Fix profiles not administrators able to edit a group

Related to #385

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2020-10-09 15:26:37 +02:00
parent f338867345
commit 9430f1145f
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
8 changed files with 204 additions and 109 deletions

49
js/src/mixins/group.ts Normal file
View file

@ -0,0 +1,49 @@
import { PERSON_MEMBERSHIPS, CURRENT_ACTOR_CLIENT } from "@/graphql/actor";
import { FETCH_GROUP } from "@/graphql/group";
import { Group, IActor, IGroup, IPerson, MemberRole } from "@/types/actor";
import { Component, Vue } from "vue-property-decorator";
@Component({
apollo: {
group: {
query: FETCH_GROUP,
fetchPolicy: "cache-and-network",
variables() {
return {
name: this.$route.params.preferredUsername,
};
},
skip() {
return !this.$route.params.preferredUsername;
},
},
person: {
query: PERSON_MEMBERSHIPS,
fetchPolicy: "cache-and-network",
variables() {
return {
id: this.currentActor.id,
};
},
skip() {
return !this.currentActor || !this.currentActor.id;
},
},
currentActor: CURRENT_ACTOR_CLIENT,
},
})
export default class GroupMixin extends Vue {
group: IGroup = new Group();
currentActor!: IActor;
person!: IPerson;
get isCurrentActorAGroupAdmin(): boolean {
return (
this.person &&
this.person.memberships.elements.some(
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
)
);
}
}

View file

@ -338,19 +338,9 @@
</template> </template>
<script lang="ts"> <script lang="ts">
import { Component, Prop, Vue, Watch } from "vue-property-decorator"; import { Component, Prop, Watch } from "vue-property-decorator";
import EventCard from "@/components/Event/EventCard.vue"; import EventCard from "@/components/Event/EventCard.vue";
import { CURRENT_ACTOR_CLIENT, PERSON_MEMBERSHIPS } from "@/graphql/actor"; import { IActor, usernameWithDomain, MemberRole, IMember } from "@/types/actor";
import { FETCH_GROUP } from "@/graphql/group";
import {
IActor,
IGroup,
IPerson,
usernameWithDomain,
Group as GroupModel,
MemberRole,
IMember,
} from "@/types/actor";
import Subtitle from "@/components/Utils/Subtitle.vue"; import Subtitle from "@/components/Utils/Subtitle.vue";
import CompactTodo from "@/components/Todo/CompactTodo.vue"; import CompactTodo from "@/components/Todo/CompactTodo.vue";
import EventMinimalistCard from "@/components/Event/EventMinimalistCard.vue"; import EventMinimalistCard from "@/components/Event/EventMinimalistCard.vue";
@ -365,34 +355,14 @@ import { CONFIG } from "@/graphql/config";
import { CREATE_REPORT } from "@/graphql/report"; import { CREATE_REPORT } from "@/graphql/report";
import { IReport } from "@/types/report.model"; import { IReport } from "@/types/report.model";
import { IConfig } from "@/types/config.model"; import { IConfig } from "@/types/config.model";
import GroupMixin from "@/mixins/group";
import { mixins } from "vue-class-component";
import RouteName from "../../router/name"; import RouteName from "../../router/name";
import GroupSection from "../../components/Group/GroupSection.vue"; import GroupSection from "../../components/Group/GroupSection.vue";
import ReportModal from "../../components/Report/ReportModal.vue"; import ReportModal from "../../components/Report/ReportModal.vue";
@Component({ @Component({
apollo: { apollo: {
group: {
query: FETCH_GROUP,
fetchPolicy: "cache-and-network",
variables() {
return {
name: this.preferredUsername,
};
},
},
person: {
query: PERSON_MEMBERSHIPS,
fetchPolicy: "cache-and-network",
variables() {
return {
id: this.currentActor.id,
};
},
skip() {
return !this.currentActor || !this.currentActor.id;
},
},
currentActor: CURRENT_ACTOR_CLIENT,
config: CONFIG, config: CONFIG,
}, },
components: { components: {
@ -425,15 +395,9 @@ import ReportModal from "../../components/Report/ReportModal.vue";
}; };
}, },
}) })
export default class Group extends Vue { export default class Group extends mixins(GroupMixin) {
@Prop({ type: String, required: true }) preferredUsername!: string; @Prop({ type: String, required: true }) preferredUsername!: string;
currentActor!: IActor;
person!: IPerson;
group: IGroup = new GroupModel();
config!: IConfig; config!: IConfig;
loading = true; loading = true;
@ -550,15 +514,6 @@ export default class Group extends Vue {
); );
} }
get isCurrentActorAGroupAdmin(): boolean {
return (
this.person &&
this.person.memberships.elements.some(
({ parent: { id }, role }) => id === this.group.id && role === MemberRole.ADMINISTRATOR
)
);
}
/** /**
* New members, if on a different server, * New members, if on a different server,
* can take a while to refresh the group and fetch all private data * can take a while to refresh the group and fetch all private data

View file

@ -31,7 +31,7 @@
</li> </li>
</ul> </ul>
</nav> </nav>
<section class="container section" v-if="group"> <section class="container section" v-if="group && isCurrentActorAGroupAdmin">
<form @submit.prevent="inviteMember"> <form @submit.prevent="inviteMember">
<b-field :label="$t('Invite a new member')" custom-class="add-relay" horizontal> <b-field :label="$t('Invite a new member')" custom-class="add-relay" horizontal>
<b-field <b-field
@ -171,42 +171,23 @@
</template> </template>
</b-table> </b-table>
</section> </section>
<b-message v-else-if="group">
{{ $t("You are not an administrator for this group.") }}
</b-message>
</div> </div>
</template> </template>
<script lang="ts"> <script lang="ts">
import { Component, Vue, Watch } from "vue-property-decorator"; import { Component, Watch } from "vue-property-decorator";
import { CURRENT_ACTOR_CLIENT } from "@/graphql/actor"; import GroupMixin from "@/mixins/group";
import { mixins } from "vue-class-component";
import RouteName from "../../router/name"; import RouteName from "../../router/name";
import { INVITE_MEMBER, GROUP_MEMBERS, REMOVE_MEMBER, UPDATE_MEMBER } from "../../graphql/member"; import { INVITE_MEMBER, GROUP_MEMBERS, REMOVE_MEMBER, UPDATE_MEMBER } from "../../graphql/member";
import { IGroup, IPerson, usernameWithDomain } from "../../types/actor"; import { IGroup, usernameWithDomain } from "../../types/actor";
import { IMember, MemberRole } from "../../types/actor/group.model"; import { IMember, MemberRole } from "../../types/actor/group.model";
@Component({ @Component
apollo: { export default class GroupMembers extends mixins(GroupMixin) {
currentActor: CURRENT_ACTOR_CLIENT,
group: {
query: GROUP_MEMBERS,
fetchPolicy: "network-only",
variables() {
return {
name: this.$route.params.preferredUsername,
page: 1,
limit: this.MEMBERS_PER_PAGE,
roles: this.roles,
};
},
skip() {
return !this.$route.params.preferredUsername;
},
},
},
})
export default class GroupMembers extends Vue {
group!: IGroup;
currentActor!: IPerson;
loading = true; loading = true;
newMemberUsername = ""; newMemberUsername = "";

View file

@ -31,7 +31,7 @@
</li> </li>
</ul> </ul>
</nav> </nav>
<section class="container section"> <section class="container section" v-if="isCurrentActorAGroupAdmin">
<form @submit.prevent="updateGroup"> <form @submit.prevent="updateGroup">
<b-field :label="$t('Group name')"> <b-field :label="$t('Group name')">
<b-input v-model="group.name" /> <b-input v-model="group.name" />
@ -114,44 +114,32 @@
</div> </div>
</form> </form>
</section> </section>
<b-message>
{{ $t("You are not an administrator for this group.") }}
</b-message>
</div> </div>
</template> </template>
<script lang="ts"> <script lang="ts">
import { Component, Vue } from "vue-property-decorator"; import { Component } from "vue-property-decorator";
import FullAddressAutoComplete from "@/components/Event/FullAddressAutoComplete.vue"; import FullAddressAutoComplete from "@/components/Event/FullAddressAutoComplete.vue";
import { Route } from "vue-router"; import { Route } from "vue-router";
import PictureUpload from "@/components/PictureUpload.vue"; import PictureUpload from "@/components/PictureUpload.vue";
import { mixins } from "vue-class-component";
import GroupMixin from "@/mixins/group";
import RouteName from "../../router/name"; import RouteName from "../../router/name";
import { FETCH_GROUP, UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group"; import { UPDATE_GROUP, DELETE_GROUP } from "../../graphql/group";
import { IGroup, usernameWithDomain } from "../../types/actor"; import { IGroup, usernameWithDomain } from "../../types/actor";
import { Address, IAddress } from "../../types/address.model"; import { Address, IAddress } from "../../types/address.model";
import { Group } from "../../types/actor/group.model";
@Component({ @Component({
apollo: {
group: {
query: FETCH_GROUP,
fetchPolicy: "cache-and-network",
variables() {
return {
name: this.$route.params.preferredUsername,
};
},
skip() {
return !this.$route.params.preferredUsername;
},
},
},
components: { components: {
FullAddressAutoComplete, FullAddressAutoComplete,
PictureUpload, PictureUpload,
editor: () => import("../../components/Editor.vue"), editor: () => import("../../components/Editor.vue"),
}, },
}) })
export default class GroupSettings extends Vue { export default class GroupSettings extends mixins(GroupMixin) {
group: IGroup = new Group();
loading = true; loading = true;
RouteName = RouteName; RouteName = RouteName;

View file

@ -23,8 +23,9 @@
</aside> </aside>
</template> </template>
<script lang="ts"> <script lang="ts">
import { Component, Vue } from "vue-property-decorator"; import { Component } from "vue-property-decorator";
import { IGroup } from "@/types/actor"; import { mixins } from "vue-class-component";
import GroupMixin from "@/mixins/group";
import RouteName from "../../router/name"; import RouteName from "../../router/name";
import SettingMenuSection from "../../components/Settings/SettingMenuSection.vue"; import SettingMenuSection from "../../components/Settings/SettingMenuSection.vue";
import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue"; import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
@ -32,10 +33,8 @@ import SettingMenuItem from "../../components/Settings/SettingMenuItem.vue";
@Component({ @Component({
components: { SettingMenuSection, SettingMenuItem }, components: { SettingMenuSection, SettingMenuItem },
}) })
export default class Settings extends Vue { export default class Settings extends mixins(GroupMixin) {
RouteName = RouteName; RouteName = RouteName;
group!: IGroup[];
} }
</script> </script>

View file

@ -145,11 +145,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
end end
@doc """ @doc """
Create a new group. The creator is automatically added as admin Update a group. The creator is automatically added as admin
""" """
def update_group( def update_group(
_parent, _parent,
args, %{id: group_id} = args,
%{ %{
context: %{ context: %{
current_user: %User{} = user current_user: %User{} = user
@ -157,6 +157,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
} }
) do ) do
with %Actor{} = updater_actor <- Users.get_actor_for_user(user), with %Actor{} = updater_actor <- Users.get_actor_for_user(user),
{:administrator, true} <-
{:administrator, Actors.is_administrator?(updater_actor.id, group_id)},
args <- Map.put(args, :updater_actor, updater_actor), args <- Map.put(args, :updater_actor, updater_actor),
args <- save_attached_pictures(args), args <- save_attached_pictures(args),
{:ok, _activity, %Actor{type: :Group} = group} <- {:ok, _activity, %Actor{type: :Group} = group} <-
@ -166,8 +168,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Group do
{:error, err} when is_binary(err) -> {:error, err} when is_binary(err) ->
{:error, err} {:error, err}
{:is_owned, nil} -> {:administrator, false} ->
{:error, dgettext("errors", "Creator profile is not owned by the current user")} {:error, dgettext("errors", "Profile is not administrator for the group")}
end end
end end

View file

@ -704,6 +704,22 @@ defmodule Mobilizon.Actors do
) )
end end
@spec is_moderator?(integer | String.t(), integer | String.t()) :: boolean()
def is_moderator?(actor_id, parent_id) do
match?(
{:ok, %Member{}},
get_member(actor_id, parent_id, @moderator_roles)
)
end
@spec is_administrator?(integer | String.t(), integer | String.t()) :: boolean()
def is_administrator?(actor_id, parent_id) do
match?(
{:ok, %Member{}},
get_member(actor_id, parent_id, @administrator_roles)
)
end
@doc """ @doc """
Gets a single member of an actor (for example a group). Gets a single member of an actor (for example a group).
""" """

View file

@ -239,6 +239,111 @@ defmodule Mobilizon.Web.Resolvers.GroupTest do
end end
end end
describe "update a group" do
@update_group_mutation """
mutation UpdateGroup(
$id: ID!
$name: String
$summary: String
$avatar: PictureInput
$banner: PictureInput
$visibility: GroupVisibility
$physicalAddress: AddressInput
) {
updateGroup(
id: $id
name: $name
summary: $summary
banner: $banner
avatar: $avatar
visibility: $visibility
physicalAddress: $physicalAddress
) {
id
preferredUsername
name
summary
visibility
avatar {
url
}
banner {
url
}
}
}
"""
@new_group_name "new name for group"
test "update_group/3 updates a group", %{conn: conn, user: user, actor: actor} do
group = insert(:group)
insert(:member, parent: group, actor: actor, role: :administrator)
res =
conn
|> auth_conn(user)
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{
id: group.id,
name: @new_group_name,
visibility: "UNLISTED"
}
)
assert is_nil(res["errors"])
assert res["data"]["updateGroup"]["name"] == @new_group_name
assert res["data"]["updateGroup"]["visibility"] == "UNLISTED"
end
test "update_group/3 requires to be logged-in to update a group", %{conn: conn} do
group = insert(:group)
res =
conn
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{id: group.id, name: @new_group_name}
)
assert hd(res["errors"])["message"] == "You need to be logged-in to update a group"
end
test "update_group/3 requires to be an admin of the group to update a group", %{
conn: conn,
actor: actor
} do
group = insert(:group)
insert(:member, parent: group, actor: actor, role: :administrator)
user = insert(:user)
actor2 = insert(:actor, user: user)
# Actor not member
res =
conn
|> auth_conn(user)
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{id: group.id, name: @new_group_name}
)
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
# Actor member but not admin
insert(:member, parent: group, actor: actor2, role: :moderator)
res =
conn
|> auth_conn(user)
|> AbsintheHelpers.graphql_query(
query: @update_group_mutation,
variables: %{id: group.id, name: @new_group_name}
)
assert hd(res["errors"])["message"] == "Profile is not administrator for the group"
end
end
describe "delete a group" do describe "delete a group" do
@delete_group_mutation """ @delete_group_mutation """
mutation DeleteGroup($groupId: ID!) { mutation DeleteGroup($groupId: ID!) {