1
0
mirror of https://github.com/immich-app/immich.git synced 2024-12-25 10:43:13 +02:00

fix(server): user update (#2143)

* fix(server): user update

* update dto

* generate api

* improve validation

* add e2e tests for updating user

---------

Co-authored-by: Michel Heusschen <59014050+michelheusschen@users.noreply.github.com>
This commit is contained in:
Alex 2023-04-01 11:43:45 -05:00 committed by GitHub
parent aaaf1a6cf8
commit d04f340b5b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 101 additions and 47 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -32,7 +32,7 @@ import { UserCountDto } from '@app/domain';
@ApiTags('User')
@Controller('user')
@UsePipes(new ValidationPipe({ transform: true }))
@UsePipes(new ValidationPipe({ transform: true, whitelist: true }))
export class UserController {
constructor(private service: UserService) {}

View File

@ -2,7 +2,7 @@ import { Test, TestingModule } from '@nestjs/testing';
import { INestApplication } from '@nestjs/common';
import request from 'supertest';
import { clearDb, authCustom } from './test-utils';
import { CreateUserDto, UserService, AuthUserDto } from '@app/domain';
import { CreateUserDto, UserService, AuthUserDto, UserResponseDto } from '@app/domain';
import { DataSource } from 'typeorm';
import { AuthService } from '@app/domain';
import { AppModule } from '../src/app.module';
@ -39,10 +39,11 @@ describe('User', () => {
});
});
describe('with auth', () => {
describe('with admin auth', () => {
let userService: UserService;
let authService: AuthService;
let authUser: AuthUserDto;
let userOne: UserResponseDto;
beforeAll(async () => {
const builder = Test.createTestingModule({ imports: [AppModule] });
@ -69,7 +70,8 @@ describe('User', () => {
password: '1234',
});
authUser = { ...adminSignupResponseDto, isAdmin: true }; // TODO: find out why adminSignUp doesn't have isAdmin (maybe can just return UserResponseDto)
await Promise.allSettled([
[userOne] = await Promise.all([
_createUser(userService, {
firstName: 'one',
lastName: 'test',
@ -121,6 +123,67 @@ describe('User', () => {
);
expect(body).toEqual(expect.not.arrayContaining([expect.objectContaining({ email: authUserEmail })]));
});
it('disallows admin user from creating a second admin account', async () => {
const { status } = await request(app.getHttpServer())
.put('/user')
.send({
...userOne,
isAdmin: true,
});
expect(status).toEqual(400);
});
it('ignores updates to createdAt, updatedAt and deletedAt', async () => {
const { status, body } = await request(app.getHttpServer())
.put('/user')
.send({
...userOne,
createdAt: '2023-01-01T00:00:00.000Z',
updatedAt: '2023-01-01T00:00:00.000Z',
deletedAt: '2023-01-01T00:00:00.000Z',
});
expect(status).toEqual(200);
expect(body).toStrictEqual({
...userOne,
createdAt: new Date(userOne.createdAt).toISOString(),
updatedAt: expect.anything(),
});
});
it('ignores updates to profileImagePath', async () => {
const { status, body } = await request(app.getHttpServer())
.put('/user')
.send({
...userOne,
profileImagePath: 'invalid.jpg',
});
expect(status).toEqual(200);
expect(body).toStrictEqual({
...userOne,
createdAt: new Date(userOne.createdAt).toISOString(),
updatedAt: expect.anything(),
});
});
it('allows to update first and last name', async () => {
const { status, body } = await request(app.getHttpServer())
.put('/user')
.send({
...userOne,
firstName: 'newFirstName',
lastName: 'newLastName',
});
expect(status).toEqual(200);
expect(body).toMatchObject({
...userOne,
createdAt: new Date(userOne.createdAt).toISOString(),
updatedAt: expect.anything(),
firstName: 'newFirstName',
lastName: 'newLastName',
});
});
});
});
});

View File

@ -4812,29 +4812,31 @@
"UpdateUserDto": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"email": {
"type": "string"
"type": "string",
"example": "testuser@email.com"
},
"password": {
"type": "string"
"type": "string",
"example": "password"
},
"firstName": {
"type": "string"
"type": "string",
"example": "John"
},
"lastName": {
"type": "string"
"type": "string",
"example": "Doe"
},
"id": {
"type": "string",
"format": "uuid"
},
"isAdmin": {
"type": "boolean"
},
"shouldChangePassword": {
"type": "boolean"
},
"profileImagePath": {
"type": "string"
}
},
"required": [

View File

@ -1,28 +1,18 @@
import { IsEmail, IsNotEmpty, IsOptional } from 'class-validator';
import { IsBoolean, IsNotEmpty, IsOptional, IsUUID } from 'class-validator';
import { CreateUserDto } from './create-user.dto';
import { ApiProperty, PartialType } from '@nestjs/swagger';
export class UpdateUserDto {
export class UpdateUserDto extends PartialType(CreateUserDto) {
@IsNotEmpty()
@IsUUID('4')
@ApiProperty({ format: 'uuid' })
id!: string;
@IsEmail()
@IsOptional()
email?: string;
@IsOptional()
password?: string;
@IsOptional()
firstName?: string;
@IsOptional()
lastName?: string;
@IsOptional()
@IsBoolean()
isAdmin?: boolean;
@IsOptional()
@IsBoolean()
shouldChangePassword?: boolean;
@IsOptional()
profileImagePath?: string;
}

View File

@ -21,12 +21,16 @@ export class UserCore {
constructor(private userRepository: IUserRepository, private cryptoRepository: ICryptoRepository) {}
async updateUser(authUser: AuthUserDto, id: string, dto: Partial<UserEntity>): Promise<UserEntity> {
if (!(authUser.isAdmin || authUser.id === id)) {
if (!authUser.isAdmin && authUser.id !== id) {
throw new ForbiddenException('You are not allowed to update this user');
}
if (dto.isAdmin && authUser.isAdmin && authUser.id !== id) {
throw new BadRequestException('Admin user exists');
if (!authUser.isAdmin) {
// Users can never update the isAdmin property.
delete dto.isAdmin;
} else if (dto.isAdmin && authUser.id !== id) {
// Admin cannot create another admin.
throw new BadRequestException('The server already has an admin');
}
if (dto.email) {

View File

@ -90,6 +90,7 @@ export class UserService {
if (!user) {
throw new NotFoundException('User not found');
}
const updatedUser = await this.userCore.updateUser(authUser, dto.id, dto);
return mapUser(updatedUser);
}

View File

@ -2292,12 +2292,6 @@ export interface UpdateTagDto {
* @interface UpdateUserDto
*/
export interface UpdateUserDto {
/**
*
* @type {string}
* @memberof UpdateUserDto
*/
'id': string;
/**
*
* @type {string}
@ -2322,6 +2316,12 @@ export interface UpdateUserDto {
* @memberof UpdateUserDto
*/
'lastName'?: string;
/**
*
* @type {string}
* @memberof UpdateUserDto
*/
'id': string;
/**
*
* @type {boolean}
@ -2334,12 +2334,6 @@ export interface UpdateUserDto {
* @memberof UpdateUserDto
*/
'shouldChangePassword'?: boolean;
/**
*
* @type {string}
* @memberof UpdateUserDto
*/
'profileImagePath'?: string;
}
/**
*