Fix profiles not administrators able to edit a group
Related to #385 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
parent
2adf688092
commit
3e89a72d74
49
js/src/mixins/group.ts
Normal file
49
js/src/mixins/group.ts
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
import { PERSON_MEMBERSHIPS, CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
|
||||||
|
import { FETCH_GROUP } from "@/graphql/group";
|
||||||
|
import { Group, IActor, IGroup, IPerson, MemberRole } from "@/types/actor";
|
||||||
|
import { Component, Vue } from "vue-property-decorator";
|
||||||
|
|
||||||
|
@Component({
|
||||||
|
apollo: {
|
||||||
|
group: {
|
||||||
|
query: FETCH_GROUP,
|
||||||
|
fetchPolicy: "cache-and-network",
|
||||||
|
variables() {
|
||||||
|
return {
|
||||||
|
name: this.$route.params.preferredUsername,
|
||||||
|
};
|
||||||
|
},
|
||||||
|
skip() {
|
||||||
|
return !this.$route.params.preferredUsername;
|
||||||
|
},
|
||||||
|
},
|
||||||
|
person: {
|
||||||
|
query: PERSON_MEMBERSHIPS,
|
||||||
|
fetchPolicy: "cache-and-network",
|
||||||
|
variables() {
|
||||||
|
return {
|
||||||
|
id: this.currentActor.id,
|
||||||
|
};
|
||||||
|
},
|
||||||
|
skip() {
|
||||||
|
return !this.currentActor || !this.currentActor.id;
|
||||||
|
},
|
||||||
|
},
|
||||||
|
currentActor: CURRENT_ACTOR_CLIENT,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
export default class GroupMixin extends Vue {
|
||||||
|
group: IGroup = new Group();
|
||||||
|
currentActor!: IActor;
|
||||||
|
|
||||||
|
person!: IPerson;
|
||||||
|
|
||||||
|
get isCurrentActorAGroupAdmin(): boolean {
|
||||||
|
return (
|
||||||
|
this.person &&
|
||||||
|
this.person.memberships.elements.some(
|
||||||
|
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
@ -338,19 +338,9 @@
|
|||||||
</template>
|
</template>
|
||||||
|
|
||||||
<script lang="ts">
|
<script lang="ts">
|
||||||
import { Component, Prop, Vue, Watch } from "vue-property-decorator";
|
import { Component, Prop, Watch } from "vue-property-decorator";
|
||||||
import EventCard from "@/components/Event/EventCard.vue";
|
import EventCard from "@/components/Event/EventCard.vue";
|
||||||
import { CURRENT_ACTOR_CLIENT, PERSON_MEMBERSHIPS } from "@/graphql/actor";
|
import { IActor, usernameWithDomain, MemberRole, IMember } from "@/types/actor";
|
||||||
import { FETCH_GROUP } from "@/graphql/group";
|
|
||||||
import {
|
|
||||||
IActor,
|
|
||||||
IGroup,
|
|
||||||
IPerson,
|
|
||||||
usernameWithDomain,
|
|
||||||
Group as GroupModel,
|
|
||||||
MemberRole,
|
|
||||||
IMember,
|
|
||||||
} from "@/types/actor";
|
|
||||||
import Subtitle from "@/components/Utils/Subtitle.vue";
|
import Subtitle from "@/components/Utils/Subtitle.vue";
|
||||||
import CompactTodo from "@/components/Todo/CompactTodo.vue";
|
import CompactTodo from "@/components/Todo/CompactTodo.vue";
|
||||||
import EventMinimalistCard from "@/components/Event/EventMinimalistCard.vue";
|
import EventMinimalistCard from "@/components/Event/EventMinimalistCard.vue";
|
||||||
@ -365,34 +355,14 @@ import { CONFIG } from "@/graphql/config";
|
|||||||
import { CREATE_REPORT } from "@/graphql/report";
|
import { CREATE_REPORT } from "@/graphql/report";
|
||||||
import { IReport } from "@/types/report.model";
|
import { IReport } from "@/types/report.model";
|
||||||
import { IConfig } from "@/types/config.model";
|
import { IConfig } from "@/types/config.model";
|
||||||
|
import GroupMixin from "@/mixins/group";
|
||||||
|
import { mixins } from "vue-class-component";
|
||||||
import RouteName from "../../router/name";
|
import RouteName from "../../router/name";
|
||||||
import GroupSection from "../../components/Group/GroupSection.vue";
|
import GroupSection from "../../components/Group/GroupSection.vue";
|
||||||
import ReportModal from "../../components/Report/ReportModal.vue";
|
import ReportModal from "../../components/Report/ReportModal.vue";
|
||||||
|
|
||||||
@Component({
|
@Component({
|
||||||
apollo: {
|
apollo: {
|
||||||
group: {
|
|
||||||
query: FETCH_GROUP,
|
|
||||||
fetchPolicy: "cache-and-network",
|
|
||||||
variables() {
|
|
||||||
return {
|
|
||||||
name: this.preferredUsername,
|
|
||||||
};
|
|
||||||
},
|
|
||||||
},
|
|
||||||
person: {
|
|
||||||
query: PERSON_MEMBERSHIPS,
|
|
||||||
fetchPolicy: "cache-and-network",
|
|
||||||
variables() {
|
|
||||||
return {
|
|
||||||
id: this.currentActor.id,
|
|
||||||
};
|
|
||||||
},
|
|
||||||
skip() {
|
|
||||||
return !this.currentActor || !this.currentActor.id;
|
|
||||||
},
|
|
||||||
},
|
|
||||||
currentActor: CURRENT_ACTOR_CLIENT,
|
|
||||||
config: CONFIG,
|
config: CONFIG,
|
||||||
},
|
},
|
||||||
components: {
|
components: {
|
||||||
@ -425,15 +395,9 @@ import ReportModal from "../../components/Report/ReportModal.vue";
|
|||||||
};
|
};
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
export default class Group extends Vue {
|
export default class Group extends mixins(GroupMixin) {
|
||||||
@Prop({ type: String, required: true }) preferredUsername!: string;
|
@Prop({ type: String, required: true }) preferredUsername!: string;
|
||||||
|
|
||||||
currentActor!: IActor;
|
|
||||||
|
|
||||||
person!: IPerson;
|
|
||||||
|
|
||||||
group: IGroup = new GroupModel();
|
|
||||||
|
|
||||||
config!: IConfig;
|
config!: IConfig;
|
||||||
|
|
||||||
loading = true;
|
loading = true;
|
||||||
@ -550,15 +514,6 @@ export default class Group extends Vue {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
get isCurrentActorAGroupAdmin(): boolean {
|
|
||||||
return (
|
|
||||||
this.person &&
|
|
||||||
this.person.memberships.elements.some(
|
|
||||||
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* New members, if on a different server,
|
* New members, if on a different server,
|
||||||
* can take a while to refresh the group and fetch all private data
|
* can take a while to refresh the group and fetch all private data
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</nav>
|
</nav>
|
||||||
<section class="container section" v-if="group">
|
<section class="container section" v-if="group && isCurrentActorAGroupAdmin">
|
||||||
<form @submit.prevent="inviteMember">
|
<form @submit.prevent="inviteMember">
|
||||||
<b-field :label="$t('Invite a new member')" custom-class="add-relay" horizontal>
|
<b-field :label="$t('Invite a new member')" custom-class="add-relay" horizontal>
|
||||||
<b-field
|
<b-field
|
||||||
@ -171,42 +171,23 @@
|
|||||||
</template>
|
</template>
|
||||||
</b-table>
|
</b-table>
|
||||||
</section>
|
</section>
|
||||||
|
<b-message v-else-if="group">
|
||||||
|
{{ $t("You are not an administrator for this group.") }}
|
||||||
|
</b-message>
|
||||||
</div>
|
</div>
|
||||||
</template>
|
</template>
|
||||||
|
|
||||||
<script lang="ts">
|
<script lang="ts">
|
||||||
import { Component, Vue, Watch } from "vue-property-decorator";
|
import { Component, Watch } from "vue-property-decorator";
|
||||||
import { CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
|
import GroupMixin from "@/mixins/group";
|
||||||
|
import { mixins } from "vue-class-component";
|
||||||
import RouteName from "../../router/name";
|
import RouteName from "../../router/name";
|
||||||
import { INVITE_MEMBER, GROUP_MEMBERS, REMOVE_MEMBER, UPDATE_MEMBER } from "../../graphql/member";
|
import { INVITE_MEMBER, GROUP_MEMBERS, REMOVE_MEMBER, UPDATE_MEMBER } from "../../graphql/member";
|
||||||
import { IGroup, IPerson, usernameWithDomain } from "../../types/actor";
|
import { IGroup, usernameWithDomain } from "../../types/actor";
|
||||||
import { IMember, MemberRole } from "../../types/actor/group.model";
|
import { IMember, MemberRole } from "../../types/actor/group.model";
|
||||||
|
|
||||||
@Component({
|
@Component
|
||||||
apollo: {
|
export default class GroupMembers extends mixins(GroupMixin) {
|
||||||
currentActor: CURRENT_ACTOR_CLIENT,
|
|
||||||
group: {
|
|
||||||
query: GROUP_MEMBERS,
|
|
||||||
fetchPolicy: "network-only",
|
|
||||||
variables() {
|
|
||||||
return {
|
|
||||||
name: this.$route.params.preferredUsername,
|
|
||||||
page: 1,
|
|
||||||
limit: this.MEMBERS_PER_PAGE,
|
|
||||||
roles: this.roles,
|
|
||||||
};
|
|
||||||
},
|
|
||||||
skip() {
|
|
||||||
return !this.$route.params.preferredUsername;
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
})
|
|
||||||
export default class GroupMembers extends Vue {
|
|
||||||
group!: IGroup;
|
|
||||||
|
|
||||||
currentActor!: IPerson;
|
|
||||||
|
|
||||||
loading = true;
|
loading = true;
|
||||||
|
|
||||||
newMemberUsername = "";
|
newMemberUsername = "";
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</nav>
|
</nav>
|
||||||
<section class="container section">
|
<section class="container section" v-if="isCurrentActorAGroupAdmin">
|
||||||
<form @submit.prevent="updateGroup">
|
<form @submit.prevent="updateGroup">
|
||||||
<b-field :label="$t('Group name')">
|
<b-field :label="$t('Group name')">
|
||||||
<b-input v-model="group.name" />
|
<b-input v-model="group.name" />
|
||||||
@ -114,44 +114,32 @@
|
|||||||
</div>
|
</div>
|
||||||
</form>
|
</form>
|
||||||
</section>
|
</section>
|
||||||
|
<b-message>
|
||||||
|
{{ $t("You are not an administrator for this group.") }}
|
||||||
|
</b-message>
|
||||||
</div>
|
</div>
|
||||||
</template>
|
</template>
|
||||||
|
|
||||||
<script lang="ts">
|
<script lang="ts">
|
||||||
import { Component, Vue } from "vue-property-decorator";
|
import { Component } from "vue-property-decorator";
|
||||||
import FullAddressAutoComplete from "@/components/Event/FullAddressAutoComplete.vue";
|
import FullAddressAutoComplete from "@/components/Event/FullAddressAutoComplete.vue";
|
||||||
import { Route } from "vue-router";
|
import { Route } from "vue-router";
|
||||||
import PictureUpload from "@/components/PictureUpload.vue";
|
import PictureUpload from "@/components/PictureUpload.vue";
|
||||||
|
import { mixins } from "vue-class-component";
|
||||||
|
import GroupMixin from "@/mixins/group";
|
||||||
import RouteName from "../../router/name";
|
import RouteName from "../../router/name";
|
||||||
import { FETCH_GROUP, UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
|
import { UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
|
||||||
import { IGroup, usernameWithDomain } from "../../types/actor";
|
import { IGroup, usernameWithDomain } from "../../types/actor";
|
||||||
import { Address, IAddress } from "../../types/address.model";
|
import { Address, IAddress } from "../../types/address.model";
|
||||||
import { Group } from "../../types/actor/group.model";
|
|
||||||
|
|
||||||
@Component({
|
@Component({
|
||||||
apollo: {
|
|
||||||
group: {
|
|
||||||
query: FETCH_GROUP,
|
|
||||||
fetchPolicy: "cache-and-network",
|
|
||||||
variables() {
|
|
||||||
return {
|
|
||||||
name: this.$route.params.preferredUsername,
|
|
||||||
};
|
|
||||||
},
|
|
||||||
skip() {
|
|
||||||
return !this.$route.params.preferredUsername;
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
components: {
|
components: {
|
||||||
FullAddressAutoComplete,
|
FullAddressAutoComplete,
|
||||||
PictureUpload,
|
PictureUpload,
|
||||||
editor: () => import("../../components/Editor.vue"),
|
editor: () => import("../../components/Editor.vue"),
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
export default class GroupSettings extends Vue {
|
export default class GroupSettings extends mixins(GroupMixin) {
|
||||||
group: IGroup = new Group();
|
|
||||||
|
|
||||||
loading = true;
|
loading = true;
|
||||||
|
|
||||||
RouteName = RouteName;
|
RouteName = RouteName;
|
||||||
|
@ -23,8 +23,9 @@
|
|||||||
</aside>
|
</aside>
|
||||||
</template>
|
</template>
|
||||||
<script lang="ts">
|
<script lang="ts">
|
||||||
import { Component, Vue } from "vue-property-decorator";
|
import { Component } from "vue-property-decorator";
|
||||||
import { IGroup } from "@/types/actor";
|
import { mixins } from "vue-class-component";
|
||||||
|
import GroupMixin from "@/mixins/group";
|
||||||
import RouteName from "../../router/name";
|
import RouteName from "../../router/name";
|
||||||
import SettingMenuSection from "../../components/Settings/SettingMenuSection.vue";
|
import SettingMenuSection from "../../components/Settings/SettingMenuSection.vue";
|
||||||
import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
|
import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
|
||||||
@ -32,10 +33,8 @@ import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
|
|||||||
@Component({
|
@Component({
|
||||||
components: { SettingMenuSection, SettingMenuItem },
|
components: { SettingMenuSection, SettingMenuItem },
|
||||||
})
|
})
|
||||||
export default class Settings extends Vue {
|
export default class Settings extends mixins(GroupMixin) {
|
||||||
RouteName = RouteName;
|
RouteName = RouteName;
|
||||||
|
|
||||||
group!: IGroup[];
|
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
@ -145,11 +145,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
|
|||||||
end
|
end
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
Create a new group. The creator is automatically added as admin
|
Update a group. The creator is automatically added as admin
|
||||||
"""
|
"""
|
||||||
def update_group(
|
def update_group(
|
||||||
_parent,
|
_parent,
|
||||||
args,
|
%{id: group_id} = args,
|
||||||
%{
|
%{
|
||||||
context: %{
|
context: %{
|
||||||
current_user: %User{} = user
|
current_user: %User{} = user
|
||||||
@ -157,6 +157,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
|
|||||||
}
|
}
|
||||||
) do
|
) do
|
||||||
with %Actor{} = updater_actor <- Users.get_actor_for_user(user),
|
with %Actor{} = updater_actor <- Users.get_actor_for_user(user),
|
||||||
|
{:administrator, true} <-
|
||||||
|
{:administrator, Actors.is_administrator?(updater_actor.id, group_id)},
|
||||||
args <- Map.put(args, :updater_actor, updater_actor),
|
args <- Map.put(args, :updater_actor, updater_actor),
|
||||||
args <- save_attached_pictures(args),
|
args <- save_attached_pictures(args),
|
||||||
{:ok, _activity, %Actor{type: :Group} = group} <-
|
{:ok, _activity, %Actor{type: :Group} = group} <-
|
||||||
@ -166,8 +168,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
|
|||||||
{:error, err} when is_binary(err) ->
|
{:error, err} when is_binary(err) ->
|
||||||
{:error, err}
|
{:error, err}
|
||||||
|
|
||||||
{:is_owned, nil} ->
|
{:administrator, false} ->
|
||||||
{:error, dgettext("errors", "Creator profile is not owned by the current user")}
|
{:error, dgettext("errors", "Profile is not administrator for the group")}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -704,6 +704,22 @@ defmodule Mobilizon.Actors do
|
|||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@spec is_moderator?(integer | String.t(), integer | String.t()) :: boolean()
|
||||||
|
def is_moderator?(actor_id, parent_id) do
|
||||||
|
match?(
|
||||||
|
{:ok, %Member{}},
|
||||||
|
get_member(actor_id, parent_id, @moderator_roles)
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
@spec is_administrator?(integer | String.t(), integer | String.t()) :: boolean()
|
||||||
|
def is_administrator?(actor_id, parent_id) do
|
||||||
|
match?(
|
||||||
|
{:ok, %Member{}},
|
||||||
|
get_member(actor_id, parent_id, @administrator_roles)
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
Gets a single member of an actor (for example a group).
|
Gets a single member of an actor (for example a group).
|
||||||
"""
|
"""
|
||||||
|
@ -239,6 +239,111 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "update a group" do
|
||||||
|
@update_group_mutation """
|
||||||
|
mutation UpdateGroup(
|
||||||
|
$id: ID!
|
||||||
|
$name: String
|
||||||
|
$summary: String
|
||||||
|
$avatar: PictureInput
|
||||||
|
$banner: PictureInput
|
||||||
|
$visibility: GroupVisibility
|
||||||
|
$physicalAddress: AddressInput
|
||||||
|
) {
|
||||||
|
updateGroup(
|
||||||
|
id: $id
|
||||||
|
name: $name
|
||||||
|
summary: $summary
|
||||||
|
banner: $banner
|
||||||
|
avatar: $avatar
|
||||||
|
visibility: $visibility
|
||||||
|
physicalAddress: $physicalAddress
|
||||||
|
) {
|
||||||
|
id
|
||||||
|
preferredUsername
|
||||||
|
name
|
||||||
|
summary
|
||||||
|
visibility
|
||||||
|
avatar {
|
||||||
|
url
|
||||||
|
}
|
||||||
|
banner {
|
||||||
|
url
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
@new_group_name "new name for group"
|
||||||
|
|
||||||
|
test "update_group/3 updates a group", %{conn: conn, user: user, actor: actor} do
|
||||||
|
group = insert(:group)
|
||||||
|
insert(:member, parent: group, actor: actor, role: :administrator)
|
||||||
|
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> auth_conn(user)
|
||||||
|
|> AbsintheHelpers.graphql_query(
|
||||||
|
query: @update_group_mutation,
|
||||||
|
variables: %{
|
||||||
|
id: group.id,
|
||||||
|
name: @new_group_name,
|
||||||
|
visibility: "UNLISTED"
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert is_nil(res["errors"])
|
||||||
|
assert res["data"]["updateGroup"]["name"] == @new_group_name
|
||||||
|
assert res["data"]["updateGroup"]["visibility"] == "UNLISTED"
|
||||||
|
end
|
||||||
|
|
||||||
|
test "update_group/3 requires to be logged-in to update a group", %{conn: conn} do
|
||||||
|
group = insert(:group)
|
||||||
|
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> AbsintheHelpers.graphql_query(
|
||||||
|
query: @update_group_mutation,
|
||||||
|
variables: %{id: group.id, name: @new_group_name}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert hd(res["errors"])["message"] == "You need to be logged-in to update a group"
|
||||||
|
end
|
||||||
|
|
||||||
|
test "update_group/3 requires to be an admin of the group to update a group", %{
|
||||||
|
conn: conn,
|
||||||
|
actor: actor
|
||||||
|
} do
|
||||||
|
group = insert(:group)
|
||||||
|
insert(:member, parent: group, actor: actor, role: :administrator)
|
||||||
|
user = insert(:user)
|
||||||
|
actor2 = insert(:actor, user: user)
|
||||||
|
|
||||||
|
# Actor not member
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> auth_conn(user)
|
||||||
|
|> AbsintheHelpers.graphql_query(
|
||||||
|
query: @update_group_mutation,
|
||||||
|
variables: %{id: group.id, name: @new_group_name}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
|
||||||
|
|
||||||
|
# Actor member but not admin
|
||||||
|
insert(:member, parent: group, actor: actor2, role: :moderator)
|
||||||
|
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> auth_conn(user)
|
||||||
|
|> AbsintheHelpers.graphql_query(
|
||||||
|
query: @update_group_mutation,
|
||||||
|
variables: %{id: group.id, name: @new_group_name}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "delete a group" do
|
describe "delete a group" do
|
||||||
@delete_group_mutation """
|
@delete_group_mutation """
|
||||||
mutation DeleteGroup($groupId: ID!) {
|
mutation DeleteGroup($groupId: ID!) {
|
||||||
|
Loading…
Reference in New Issue
Block a user