diff --git a/graph/resolvers/user.js b/graph/resolvers/user.js index cfc72e6e4..7d0a0375a 100644 --- a/graph/resolvers/user.js +++ b/graph/resolvers/user.js @@ -4,7 +4,7 @@ const { SEARCH_ACTIONS, SEARCH_OTHER_USERS, SEARCH_OTHERS_COMMENTS, - UPDATE_USER_ROLES, + VIEW_USER_ROLE, LIST_OWN_TOKENS, VIEW_USER_STATUS, } = require('../../perms/constants'); @@ -68,7 +68,7 @@ const User = { role({id, role}, _, {user}) { // If the user is not an admin, only return the current user's roles. - if (user && (user.can(UPDATE_USER_ROLES) || user.id === id)) { + if (user && (user.can(VIEW_USER_ROLE) || user.id === id)) { return role; } diff --git a/perms/constants/query.js b/perms/constants/query.js index 0b73ed1f9..4cc07109c 100644 --- a/perms/constants/query.js +++ b/perms/constants/query.js @@ -8,4 +8,5 @@ module.exports = { VIEW_USER_STATUS: 'VIEW_USER_STATUS', VIEW_PROTECTED_SETTINGS: 'VIEW_PROTECTED_SETTINGS', LIST_OWN_TOKENS: 'LIST_OWN_TOKENS', + VIEW_USER_ROLE: 'VIEW_USER_ROLE', }; diff --git a/perms/reducers/mutation.js b/perms/reducers/mutation.js index a49a901fa..8614bad96 100644 --- a/perms/reducers/mutation.js +++ b/perms/reducers/mutation.js @@ -22,17 +22,17 @@ module.exports = (user, perm) => { case types.REMOVE_COMMENT_TAG: return check(user, ['ADMIN', 'MODERATOR', 'STAFF']); - case types.UPDATE_USER_ROLES: case types.SET_COMMENT_STATUS: case types.SET_USER_USERNAME_STATUS: case types.SET_USER_BAN_STATUS: case types.SET_USER_SUSPENSION_STATUS: - case types.UPDATE_CONFIG: - case types.UPDATE_SETTINGS: case types.UPDATE_ASSET_SETTINGS: case types.UPDATE_ASSET_STATUS: return check(user, ['ADMIN', 'MODERATOR']); + case types.UPDATE_CONFIG: + case types.UPDATE_SETTINGS: + case types.UPDATE_USER_ROLES: case types.CREATE_TOKEN: case types.REVOKE_TOKEN: return check(user, ['ADMIN']); diff --git a/perms/reducers/query.js b/perms/reducers/query.js index 67824342b..7139f6f76 100644 --- a/perms/reducers/query.js +++ b/perms/reducers/query.js @@ -12,6 +12,7 @@ module.exports = (user, perm) => { case types.SEARCH_COMMENT_STATUS_HISTORY: case types.VIEW_USER_STATUS: case types.VIEW_PROTECTED_SETTINGS: + case types.VIEW_USER_ROLE: return check(user, ['ADMIN', 'MODERATOR']); case types.LIST_OWN_TOKENS: return check(user, ['ADMIN']); diff --git a/test/server/graph/mutations/updateSettings.js b/test/server/graph/mutations/updateSettings.js index c660ea169..3f7eac701 100644 --- a/test/server/graph/mutations/updateSettings.js +++ b/test/server/graph/mutations/updateSettings.js @@ -27,8 +27,8 @@ describe('graph.mutations.updateSettings', () => { [ {error: 'NOT_AUTHORIZED', role: 'COMMENTER'}, + {error: 'NOT_AUTHORIZED', role: 'MODERATOR'}, {role: 'ADMIN'}, - {role: 'MODERATOR'}, ].forEach(({role, error}) => { it(`role = ${role}`, async () => { const user = new UserModel({role});