Fix profiles not administrators able to edit a group
Related to #385 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
2adf688092
commit
3e89a72d74
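--- a/js/src/mixins/group.ts
+++ b/js/src/mixins/group.ts
@@ -0,0 +1,49 @@
+import { PERSON_MEMBERSHIPS, CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
+import { FETCH_GROUP } from "@/graphql/group";
+import { Group, IActor, IGroup, IPerson, MemberRole } from "@/types/actor";
+import { Component, Vue } from "vue-property-decorator";
+
+@Component({
+apollo: {
+group: {
+query: FETCH_GROUP,
+fetchPolicy: "cache-and-network",
+variables() {
+return {
+name: this.$route.params.preferredUsername,
+};
+},
+skip() {
+return !this.$route.params.preferredUsername;
+},
+},
+person: {
+query: PERSON_MEMBERSHIPS,
+fetchPolicy: "cache-and-network",
+variables() {
+return {
+id: this.currentActor.id,
+};
+},
+skip() {
+return !this.currentActor || !this.currentActor.id;
+},
+},
+currentActor: CURRENT_ACTOR_CLIENT,
+},
+})
+export default class GroupMixin extends Vue {
+group: IGroup = new Group();
+currentActor!: IActor;
+
+person!: IPerson;
+
+get isCurrentActorAGroupAdmin(): boolean {
+return (
+this.person &&
+this.person.memberships.elements.some(
+({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
+)
+);
+}
+}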
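Review bot: `isCurrentActorAGroupAdmin` is declared `boolean`, but `this.person && …` evaluates to `undefined` until the `person` query has resolved, because `person!` only silences the compiler. Opening the getter with `if (!this.person) return false;` keeps the declared type honest for any caller that compares the value strictly. The getter also deserves a doc comment saying it only decides what the UI renders, for example `/** UI hint only: the server must still refuse updates from non-administrators. */`, so that nobody later treats it as the access check.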
|
@ -338,19 +338,9 @@
|
||||
</template>
|
||||
|
||||
<script lang="ts">
|
||||
import { Component, Prop, Vue, Watch } from "vue-property-decorator";
|
||||
import { Component, Prop, Watch } from "vue-property-decorator";
|
||||
import EventCard from "@/components/Event/EventCard.vue";
|
||||
import { CURRENT_ACTOR_CLIENT, PERSON_MEMBERSHIPS } from "@/graphql/actor";
|
||||
import { FETCH_GROUP } from "@/graphql/group";
|
||||
import {
|
||||
IActor,
|
||||
IGroup,
|
||||
IPerson,
|
||||
usernameWithDomain,
|
||||
Group as GroupModel,
|
||||
MemberRole,
|
||||
IMember,
|
||||
} from "@/types/actor";
|
||||
import { IActor, usernameWithDomain, MemberRole, IMember } from "@/types/actor";
|
||||
import Subtitle from "@/components/Utils/Subtitle.vue";
|
||||
import CompactTodo from "@/components/Todo/CompactTodo.vue";
|
||||
import EventMinimalistCard from "@/components/Event/EventMinimalistCard.vue";
|
||||
@ -365,34 +355,14 @@ import { CONFIG } from "@/graphql/config";
|
||||
import { CREATE_REPORT } from "@/graphql/report";
|
||||
import { IReport } from "@/types/report.model";
|
||||
import { IConfig } from "@/types/config.model";
|
||||
import GroupMixin from "@/mixins/group";
|
||||
import { mixins } from "vue-class-component";
|
||||
import RouteName from "../../router/name";
|
||||
import GroupSection from "../../components/Group/GroupSection.vue";
|
||||
import ReportModal from "../../components/Report/ReportModal.vue";
|
||||
|
||||
@Component({
|
||||
apollo: {
|
||||
group: {
|
||||
query: FETCH_GROUP,
|
||||
fetchPolicy: "cache-and-network",
|
||||
variables() {
|
||||
return {
|
||||
name: this.preferredUsername,
|
||||
};
|
||||
},
|
||||
},
|
||||
person: {
|
||||
query: PERSON_MEMBERSHIPS,
|
||||
fetchPolicy: "cache-and-network",
|
||||
variables() {
|
||||
return {
|
||||
id: this.currentActor.id,
|
||||
};
|
||||
},
|
||||
skip() {
|
||||
return !this.currentActor || !this.currentActor.id;
|
||||
},
|
||||
},
|
||||
currentActor: CURRENT_ACTOR_CLIENT,
|
||||
config: CONFIG,
|
||||
},
|
||||
components: {
|
||||
@ -425,15 +395,9 @@ import ReportModal from "../../components/Report/ReportModal.vue";
|
||||
};
|
||||
},
|
||||
})
|
||||
export default class Group extends Vue {
|
||||
export default class Group extends mixins(GroupMixin) {
|
||||
@Prop({ type: String, required: true }) preferredUsername!: string;
|
||||
|
||||
currentActor!: IActor;
|
||||
|
||||
person!: IPerson;
|
||||
|
||||
group: IGroup = new GroupModel();
|
||||
|
||||
config!: IConfig;
|
||||
|
||||
loading = true;
|
||||
@ -550,15 +514,6 @@ export default class Group extends Vue {
|
||||
);
|
||||
}
|
||||
|
||||
get isCurrentActorAGroupAdmin(): boolean {
|
||||
return (
|
||||
this.person &&
|
||||
this.person.memberships.elements.some(
|
||||
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* New members, if on a different server,
|
||||
* can take a while to refresh the group and fetch all private data
|
||||
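Review bot: The `group` query this component now inherits from `GroupMixin` takes its `name` from `this.$route.params.preferredUsername`, whereas the removed block used the `preferredUsername` prop that is still declared `required: true` on the class. The two agree only while the route parameter carries exactly that name, so the component can no longer be driven by the prop alone. A short comment on the class, such as `// group, person and currentActor queries come from GroupMixin, which reads $route.params.preferredUsername`, would make the coupling visible. The class body continues outside these hunks.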
|
@ -31,7 +31,7 @@
|
||||
</li>
|
||||
</ul>
|
||||
</nav>
|
||||
<section class="container section" v-if="group">
|
||||
<section class="container section" v-if="group && isCurrentActorAGroupAdmin">
|
||||
<form @submit.prevent="inviteMember">
|
||||
<b-field :label="$t('Invite a new member')" custom-class="add-relay" horizontal>
|
||||
<b-field
|
||||
@ -171,42 +171,23 @@
|
||||
</template>
|
||||
</b-table>
|
||||
</section>
|
||||
<b-message v-else-if="group">
|
||||
{{ $t("You are not an administrator for this group.") }}
|
||||
</b-message>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script lang="ts">
|
||||
import { Component, Vue, Watch } from "vue-property-decorator";
|
||||
import { CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
|
||||
import { Component, Watch } from "vue-property-decorator";
|
||||
import GroupMixin from "@/mixins/group";
|
||||
import { mixins } from "vue-class-component";
|
||||
import RouteName from "../../router/name";
|
||||
import { INVITE_MEMBER, GROUP_MEMBERS, REMOVE_MEMBER, UPDATE_MEMBER } from "../../graphql/member";
|
||||
import { IGroup, IPerson, usernameWithDomain } from "../../types/actor";
|
||||
import { IGroup, usernameWithDomain } from "../../types/actor";
|
||||
import { IMember, MemberRole } from "../../types/actor/group.model";
|
||||
|
||||
@Component({
|
||||
apollo: {
|
||||
currentActor: CURRENT_ACTOR_CLIENT,
|
||||
group: {
|
||||
query: GROUP_MEMBERS,
|
||||
fetchPolicy: "network-only",
|
||||
variables() {
|
||||
return {
|
||||
name: this.$route.params.preferredUsername,
|
||||
page: 1,
|
||||
limit: this.MEMBERS_PER_PAGE,
|
||||
roles: this.roles,
|
||||
};
|
||||
},
|
||||
skip() {
|
||||
return !this.$route.params.preferredUsername;
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
export default class GroupMembers extends Vue {
|
||||
group!: IGroup;
|
||||
|
||||
currentActor!: IPerson;
|
||||
|
||||
@Component
|
||||
export default class GroupMembers extends mixins(GroupMixin) {
|
||||
loading = true;
|
||||
|
||||
newMemberUsername = "";
|
||||
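Review bot: Removing the component's own `apollo` block appears to drop the `GROUP_MEMBERS` query, so `group` is now filled by the mixin's `FETCH_GROUP` request and the `page`, `limit` and `roles` variables are no longer sent, although `GROUP_MEMBERS` is still imported. The fetch policy for the members list also changes from `"network-only"` to the mixin's `"cache-and-network"`, which can briefly show cached roles on a page used to change them. If the table relies on the paginated, role-filtered result, the component should keep its own `group` query and take only `person`, `currentActor` and the getter from `GroupMixin`. The rest of the script is outside the hunk, so a later refetch cannot be ruled out.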
|
@ -31,7 +31,7 @@
|
||||
</li>
|
||||
</ul>
|
||||
</nav>
|
||||
<section class="container section">
|
||||
<section class="container section" v-if="isCurrentActorAGroupAdmin">
|
||||
<form @submit.prevent="updateGroup">
|
||||
<b-field :label="$t('Group name')">
|
||||
<b-input v-model="group.name" />
|
||||
@ -114,44 +114,32 @@
|
||||
</div>
|
||||
</form>
|
||||
</section>
|
||||
<b-message>
|
||||
{{ $t("You are not an administrator for this group.") }}
|
||||
</b-message>
|
||||
</div>
|
||||
</template>
|
||||
|
||||
<script lang="ts">
|
||||
import { Component, Vue } from "vue-property-decorator";
|
||||
import { Component } from "vue-property-decorator";
|
||||
import FullAddressAutoComplete from "@/components/Event/FullAddressAutoComplete.vue";
|
||||
import { Route } from "vue-router";
|
||||
import PictureUpload from "@/components/PictureUpload.vue";
|
||||
import { mixins } from "vue-class-component";
|
||||
import GroupMixin from "@/mixins/group";
|
||||
import RouteName from "../../router/name";
|
||||
import { FETCH_GROUP, UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
|
||||
import { UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
|
||||
import { IGroup, usernameWithDomain } from "../../types/actor";
|
||||
import { Address, IAddress } from "../../types/address.model";
|
||||
import { Group } from "../../types/actor/group.model";
|
||||
|
||||
@Component({
|
||||
apollo: {
|
||||
group: {
|
||||
query: FETCH_GROUP,
|
||||
fetchPolicy: "cache-and-network",
|
||||
variables() {
|
||||
return {
|
||||
name: this.$route.params.preferredUsername,
|
||||
};
|
||||
},
|
||||
skip() {
|
||||
return !this.$route.params.preferredUsername;
|
||||
},
|
||||
},
|
||||
},
|
||||
components: {
|
||||
FullAddressAutoComplete,
|
||||
PictureUpload,
|
||||
editor: () => import("../../components/Editor.vue"),
|
||||
},
|
||||
})
|
||||
export default class GroupSettings extends Vue {
|
||||
group: IGroup = new Group();
|
||||
|
||||
export default class GroupSettings extends mixins(GroupMixin) {
|
||||
loading = true;
|
||||
|
||||
RouteName = RouteName;
|
||||
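Review bot: The `<b-message>` placed after the form section carries no condition, so "You are not an administrator for this group." is rendered for administrators as well, directly under the settings form. The members view in this commit uses `<b-message v-else-if="group">`; the matching form here, `<b-message v-else>`, ties the message to the `v-if="isCurrentActorAGroupAdmin"` on the section above it. Hiding the form is presentation only; the refusal that matters is the administrator check added to the `update_group` resolver.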
|
@ -23,8 +23,9 @@
|
||||
</aside>
|
||||
</template>
|
||||
<script lang="ts">
|
||||
import { Component, Vue } from "vue-property-decorator";
|
||||
import { IGroup } from "@/types/actor";
|
||||
import { Component } from "vue-property-decorator";
|
||||
import { mixins } from "vue-class-component";
|
||||
import GroupMixin from "@/mixins/group";
|
||||
import RouteName from "../../router/name";
|
||||
import SettingMenuSection from "../../components/Settings/SettingMenuSection.vue";
|
||||
import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
|
||||
@ -32,10 +33,8 @@ import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
|
||||
@Component({
|
||||
components: { SettingMenuSection, SettingMenuItem },
|
||||
})
|
||||
export default class Settings extends Vue {
|
||||
export default class Settings extends mixins(GroupMixin) {
|
||||
RouteName = RouteName;
|
||||
|
||||
group!: IGroup[];
|
||||
}
|
||||
</script>
|
||||
|
||||
|
@ -145,11 +145,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
|
||||
end
|
||||
|
||||
@doc """
|
||||
Create a new group. The creator is automatically added as admin
|
||||
Update a group. The creator is automatically added as admin
|
||||
"""
|
||||
def update_group(
|
||||
_parent,
|
||||
args,
|
||||
%{id: group_id} = args,
|
||||
%{
|
||||
context: %{
|
||||
current_user: %User{} = user
|
||||
@ -157,6 +157,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
|
||||
}
|
||||
) do
|
||||
with %Actor{} = updater_actor <- Users.get_actor_for_user(user),
|
||||
{:administrator, true} <-
|
||||
{:administrator, Actors.is_administrator?(updater_actor.id, group_id)},
|
||||
args <- Map.put(args, :updater_actor, updater_actor),
|
||||
args <- save_attached_pictures(args),
|
||||
{:ok, _activity, %Actor{type: :Group} = group} <-
|
||||
@ -166,8 +168,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
|
||||
{:error, err} when is_binary(err) ->
|
||||
{:error, err}
|
||||
|
||||
{:is_owned, nil} ->
|
||||
{:error, dgettext("errors", "Creator profile is not owned by the current user")}
|
||||
{:administrator, false} ->
|
||||
{:error, dgettext("errors", "Profile is not administrator for the group")}
|
||||
end
|
||||
end
|
||||
|
||||
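Review bot: The `@doc` for `update_group/3` still ends with "The creator is automatically added as admin", which is carried over from group creation and says nothing about the check the function now performs; `Update a group. The current user's actor must be an administrator of the group.` would document the rule. In the visible `else` clauses only `{:error, err}` and `{:administrator, false}` are handled, so a `nil` from `Users.get_actor_for_user/1` would presumably raise a `WithClauseError` instead of returning an error tuple, unless a clause outside the hunk covers it. The function's `with` body and the start of its `else` block lie between the hunks.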
|
@ -704,6 +704,22 @@ defmodule Mobilizon.Actors do
|
||||
)
|
||||
end
|
||||
|
||||
@spec is_moderator?(integer | String.t(), integer | String.t()) :: boolean()
|
||||
def is_moderator?(actor_id, parent_id) do
|
||||
match?(
|
||||
{:ok, %Member{}},
|
||||
get_member(actor_id, parent_id, @moderator_roles)
|
||||
)
|
||||
end
|
||||
|
||||
@spec is_administrator?(integer | String.t(), integer | String.t()) :: boolean()
|
||||
def is_administrator?(actor_id, parent_id) do
|
||||
match?(
|
||||
{:ok, %Member{}},
|
||||
get_member(actor_id, parent_id, @administrator_roles)
|
||||
)
|
||||
end
|
||||
|
||||
@doc """
|
||||
Gets a single member of an actor (for example a group).
|
||||
"""
|
||||
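Review bot: `is_moderator?/2` and `is_administrator?/2` get a `@spec` but no `@doc`, and which roles each accepts is decided by `@moderator_roles` and `@administrator_roles`, both defined outside the hunk. Since `is_administrator?/2` now gates `update_group`, a line such as `@doc "Returns true when the actor holds one of @administrator_roles in the given group."` would let a reader audit the rule without hunting for the attribute. Elixir convention also keeps the `is_` prefix for guard-safe macros, so `administrator?/2` and `moderator?/2` would be the usual names unless the module already uses the `is_…?` form elsewhere.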
|
@ -239,6 +239,111 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
|
||||
end
|
||||
end
|
||||
|
||||
describe "update a group" do
|
||||
@update_group_mutation """
|
||||
mutation UpdateGroup(
|
||||
$id: ID!
|
||||
$name: String
|
||||
$summary: String
|
||||
$avatar: PictureInput
|
||||
$banner: PictureInput
|
||||
$visibility: GroupVisibility
|
||||
$physicalAddress: AddressInput
|
||||
) {
|
||||
updateGroup(
|
||||
id: $id
|
||||
name: $name
|
||||
summary: $summary
|
||||
banner: $banner
|
||||
avatar: $avatar
|
||||
visibility: $visibility
|
||||
physicalAddress: $physicalAddress
|
||||
) {
|
||||
id
|
||||
preferredUsername
|
||||
name
|
||||
summary
|
||||
visibility
|
||||
avatar {
|
||||
url
|
||||
}
|
||||
banner {
|
||||
url
|
||||
}
|
||||
}
|
||||
}
|
||||
"""
|
||||
@new_group_name "new name for group"
|
||||
|
||||
test "update_group/3 updates a group", %{conn: conn, user: user, actor: actor} do
|
||||
group = insert(:group)
|
||||
insert(:member, parent: group, actor: actor, role: :administrator)
|
||||
|
||||
res =
|
||||
conn
|
||||
|> auth_conn(user)
|
||||
|> AbsintheHelpers.graphql_query(
|
||||
query: @update_group_mutation,
|
||||
variables: %{
|
||||
id: group.id,
|
||||
name: @new_group_name,
|
||||
visibility: "UNLISTED"
|
||||
}
|
||||
)
|
||||
|
||||
assert is_nil(res["errors"])
|
||||
assert res["data"]["updateGroup"]["name"] == @new_group_name
|
||||
assert res["data"]["updateGroup"]["visibility"] == "UNLISTED"
|
||||
end
|
||||
|
||||
test "update_group/3 requires to be logged-in to update a group", %{conn: conn} do
|
||||
group = insert(:group)
|
||||
|
||||
res =
|
||||
conn
|
||||
|> AbsintheHelpers.graphql_query(
|
||||
query: @update_group_mutation,
|
||||
variables: %{id: group.id, name: @new_group_name}
|
||||
)
|
||||
|
||||
assert hd(res["errors"])["message"] == "You need to be logged-in to update a group"
|
||||
end
|
||||
|
||||
test "update_group/3 requires to be an admin of the group to update a group", %{
|
||||
conn: conn,
|
||||
actor: actor
|
||||
} do
|
||||
group = insert(:group)
|
||||
insert(:member, parent: group, actor: actor, role: :administrator)
|
||||
user = insert(:user)
|
||||
actor2 = insert(:actor, user: user)
|
||||
|
||||
# Actor not member
|
||||
res =
|
||||
conn
|
||||
|> auth_conn(user)
|
||||
|> AbsintheHelpers.graphql_query(
|
||||
query: @update_group_mutation,
|
||||
variables: %{id: group.id, name: @new_group_name}
|
||||
)
|
||||
|
||||
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
|
||||
|
||||
# Actor member but not admin
|
||||
insert(:member, parent: group, actor: actor2, role: :moderator)
|
||||
|
||||
res =
|
||||
conn
|
||||
|> auth_conn(user)
|
||||
|> AbsintheHelpers.graphql_query(
|
||||
query: @update_group_mutation,
|
||||
variables: %{id: group.id, name: @new_group_name}
|
||||
)
|
||||
|
||||
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
|
||||
end
|
||||
end
|
||||
|
||||
describe "delete a group" do
|
||||
@delete_group_mutation """
|
||||
mutation DeleteGroup($groupId: ID!) {
|
||||
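Review bot: The two refusal cases in "requires to be an admin of the group to update a group" assert only the error message, so they would still pass if the resolver reported the error after the update had already been written. Each case should also check that nothing changed, for instance `assert is_nil(res["data"]["updateGroup"])` followed by re-reading the group and asserting its name is still the inserted one. The same applies to the logged-out test above them.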
|