Merge pull request #14982 from snipe/fixes/check_for_user_on_patch_api

Check that the user exists before trying to fill the request
This commit is contained in:
snipe 2024-06-27 14:36:21 +01:00 committed by GitHub
commit b6e8d28ed3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 96 additions and 63 deletions


@ -437,7 +437,9 @@ class UsersController extends Controller
{
$this->authorize('update', User::class);
$user = User::find($id);
if ($user = User::find($id)) {
$this->authorize('update', $user);
/**
@ -510,6 +512,10 @@ class UsersController extends Controller
return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
}
return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.user_not_found', compact('id'))));
}
/**
* Remove the specified resource from storage.
*
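Review bot: The new `if ($user = User::find($id)) {` at the top of the first hunk puts an assignment inside the condition and indents the whole update body one level, with the not-found return only reached by falling out of that block in the second hunk; a guard clause reads more clearly: `$user = User::find($id);` `if ($user === null) { return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/users/message.user_not_found', compact('id')))); }` followed by the rest of the method unindented. The not-found response is emitted by `response()->json()` with its default 200 status, and the test changes in the second file suggest a user outside the caller's company scope now takes this same path instead of the 403 raised by `authorize`; if that is intended (it avoids confirming to a caller whether an id they cannot see exists), a comment such as `// Same not-found response whether the id does not exist or is outside the caller's company scope; do not distinguish the two cases` would stop a later change from splitting them. The update method begins before the first hunk and ends after the second.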


@ -153,47 +153,74 @@ class UpdateUserTest extends TestCase
// Admin for Company A should allow updating user from Company A
$this->actingAsForApi($adminA)
->patchJson(route('api.users.update', $scoped_user_in_companyA))
->assertStatus(200);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('success')
->json();
// Admin for Company A should get denied updating user from Company B
$this->actingAsForApi($adminA)
->patchJson(route('api.users.update', $scoped_user_in_companyB))
->assertStatus(403);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
// Admin for Company A should get denied updating user without a company
$this->actingAsForApi($adminA)
->patchJson(route('api.users.update', $scoped_user_in_no_company))
->assertStatus(403);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
// Admin for Company B should allow updating user from Company B
$this->actingAsForApi($adminB)
->patchJson(route('api.users.update', $scoped_user_in_companyB))
->assertStatus(200);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('success')
->json();
// Admin for Company B should get denied updating user from Company A
$this->actingAsForApi($adminB)
->patchJson(route('api.users.update', $scoped_user_in_companyA))
->assertStatus(403);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
// Admin for Company B should get denied updating user without a company
$this->actingAsForApi($adminB)
->patchJson(route('api.users.update', $scoped_user_in_no_company))
->assertStatus(403);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
// Admin without a company should allow updating user without a company
$this->actingAsForApi($adminNoCompany)
->patchJson(route('api.users.update', $scoped_user_in_no_company))
->assertStatus(200);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('success')
->json();
// Admin without a company should get denied updating user from Company A
$this->actingAsForApi($adminNoCompany)
->patchJson(route('api.users.update', $scoped_user_in_companyA))
->assertStatus(403);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
// Admin without a company should get denied updating user from Company B
$this->actingAsForApi($adminNoCompany)
->patchJson(route('api.users.update', $scoped_user_in_companyB))
->assertStatus(403);
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
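Review bot: Every rewritten assertion chain calls `->assertOk()` and then `->assertStatus(200)`, which check the same thing, and ends in `->json()` whose return value is discarded, so each chain can be reduced to `->assertOk()` `->assertStatusMessageIs('error');` (or `'success'`). The cross-company and no-company "denied" cases now only assert that the status message is `'error'`, which would also pass on a validation failure or any other error path, so the test no longer shows that the update was refused for that particular user; asserting the specific message the controller returns for an unfound or out-of-scope user would keep these cases tied to the behaviour they are meant to cover. The inline comments still say "should get denied" while the expected HTTP status is now 200, so they could note that the API reports the refusal as a 200 response with an error status. The enclosing test method starts above the hunk and closes at its last line.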
public function testUserGroupsAreOnlyUpdatedIfAuthenticatedUserIsSuperUser()