From 44648fa901340434c61014ecb3b1d3d7320d6a59 Mon Sep 17 00:00:00 2001 From: Wyatt Johnson Date: Wed, 10 Jan 2018 13:04:56 -0700 Subject: [PATCH 1/2] fixed perms issue --- perms/reducers/mutation.js | 6 +++--- test/server/graph/mutations/updateSettings.js | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/perms/reducers/mutation.js b/perms/reducers/mutation.js index a49a901fa..8614bad96 100644 --- a/perms/reducers/mutation.js +++ b/perms/reducers/mutation.js @@ -22,17 +22,17 @@ module.exports = (user, perm) => { case types.REMOVE_COMMENT_TAG: return check(user, ['ADMIN', 'MODERATOR', 'STAFF']); - case types.UPDATE_USER_ROLES: case types.SET_COMMENT_STATUS: case types.SET_USER_USERNAME_STATUS: case types.SET_USER_BAN_STATUS: case types.SET_USER_SUSPENSION_STATUS: - case types.UPDATE_CONFIG: - case types.UPDATE_SETTINGS: case types.UPDATE_ASSET_SETTINGS: case types.UPDATE_ASSET_STATUS: return check(user, ['ADMIN', 'MODERATOR']); + case types.UPDATE_CONFIG: + case types.UPDATE_SETTINGS: + case types.UPDATE_USER_ROLES: case types.CREATE_TOKEN: case types.REVOKE_TOKEN: return check(user, ['ADMIN']); diff --git a/test/server/graph/mutations/updateSettings.js b/test/server/graph/mutations/updateSettings.js index c660ea169..3f7eac701 100644 --- a/test/server/graph/mutations/updateSettings.js +++ b/test/server/graph/mutations/updateSettings.js @@ -27,8 +27,8 @@ describe('graph.mutations.updateSettings', () => { [ {error: 'NOT_AUTHORIZED', role: 'COMMENTER'}, + {error: 'NOT_AUTHORIZED', role: 'MODERATOR'}, {role: 'ADMIN'}, - {role: 'MODERATOR'}, ].forEach(({role, error}) => { it(`role = ${role}`, async () => { const user = new UserModel({role}); From 4d65052eef1ad9a47749902be19a8b1212d86d18 Mon Sep 17 00:00:00 2001 From: Wyatt Johnson Date: Thu, 11 Jan 2018 14:00:26 -0700 Subject: [PATCH 2/2] allow moderators to view role --- graph/resolvers/user.js | 4 ++-- perms/constants/query.js | 1 + perms/reducers/query.js | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/graph/resolvers/user.js b/graph/resolvers/user.js index cfc72e6e4..7d0a0375a 100644 --- a/graph/resolvers/user.js +++ b/graph/resolvers/user.js @@ -4,7 +4,7 @@ const { SEARCH_ACTIONS, SEARCH_OTHER_USERS, SEARCH_OTHERS_COMMENTS, - UPDATE_USER_ROLES, + VIEW_USER_ROLE, LIST_OWN_TOKENS, VIEW_USER_STATUS, } = require('../../perms/constants'); @@ -68,7 +68,7 @@ const User = { role({id, role}, _, {user}) { // If the user is not an admin, only return the current user's roles. - if (user && (user.can(UPDATE_USER_ROLES) || user.id === id)) { + if (user && (user.can(VIEW_USER_ROLE) || user.id === id)) { return role; } diff --git a/perms/constants/query.js b/perms/constants/query.js index 0b73ed1f9..4cc07109c 100644 --- a/perms/constants/query.js +++ b/perms/constants/query.js @@ -8,4 +8,5 @@ module.exports = { VIEW_USER_STATUS: 'VIEW_USER_STATUS', VIEW_PROTECTED_SETTINGS: 'VIEW_PROTECTED_SETTINGS', LIST_OWN_TOKENS: 'LIST_OWN_TOKENS', + VIEW_USER_ROLE: 'VIEW_USER_ROLE', }; diff --git a/perms/reducers/query.js b/perms/reducers/query.js index 67824342b..7139f6f76 100644 --- a/perms/reducers/query.js +++ b/perms/reducers/query.js @@ -12,6 +12,7 @@ module.exports = (user, perm) => { case types.SEARCH_COMMENT_STATUS_HISTORY: case types.VIEW_USER_STATUS: case types.VIEW_PROTECTED_SETTINGS: + case types.VIEW_USER_ROLE: return check(user, ['ADMIN', 'MODERATOR']); case types.LIST_OWN_TOKENS: return check(user, ['ADMIN']);