data['user_id']).to eq(moderator.id)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue