mirror of
https://github.com/immich-app/immich.git
synced 2024-12-25 10:43:13 +02:00
fix(server): user update (#2143)
* fix(server): user update * update dto * generate api * improve validation * add e2e tests for updating user --------- Co-authored-by: Michel Heusschen <59014050+michelheusschen@users.noreply.github.com>
This commit is contained in:
parent
aaaf1a6cf8
commit
d04f340b5b
BIN
mobile/openapi/doc/UpdateUserDto.md
generated
BIN
mobile/openapi/doc/UpdateUserDto.md
generated
Binary file not shown.
BIN
mobile/openapi/lib/model/update_user_dto.dart
generated
BIN
mobile/openapi/lib/model/update_user_dto.dart
generated
Binary file not shown.
BIN
mobile/openapi/test/update_user_dto_test.dart
generated
BIN
mobile/openapi/test/update_user_dto_test.dart
generated
Binary file not shown.
@ -32,7 +32,7 @@ import { UserCountDto } from '@app/domain';
|
||||
|
||||
@ApiTags('User')
|
||||
@Controller('user')
|
||||
@UsePipes(new ValidationPipe({ transform: true }))
|
||||
@UsePipes(new ValidationPipe({ transform: true, whitelist: true }))
|
||||
export class UserController {
|
||||
constructor(private service: UserService) {}
|
||||
|
||||
|
@ -2,7 +2,7 @@ import { Test, TestingModule } from '@nestjs/testing';
|
||||
import { INestApplication } from '@nestjs/common';
|
||||
import request from 'supertest';
|
||||
import { clearDb, authCustom } from './test-utils';
|
||||
import { CreateUserDto, UserService, AuthUserDto } from '@app/domain';
|
||||
import { CreateUserDto, UserService, AuthUserDto, UserResponseDto } from '@app/domain';
|
||||
import { DataSource } from 'typeorm';
|
||||
import { AuthService } from '@app/domain';
|
||||
import { AppModule } from '../src/app.module';
|
||||
@ -39,10 +39,11 @@ describe('User', () => {
|
||||
});
|
||||
});
|
||||
|
||||
describe('with auth', () => {
|
||||
describe('with admin auth', () => {
|
||||
let userService: UserService;
|
||||
let authService: AuthService;
|
||||
let authUser: AuthUserDto;
|
||||
let userOne: UserResponseDto;
|
||||
|
||||
beforeAll(async () => {
|
||||
const builder = Test.createTestingModule({ imports: [AppModule] });
|
||||
@ -69,7 +70,8 @@ describe('User', () => {
|
||||
password: '1234',
|
||||
});
|
||||
authUser = { ...adminSignupResponseDto, isAdmin: true }; // TODO: find out why adminSignUp doesn't have isAdmin (maybe can just return UserResponseDto)
|
||||
await Promise.allSettled([
|
||||
|
||||
[userOne] = await Promise.all([
|
||||
_createUser(userService, {
|
||||
firstName: 'one',
|
||||
lastName: 'test',
|
||||
@ -121,6 +123,67 @@ describe('User', () => {
|
||||
);
|
||||
expect(body).toEqual(expect.not.arrayContaining([expect.objectContaining({ email: authUserEmail })]));
|
||||
});
|
||||
|
||||
it('disallows admin user from creating a second admin account', async () => {
|
||||
const { status } = await request(app.getHttpServer())
|
||||
.put('/user')
|
||||
.send({
|
||||
...userOne,
|
||||
isAdmin: true,
|
||||
});
|
||||
expect(status).toEqual(400);
|
||||
});
|
||||
|
||||
it('ignores updates to createdAt, updatedAt and deletedAt', async () => {
|
||||
const { status, body } = await request(app.getHttpServer())
|
||||
.put('/user')
|
||||
.send({
|
||||
...userOne,
|
||||
createdAt: '2023-01-01T00:00:00.000Z',
|
||||
updatedAt: '2023-01-01T00:00:00.000Z',
|
||||
deletedAt: '2023-01-01T00:00:00.000Z',
|
||||
});
|
||||
expect(status).toEqual(200);
|
||||
expect(body).toStrictEqual({
|
||||
...userOne,
|
||||
createdAt: new Date(userOne.createdAt).toISOString(),
|
||||
updatedAt: expect.anything(),
|
||||
});
|
||||
});
|
||||
|
||||
it('ignores updates to profileImagePath', async () => {
|
||||
const { status, body } = await request(app.getHttpServer())
|
||||
.put('/user')
|
||||
.send({
|
||||
...userOne,
|
||||
profileImagePath: 'invalid.jpg',
|
||||
});
|
||||
expect(status).toEqual(200);
|
||||
expect(body).toStrictEqual({
|
||||
...userOne,
|
||||
createdAt: new Date(userOne.createdAt).toISOString(),
|
||||
updatedAt: expect.anything(),
|
||||
});
|
||||
});
|
||||
|
||||
it('allows to update first and last name', async () => {
|
||||
const { status, body } = await request(app.getHttpServer())
|
||||
.put('/user')
|
||||
.send({
|
||||
...userOne,
|
||||
firstName: 'newFirstName',
|
||||
lastName: 'newLastName',
|
||||
});
|
||||
|
||||
expect(status).toEqual(200);
|
||||
expect(body).toMatchObject({
|
||||
...userOne,
|
||||
createdAt: new Date(userOne.createdAt).toISOString(),
|
||||
updatedAt: expect.anything(),
|
||||
firstName: 'newFirstName',
|
||||
lastName: 'newLastName',
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
|
@ -4812,29 +4812,31 @@
|
||||
"UpdateUserDto": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"id": {
|
||||
"type": "string"
|
||||
},
|
||||
"email": {
|
||||
"type": "string"
|
||||
"type": "string",
|
||||
"example": "testuser@email.com"
|
||||
},
|
||||
"password": {
|
||||
"type": "string"
|
||||
"type": "string",
|
||||
"example": "password"
|
||||
},
|
||||
"firstName": {
|
||||
"type": "string"
|
||||
"type": "string",
|
||||
"example": "John"
|
||||
},
|
||||
"lastName": {
|
||||
"type": "string"
|
||||
"type": "string",
|
||||
"example": "Doe"
|
||||
},
|
||||
"id": {
|
||||
"type": "string",
|
||||
"format": "uuid"
|
||||
},
|
||||
"isAdmin": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"shouldChangePassword": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"profileImagePath": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
|
@ -1,28 +1,18 @@
|
||||
import { IsEmail, IsNotEmpty, IsOptional } from 'class-validator';
|
||||
import { IsBoolean, IsNotEmpty, IsOptional, IsUUID } from 'class-validator';
|
||||
import { CreateUserDto } from './create-user.dto';
|
||||
import { ApiProperty, PartialType } from '@nestjs/swagger';
|
||||
|
||||
export class UpdateUserDto {
|
||||
export class UpdateUserDto extends PartialType(CreateUserDto) {
|
||||
@IsNotEmpty()
|
||||
@IsUUID('4')
|
||||
@ApiProperty({ format: 'uuid' })
|
||||
id!: string;
|
||||
|
||||
@IsEmail()
|
||||
@IsOptional()
|
||||
email?: string;
|
||||
|
||||
@IsOptional()
|
||||
password?: string;
|
||||
|
||||
@IsOptional()
|
||||
firstName?: string;
|
||||
|
||||
@IsOptional()
|
||||
lastName?: string;
|
||||
|
||||
@IsOptional()
|
||||
@IsBoolean()
|
||||
isAdmin?: boolean;
|
||||
|
||||
@IsOptional()
|
||||
@IsBoolean()
|
||||
shouldChangePassword?: boolean;
|
||||
|
||||
@IsOptional()
|
||||
profileImagePath?: string;
|
||||
}
|
||||
|
@ -21,12 +21,16 @@ export class UserCore {
|
||||
constructor(private userRepository: IUserRepository, private cryptoRepository: ICryptoRepository) {}
|
||||
|
||||
async updateUser(authUser: AuthUserDto, id: string, dto: Partial<UserEntity>): Promise<UserEntity> {
|
||||
if (!(authUser.isAdmin || authUser.id === id)) {
|
||||
if (!authUser.isAdmin && authUser.id !== id) {
|
||||
throw new ForbiddenException('You are not allowed to update this user');
|
||||
}
|
||||
|
||||
if (dto.isAdmin && authUser.isAdmin && authUser.id !== id) {
|
||||
throw new BadRequestException('Admin user exists');
|
||||
if (!authUser.isAdmin) {
|
||||
// Users can never update the isAdmin property.
|
||||
delete dto.isAdmin;
|
||||
} else if (dto.isAdmin && authUser.id !== id) {
|
||||
// Admin cannot create another admin.
|
||||
throw new BadRequestException('The server already has an admin');
|
||||
}
|
||||
|
||||
if (dto.email) {
|
||||
|
@ -90,6 +90,7 @@ export class UserService {
|
||||
if (!user) {
|
||||
throw new NotFoundException('User not found');
|
||||
}
|
||||
|
||||
const updatedUser = await this.userCore.updateUser(authUser, dto.id, dto);
|
||||
return mapUser(updatedUser);
|
||||
}
|
||||
|
18
web/src/api/open-api/api.ts
generated
18
web/src/api/open-api/api.ts
generated
@ -2292,12 +2292,6 @@ export interface UpdateTagDto {
|
||||
* @interface UpdateUserDto
|
||||
*/
|
||||
export interface UpdateUserDto {
|
||||
/**
|
||||
*
|
||||
* @type {string}
|
||||
* @memberof UpdateUserDto
|
||||
*/
|
||||
'id': string;
|
||||
/**
|
||||
*
|
||||
* @type {string}
|
||||
@ -2322,6 +2316,12 @@ export interface UpdateUserDto {
|
||||
* @memberof UpdateUserDto
|
||||
*/
|
||||
'lastName'?: string;
|
||||
/**
|
||||
*
|
||||
* @type {string}
|
||||
* @memberof UpdateUserDto
|
||||
*/
|
||||
'id': string;
|
||||
/**
|
||||
*
|
||||
* @type {boolean}
|
||||
@ -2334,12 +2334,6 @@ export interface UpdateUserDto {
|
||||
* @memberof UpdateUserDto
|
||||
*/
|
||||
'shouldChangePassword'?: boolean;
|
||||
/**
|
||||
*
|
||||
* @type {string}
|
||||
* @memberof UpdateUserDto
|
||||
*/
|
||||
'profileImagePath'?: string;
|
||||
}
|
||||
/**
|
||||
*
|
||||
|
Loading…
Reference in New Issue
Block a user