Fix profiles not administrators able to edit a group

Related to #385

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2020-10-09 15:26:37 +02:00
parent 2adf688092
commit 3e89a72d74
8 changed files with 204 additions and 109 deletions

49
js/src/mixins/group.ts Normal file
View File

@ -0,0 +1,49 @@
import { PERSON_MEMBERSHIPS, CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
import { FETCH_GROUP } from "@/graphql/group";
import { Group, IActor, IGroup, IPerson, MemberRole } from "@/types/actor";
import { Component, Vue } from "vue-property-decorator";
@Component({
apollo: {
group: {
query: FETCH_GROUP,
fetchPolicy: "cache-and-network",
variables() {
return {
name: this.$route.params.preferredUsername,
};
},
skip() {
return !this.$route.params.preferredUsername;
},
},
person: {
query: PERSON_MEMBERSHIPS,
fetchPolicy: "cache-and-network",
variables() {
return {
id: this.currentActor.id,
};
},
skip() {
return !this.currentActor || !this.currentActor.id;
},
},
currentActor: CURRENT_ACTOR_CLIENT,
},
})
export default class GroupMixin extends Vue {
group: IGroup = new Group();
currentActor!: IActor;
person!: IPerson;
get isCurrentActorAGroupAdmin(): boolean {
return (
this.person &&
this.person.memberships.elements.some(
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
)
);
}
}

View File

@ -338,19 +338,9 @@
</template>
<script lang="ts">
import { Component, Prop, Vue, Watch } from "vue-property-decorator";
import { Component, Prop, Watch } from "vue-property-decorator";
import EventCard from "@/components/Event/EventCard.vue";
import { CURRENT_ACTOR_CLIENT, PERSON_MEMBERSHIPS } from "@/graphql/actor";
import { FETCH_GROUP } from "@/graphql/group";
import {
IActor,
IGroup,
IPerson,
usernameWithDomain,
Group as GroupModel,
MemberRole,
IMember,
} from "@/types/actor";
import { IActor, usernameWithDomain, MemberRole, IMember } from "@/types/actor";
import Subtitle from "@/components/Utils/Subtitle.vue";
import CompactTodo from "@/components/Todo/CompactTodo.vue";
import EventMinimalistCard from "@/components/Event/EventMinimalistCard.vue";
@ -365,34 +355,14 @@ import { CONFIG } from "@/graphql/config";
import { CREATE_REPORT } from "@/graphql/report";
import { IReport } from "@/types/report.model";
import { IConfig } from "@/types/config.model";
import GroupMixin from "@/mixins/group";
import { mixins } from "vue-class-component";
import RouteName from "../../router/name";
import GroupSection from "../../components/Group/GroupSection.vue";
import ReportModal from "../../components/Report/ReportModal.vue";
@Component({
apollo: {
group: {
query: FETCH_GROUP,
fetchPolicy: "cache-and-network",
variables() {
return {
name: this.preferredUsername,
};
},
},
person: {
query: PERSON_MEMBERSHIPS,
fetchPolicy: "cache-and-network",
variables() {
return {
id: this.currentActor.id,
};
},
skip() {
return !this.currentActor || !this.currentActor.id;
},
},
currentActor: CURRENT_ACTOR_CLIENT,
config: CONFIG,
},
components: {
@ -425,15 +395,9 @@ import ReportModal from "../../components/Report/ReportModal.vue";
};
},
})
export default class Group extends Vue {
export default class Group extends mixins(GroupMixin) {
@Prop({ type: String, required: true }) preferredUsername!: string;
currentActor!: IActor;
person!: IPerson;
group: IGroup = new GroupModel();
config!: IConfig;
loading = true;
@ -550,15 +514,6 @@ export default class Group extends Vue {
);
}
get isCurrentActorAGroupAdmin(): boolean {
return (
this.person &&
this.person.memberships.elements.some(
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
)
);
}
/**
* New members, if on a different server,
* can take a while to refresh the group and fetch all private data

View File

@ -31,7 +31,7 @@
</li>
</ul>
</nav>
<section class="container section" v-if="group">
<section class="container section" v-if="group && isCurrentActorAGroupAdmin">
<form @submit.prevent="inviteMember">
<b-field :label="$t('Invite a new member')" custom-class="add-relay" horizontal>
<b-field
@ -171,42 +171,23 @@
</template>
</b-table>
</section>
<b-message v-else-if="group">
{{ $t("You are not an administrator for this group.") }}
</b-message>
</div>
</template>
<script lang="ts">
import { Component, Vue, Watch } from "vue-property-decorator";
import { CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
import { Component, Watch } from "vue-property-decorator";
import GroupMixin from "@/mixins/group";
import { mixins } from "vue-class-component";
import RouteName from "../../router/name";
import { INVITE_MEMBER, GROUP_MEMBERS, REMOVE_MEMBER, UPDATE_MEMBER } from "../../graphql/member";
import { IGroup, IPerson, usernameWithDomain } from "../../types/actor";
import { IGroup, usernameWithDomain } from "../../types/actor";
import { IMember, MemberRole } from "../../types/actor/group.model";
@Component({
apollo: {
currentActor: CURRENT_ACTOR_CLIENT,
group: {
query: GROUP_MEMBERS,
fetchPolicy: "network-only",
variables() {
return {
name: this.$route.params.preferredUsername,
page: 1,
limit: this.MEMBERS_PER_PAGE,
roles: this.roles,
};
},
skip() {
return !this.$route.params.preferredUsername;
},
},
},
})
export default class GroupMembers extends Vue {
group!: IGroup;
currentActor!: IPerson;
@Component
export default class GroupMembers extends mixins(GroupMixin) {
loading = true;
newMemberUsername = "";

View File

@ -31,7 +31,7 @@
</li>
</ul>
</nav>
<section class="container section">
<section class="container section" v-if="isCurrentActorAGroupAdmin">
<form @submit.prevent="updateGroup">
<b-field :label="$t('Group name')">
<b-input v-model="group.name" />
@ -114,44 +114,32 @@
</div>
</form>
</section>
<b-message>
{{ $t("You are not an administrator for this group.") }}
</b-message>
</div>
</template>
<script lang="ts">
import { Component, Vue } from "vue-property-decorator";
import { Component } from "vue-property-decorator";
import FullAddressAutoComplete from "@/components/Event/FullAddressAutoComplete.vue";
import { Route } from "vue-router";
import PictureUpload from "@/components/PictureUpload.vue";
import { mixins } from "vue-class-component";
import GroupMixin from "@/mixins/group";
import RouteName from "../../router/name";
import { FETCH_GROUP, UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
import { UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
import { IGroup, usernameWithDomain } from "../../types/actor";
import { Address, IAddress } from "../../types/address.model";
import { Group } from "../../types/actor/group.model";
@Component({
apollo: {
group: {
query: FETCH_GROUP,
fetchPolicy: "cache-and-network",
variables() {
return {
name: this.$route.params.preferredUsername,
};
},
skip() {
return !this.$route.params.preferredUsername;
},
},
},
components: {
FullAddressAutoComplete,
PictureUpload,
editor: () => import("../../components/Editor.vue"),
},
})
export default class GroupSettings extends Vue {
group: IGroup = new Group();
export default class GroupSettings extends mixins(GroupMixin) {
loading = true;
RouteName = RouteName;

View File

@ -23,8 +23,9 @@
</aside>
</template>
<script lang="ts">
import { Component, Vue } from "vue-property-decorator";
import { IGroup } from "@/types/actor";
import { Component } from "vue-property-decorator";
import { mixins } from "vue-class-component";
import GroupMixin from "@/mixins/group";
import RouteName from "../../router/name";
import SettingMenuSection from "../../components/Settings/SettingMenuSection.vue";
import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
@ -32,10 +33,8 @@ import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
@Component({
components: { SettingMenuSection, SettingMenuItem },
})
export default class Settings extends Vue {
export default class Settings extends mixins(GroupMixin) {
RouteName = RouteName;
group!: IGroup[];
}
</script>

View File

@ -145,11 +145,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
end
@doc """
Create a new group. The creator is automatically added as admin
Update a group. The creator is automatically added as admin
"""
def update_group(
_parent,
args,
%{id: group_id} = args,
%{
context: %{
current_user: %User{} = user
@ -157,6 +157,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
}
) do
with %Actor{} = updater_actor <- Users.get_actor_for_user(user),
{:administrator, true} <-
{:administrator, Actors.is_administrator?(updater_actor.id, group_id)},
args <- Map.put(args, :updater_actor, updater_actor),
args <- save_attached_pictures(args),
{:ok, _activity, %Actor{type: :Group} = group} <-
@ -166,8 +168,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
{:error, err} when is_binary(err) ->
{:error, err}
{:is_owned, nil} ->
{:error, dgettext("errors", "Creator profile is not owned by the current user")}
{:administrator, false} ->
{:error, dgettext("errors", "Profile is not administrator for the group")}
end
end

View File

@ -704,6 +704,22 @@ defmodule Mobilizon.Actors do
)
end
@spec is_moderator?(integer | String.t(), integer | String.t()) :: boolean()
def is_moderator?(actor_id, parent_id) do
match?(
{:ok, %Member{}},
get_member(actor_id, parent_id, @moderator_roles)
)
end
@spec is_administrator?(integer | String.t(), integer | String.t()) :: boolean()
def is_administrator?(actor_id, parent_id) do
match?(
{:ok, %Member{}},
get_member(actor_id, parent_id, @administrator_roles)
)
end
@doc """
Gets a single member of an actor (for example a group).
"""

View File

@ -239,6 +239,111 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
end
end
describe "update a group" do
@update_group_mutation """
mutation UpdateGroup(
$id: ID!
$name: String
$summary: String
$avatar: PictureInput
$banner: PictureInput
$visibility: GroupVisibility
$physicalAddress: AddressInput
) {
updateGroup(
id: $id
name: $name
summary: $summary
banner: $banner
avatar: $avatar
visibility: $visibility
physicalAddress: $physicalAddress
) {
id
preferredUsername
name
summary
visibility
avatar {
url
}
banner {
url
}
}
}
"""
@new_group_name "new name for group"
test "update_group/3 updates a group", %{conn: conn, user: user, actor: actor} do
group = insert(:group)
insert(:member, parent: group, actor: actor, role: :administrator)
res =
conn
|> auth_conn(user)
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{
id: group.id,
name: @new_group_name,
visibility: "UNLISTED"
}
)
assert is_nil(res["errors"])
assert res["data"]["updateGroup"]["name"] == @new_group_name
assert res["data"]["updateGroup"]["visibility"] == "UNLISTED"
end
test "update_group/3 requires to be logged-in to update a group", %{conn: conn} do
group = insert(:group)
res =
conn
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{id: group.id, name: @new_group_name}
)
assert hd(res["errors"])["message"] == "You need to be logged-in to update a group"
end
test "update_group/3 requires to be an admin of the group to update a group", %{
conn: conn,
actor: actor
} do
group = insert(:group)
insert(:member, parent: group, actor: actor, role: :administrator)
user = insert(:user)
actor2 = insert(:actor, user: user)
# Actor not member
res =
conn
|> auth_conn(user)
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{id: group.id, name: @new_group_name}
)
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
# Actor member but not admin
insert(:member, parent: group, actor: actor2, role: :moderator)
res =
conn
|> auth_conn(user)
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{id: group.id, name: @new_group_name}
)
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
end
end
describe "delete a group" do
@delete_group_mutation """
mutation DeleteGroup($groupId: ID!) {