prevent non admin users changing admin signatures (#17)

katosdev · Dec 8, 2023 · f608268 · f608268
1 parent c1a9cc3
commit f608268
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/src/Access/UserPolicy.php b/src/Access/UserPolicy.php
@@ -9,6 +9,10 @@ class UserPolicy extends AbstractPolicy
 {
     public function editSignature(User $actor, User $user)
     {
+        if ($user->isAdmin() && !$actor->isAdmin()) {
+            return $this->deny();
+        }
+
         if ($actor->id === $user->id || $actor->can('user.editSignature')) {
             return $this->allow();
         }

diff --git a/tests/integration/api/UserAttributesTest.php b/tests/integration/api/UserAttributesTest.php
@@ -18,10 +18,12 @@ public function setUp(): void
         $this->prepareDatabase([
             'users' => [
                 $this->normalUser(),
-                ['id' => 3, 'username' => 'moderator', 'email' => '[email protected]', 'is_email_confirmed' => true]
+                ['id' => 3, 'username' => 'moderator', 'email' => '[email protected]', 'is_email_confirmed' => true],
+                ['id' => 4, 'username' => 'admin2', 'email' => '[email protected]', 'is_email_confirmed' => true],
             ],
             'group_user' => [
-                ['user_id' => 3, 'group_id' => 4]
+                ['user_id' => 3, 'group_id' => 4],
+                ['user_id' => 4, 'group_id' => 1],
             ],
             'group_permission' => [
                 ['group_id' => 4, 'permission' => 'user.editSignature']
@@ -92,4 +94,36 @@ public function user_with_permission_can_edit_others_signature()
 
         $this->assertTrue($json['data']['attributes']['canEditSignature']);
     }
+
+    /**
+     * @test
+     */
+    public function user_with_permission_cannot_edit_admin_signature()
+    {
+        $response = $this->send(
+            $this->request('GET', '/api/users/1', ['authenticatedAs' => 3])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $json = json_decode($response->getBody(), true);
+
+        $this->assertFalse($json['data']['attributes']['canEditSignature']);
+    }
+
+    /**
+     * @test
+     */
+    public function admin_can_edit_admin_signature()
+    {
+        $response = $this->send(
+            $this->request('GET', '/api/users/1', ['authenticatedAs' => 4])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $json = json_decode($response->getBody(), true);
+
+        $this->assertTrue($json['data']['attributes']['canEditSignature']);
+    }
 }