From b9f5f7fcf12ee6cb300d2fe7bb7a250bca91fe52 Mon Sep 17 00:00:00 2001
From: Guillermo Giuliana
Date: Tue, 28 Dec 2021 00:26:55 -0300
Subject: [PATCH] [DEV-205] Users/Staffs should not be able to change the email for one already used by another user/staff (#1121)

* add verification of email on staffs
* add email verification users
* fix inviteStaff ruby test function
* add edit staff ruby tests
* add edit user ruby tests
* update other ruby tests
---
 server/controllers/staff/edit.php | 19 ++++++-
 server/controllers/user/edit-email.php | 18 +++++++
 tests/scripts.rb | 2 +-
 tests/staff/delete.rb | 4 +-
 tests/staff/edit.rb | 69 ++++++++++++++++++++++++++
 tests/user/edit-email.rb | 61 +++++++++++++++++++++++
 tests/user/edit-supervised-list.rb | 4 +-
 tests/user/get-supervised-tickets.rb | 28 +++++------
 tests/user/get-users-test.rb | 2 +-
 9 files changed, 186 insertions(+), 21 deletions(-)

diff --git a/server/controllers/staff/edit.php b/server/controllers/staff/edit.php
index 17baa42e..2683d111 100755
--- a/server/controllers/staff/edit.php
+++ b/server/controllers/staff/edit.php
@@ -85,7 +85,11 @@ class EditStaffController extends Controller {
 private function editInformation() {
 if(Controller::request('email')) {
- $this->staffInstance->email = Controller::request('email');
+ $newEmail = Controller::request('email');
+
+ $this->verifyEmail($newEmail);
+
+ $this->staffInstance->email = $newEmail;
 }
 if(Controller::request('password')) {
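Review bot: The uniqueness check inserted before the assignment is a read-then-write with no transaction, lock or unique index visible in this patch, so two concurrent edits (or an edit racing a signup) can each pass `verifyEmail` and both end up storing the same address — application-level lookups like this need a database backstop. A UNIQUE index on the email column of both tables, with the resulting duplicate-key failure from `store()` mapped to `ERRORS::INVALID_EMAIL`, would make the invariant hold regardless of request interleaving and turn the new check into a friendlier fast path. The check also only protects this code path; the `/staff/invite` endpoint the new specs use to create staff is not touched by the patch, so whether it applies the same rule I cannot tell from here. `editInformation` continues past the end of the hunk.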
@@ -131,7 +135,20 @@ class EditStaffController extends Controller {
 $this->staffInstance->store();
 }
+ private function verifyEmail($email){
+ $staff = Staff::getDataStore($email,'email');
+ $user = User::getDataStore($email,'email');
+
+ if($user->email == $email){
+ throw new RequestException(ERRORS::INVALID_EMAIL);
+ }
+
+ if($staff->email == $email && $this->staffInstance->email != $email){
+ throw new RequestException(ERRORS::INVALID_EMAIL);
+ }
+ }
+
 private function getDepartmentList() {
 $listDepartments = new DataStoreList();
 $departmentIds = json_decode(Controller::request('departments'));
diff --git a/server/controllers/user/edit-email.php b/server/controllers/user/edit-email.php
index c7617373..d8cd7b5e 100755
--- a/server/controllers/user/edit-email.php
+++ b/server/controllers/user/edit-email.php
@@ -42,7 +42,11 @@ class EditEmail extends Controller{
 $newEmail = Controller::request('newEmail');
 $user = Controller::getLoggedUser();
 $oldEmail = $user->email;
+
+ $this->verifyEmail($newEmail, $user);
+
 $user->email = $newEmail;
+
 $user->store();
 $mailSender = MailSender::getInstance();
@@ -55,4 +59,18 @@ class EditEmail extends Controller{
 Response::respondSuccess();
 }
+
+ private function verifyEmail($email, $logedUser){
+
+ $staff = Staff::getDataStore($email,'email');
+ $user = User::getDataStore($email,'email');
+
+ if($user->email == $email && $logedUser->email != $email){
+ throw new RequestException(ERRORS::INVALID_EMAIL);
+ }
+
+ if($staff->email == $email){
+ throw new RequestException(ERRORS::INVALID_EMAIL);
+ }
+ }
 }
\ No newline at end of file
diff --git a/tests/scripts.rb b/tests/scripts.rb
index 1c5d6610..bc4dbe2d 100644
--- a/tests/scripts.rb
+++ b/tests/scripts.rb
@@ -28,7 +28,7 @@ class Scripts
 :name => name,
 :email => email,
 :level => level,
- :departments => departments.to_string
+ :departments => departments.to_str
 })
 end
diff --git a/tests/staff/delete.rb b/tests/staff/delete.rb
index 80420e6a..b73c6030 100644
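Review bot: `verifyEmail` decides a collision by byte-equal string comparison against whatever the lookup returned, so if `getDataStore` resolves the address case-insensitively (MySQL's default collations do, and they also ignore trailing spaces) then `Dalas@os4.com` finds the existing row, `$staff->email == $email` is false, and the near-duplicate is stored anyway; the self-exemption is likewise keyed on the record's current address rather than its identity. I would compare case-insensitively and exempt the staff being edited by id (the specs address staff via `row['id']`, so an id is available on the row), and please confirm how a miss is represented by `getDataStore` — if the returned object's `email` is `null` the cast below keeps `strcasecmp` from being handed a null. Trimming the input before the lookup, or rejecting surrounding whitespace in the format validation, is worth doing at the same time for the trailing-space case. The same rule, with `$logedUser` in place of `$this->staffInstance`, is duplicated in user/edit-email.php in this patch; a single shared helper would keep the two from drifting.
```php
private function verifyEmail($email){
    $staff = Staff::getDataStore($email,'email');
    $user = User::getDataStore($email,'email');

    // Case-insensitive: the lookup above may already match regardless of
    // case (DB collation), and a@b.com / A@b.com are one mailbox in practice.
    if(strcasecmp((string) $user->email, $email) === 0){
        throw new RequestException(ERRORS::INVALID_EMAIL);
    }

    // Exempt the record being edited by identity, not by its current address.
    if(strcasecmp((string) $staff->email, $email) === 0 && $staff->id != $this->staffInstance->id){
        throw new RequestException(ERRORS::INVALID_EMAIL);
    }
}
```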
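Review bot: `$this->verifyEmail($newEmail, $user)` and `$user->store()` are two separate statements with no transaction or unique constraint visible, so a concurrent edit-email or signup for the same address can still slip between them and leave two accounts sharing one email; the check should be backed by a UNIQUE index on the email column, with the duplicate-key error from `store()` mapped to `ERRORS::INVALID_EMAIL`. The handler runs past both ends of the hunk, so I cannot see whether format validation of `newEmail` happens before this point — if it does not, the uniqueness lookup is currently the first thing to touch the raw request value.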
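Review bot: With this check the self-service endpoint answers `INVALID_EMAIL` for any address that belongs to another user or to any staff member, so an authenticated customer can probe which addresses are registered, including support-staff mailboxes; if `INVALID_EMAIL` is also the code used for a malformed address that blunts the oracle a little, but a well-formed address that is rejected still means "taken". If that trade-off is acceptable for this endpoint it deserves a comment saying so and rate limiting on the call; otherwise a generic failure code here would be safer. Separately, the self-exemption should be by identity rather than by address, and the parameter name is misspelled: `private function verifyEmail($email, $loggedUser){` and `if($user->email == $email && $user->id != $loggedUser->id){`. The comparison is also exact-match, so the same case-sensitivity caveat as in staff/edit.php applies if the underlying lookup is collation-insensitive.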
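Review bot: `to_str` is defined only on String in Ruby, so this helper now works when callers hand in an already-serialized value such as `'[1]'` (which is what the new specs send to the endpoint directly) but raises NoMethodError if any caller passes an Array; I cannot see the callers from here. If the parameter is meant to accept either, `departments.to_s` covers both, and if it is meant to take a list the serialization should be explicit rather than relying on Array#to_s formatting. The enclosing method starts before the hunk.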
--- a/tests/staff/delete.rb
+++ b/tests/staff/delete.rb
@@ -16,7 +16,7 @@ describe'/staff/delete' do
 (row).should.equal(nil)
 row = $database.getRow('department', 1, 'id')
- (row['owners']).should.equal(4)
+ (row['owners']).should.equal(6)
 end
@@ -31,6 +31,6 @@ describe'/staff/delete' do
 (result['message']).should.equal('INVALID_STAFF')
 row = $database.getRow('department', 1, 'id')
- (row['owners']).should.equal(4)
+ (row['owners']).should.equal(6)
 end
 end
diff --git a/tests/staff/edit.rb b/tests/staff/edit.rb
index a8180d6e..e1f078a5 100644
--- a/tests/staff/edit.rb
+++ b/tests/staff/edit.rb
@@ -107,4 +107,73 @@ describe'/staff/edit' do
 (result['status']).should.equal('fail')
 (result['message']).should.equal('NO_PERMISSION')
 end
+
+ it 'should success if email selected is used by himself' do
+
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ result = request('/staff/invite', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'sellamamarlos',
+ email: 'dalas@os4.com',
+ level: 2,
+ profilePic: '',
+ departments: '[1]'
+ })
+
+ row = $database.getRow('staff', 'dalas@os4.com', 'email')
+
+ result = request('/staff/edit', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ staffId: row['id'],
+ email: row['email']
+ })
+
+ (result['status']).should.equal('success')
+
+ staffRow = $database.getRow('staff', 'dalas@os4.com', 'email')
+
+ (staffRow['email']).should.equal('dalas@os4.com')
+
+ end
+
+ it 'should fail if email selected is already used' do
+
+ staffRow = $database.getRow('staff', 'dalas@os4.com', 'email')
+
+ result = request('/staff/invite', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'sellamamarlos',
+ email: 'dalas2@os4.com',
+ level: 2,
+ profilePic: '',
+ departments: '[1]'
+ })
+
+ staffRow2 = $database.getRow('staff', 'dalas2@os4.com', 'email')
+ userRow = $database.getRow('user', 'miare@os4.com', 'email')
+
+ result = request('/staff/edit', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ staffId: staffRow['id'],
+ email: staffRow2['email'],
+ })
+
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('INVALID_EMAIL')
+
+ result = request('/staff/edit', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ staffId: staffRow['id'],
+ email: userRow['email'],
+ })
+
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('INVALID_EMAIL')
+ end
 end
diff --git a/tests/user/edit-email.rb b/tests/user/edit-email.rb
index 02912283..1b87f937 100644
--- a/tests/user/edit-email.rb
+++ b/tests/user/edit-email.rb
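Review bot: Neither test asserts that the `/staff/invite` call succeeded before reading the new row back, so an invite failure surfaces as a NoMethodError on `row['id']` rather than as a meaningful assertion; add `(result['status']).should.equal('success')` after each invite. The second test also depends on the first having created `dalas@os4.com` and on `miare@os4.com` existing — that user is created in tests/user/edit-email.rb in this same patch — so the two spec files are order-coupled, and `userRow['email']` raises if this file runs first; creating those fixtures in a setup block (if the runner supports one) or in this file would remove the coupling. A case-variant negative case, `email: staffRow2['email'].upcase`, would pin down whether `DALAS2@os4.com` is treated as a duplicate, which the PHP check as written does not obviously guarantee.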
@@ -42,4 +42,65 @@ describe '/user/edit-email' do
 csrf_token: $csrf_token
 })
 end
+
+
+ it 'should success if email selected is used by himself' do
+
+ Scripts.logout()
+
+ Scripts.createUser('miare@os4.com','sellamamarlos', 'maria')
+
+ result = request('/user/login', {
+ email: 'miare@os4.com',
+ password: 'sellamamarlos'
+ })
+
+ (result['status']).should.equal('success')
+
+ $csrf_userid = result['data']['userId']
+ $csrf_token = result['data']['token']
+
+ row = $database.getRow('user', 'miare@os4.com', 'email')
+
+ result = request('/user/edit-email', {
+ newEmail: row['email'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+
+ (result['status']).should.equal('success')
+
+ row = $database.getRow('user', 'miare@os4.com', 'email')
+
+ (row['email']).should.equal('miare@os4.com')
+
+ end
+
+ it 'should fail if email selected is already used' do
+
+ staffRow = $database.getRow('staff', 1, 'id')
+ userRow = $database.getRow('user', 1, 'id')
+
+ result = request('/user/edit-email', {
+ newEmail: staffRow['email'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('INVALID_EMAIL')
+
+ row = $database.getRow('user', 'miare@os4.com', 'email')
+ (row['email']).should.equal('miare@os4.com')
+
+ result = request('/user/edit-email', {
+ newEmail: userRow['email'],
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token
+ })
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('INVALID_EMAIL')
+
+ row = $database.getRow('user', 'miare@os4.com', 'email')
+ (row['email']).should.equal('miare@os4.com')
+ end
 end
diff --git a/tests/user/edit-supervised-list.rb b/tests/user/edit-supervised-list.rb
index 381deee1..9d80fdb4 100644
--- a/tests/user/edit-supervised-list.rb
+++ b/tests/user/edit-supervised-list.rb
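Review bot: The first test rebinds the global `$csrf_userid`/`$csrf_token` to the freshly created customer's session and never restores them, so whatever spec runs after this file inherits a customer login instead of the session it expects; the `Scripts.login`/`Scripts.logout` calls elsewhere in the patch suggest each spec establishes its own session, but that is worth confirming before relying on it. The negative test only covers exact addresses — add a variant such as `newEmail: staffRow['email'].upcase` (and one with a trailing space), because the server compares the looked-up email with `==` and a collation-insensitive DB lookup could let those variants through while this suite stays green. The second `it` also depends on `miare@os4.com` and the session created in the first, so the two cannot be run in isolation.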
@@ -117,7 +117,7 @@ describe '/staff/supervisor-user-list' do Scripts.login($staff[:email], $staff[:password], true) result = request('/user/edit-supervised-list', { - userIdList: "[30,31,32]", + userIdList: "[31,32,33]", userId: supervisor['id'], csrf_userid: $csrf_userid, csrf_token: $csrf_token @@ -164,7 +164,7 @@ describe '/staff/supervisor-user-list' do Scripts.login($staff[:email], $staff[:password], true) request('/user/edit-supervised-list', { - userIdList: "[30]", + userIdList: "[31]", userId: supervisor['id'], csrf_userid: $csrf_userid, csrf_token: $csrf_token diff --git a/tests/user/get-supervised-tickets.rb b/tests/user/get-supervised-tickets.rb index 228a7dd9..901c61ab 100644 --- a/tests/user/get-supervised-tickets.rb +++ b/tests/user/get-supervised-tickets.rb @@ -16,7 +16,7 @@ describe '/user/get-supervised-tickets' do Scripts.login($staff[:email], $staff[:password], true) result = request('/user/edit-supervised-list', { - userIdList: "[30,32,31]", + userIdList: "[31,33,32]", userId: supervisor['id'], csrf_userid: $csrf_userid, csrf_token: $csrf_token @@ -28,7 +28,7 @@ describe '/user/get-supervised-tickets' do Scripts.login('supervisor@opensupports.com', 'passwordOfSupervisor') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[1000,30]", + supervisedUsers: "[1000,31]", showOwnTickets: 1, page: 1, csrf_userid: $csrf_userid, @@ -39,7 +39,7 @@ describe '/user/get-supervised-tickets' do (result['message']).should.equal('INVALID_SUPERVISED_USERS') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[32,30,1]", + supervisedUsers: "[33,31,1]", showOwnTickets: 1, page: 1, csrf_userid: $csrf_userid, @@ -51,7 +51,7 @@ describe '/user/get-supervised-tickets' do result = request('/user/get-supervised-tickets', { - supervisedUsers: "32", + supervisedUsers: "33", showOwnTickets: 1, page: 1, csrf_userid: $csrf_userid, 
@@ -73,7 +73,7 @@ describe '/user/get-supervised-tickets' do (result['message']).should.equal('INVALID_SUPERVISED_USERS') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[{'id' :29 , 'staff' true}]", + supervisedUsers: "[{'id' :30 , 'staff' true}]", showOwnTickets: 1, page: 1, csrf_userid: $csrf_userid, @@ -86,7 +86,7 @@ describe '/user/get-supervised-tickets' do it 'should return the tickets of the authors searched' do result = request('/user/get-supervised-tickets', { - supervisedUsers: "[30,32,31]", + supervisedUsers: "[31,33,32]", showOwnTickets: 0, page: 1, csrf_userid: $csrf_userid, @@ -101,7 +101,7 @@ describe '/user/get-supervised-tickets' do end it 'should return the tickets of the authors searched including logged user' do result = request('/user/get-supervised-tickets', { - supervisedUsers: "[30,32]", + supervisedUsers: "[31,33]", showOwnTickets: 1, page: 1, csrf_userid: $csrf_userid, @@ -115,7 +115,7 @@ describe '/user/get-supervised-tickets' do (result['data']['tickets'][2]['title']).should.equal(ticketsupervisor['title']) result = request('/user/get-supervised-tickets', { - supervisedUsers: "[30,32,29]", + supervisedUsers: "[31,33,30]", page: 1, csrf_userid: $csrf_userid, csrf_token: $csrf_token @@ -147,7 +147,7 @@ describe '/user/get-supervised-tickets' do supervisor2 = $database.getRow('user', 'supervisor2@opensupports.com', 'email') result = request('/user/edit-supervised-list', { - userIdList: "[30,32,31]", + userIdList: "[31,33,32]", userId: supervisor2['id'], csrf_userid: $csrf_userid, csrf_token: $csrf_token @@ -155,7 +155,7 @@ describe '/user/get-supervised-tickets' do Scripts.login('supervisor@opensupports.com', 'passwordOfSupervisor') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[30,32,31]", + supervisedUsers: "[31,33,32]", showOwnTickets: 0, page: 1, csrf_userid: $csrf_userid, 
@@ -171,7 +171,7 @@ describe '/user/get-supervised-tickets' do Scripts.login('supervisor2@opensupports.com', 'usersupervised2') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[30,32,31]", + supervisedUsers: "[31,33,32]", showOwnTickets: 0, page: 1, csrf_userid: $csrf_userid, @@ -192,7 +192,7 @@ describe '/user/get-supervised-tickets' do Scripts.login('usersupervised1@opensupports.com', 'usersupervised1') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[29]", + supervisedUsers: "[30]", page: 1, csrf_userid: $csrf_userid, csrf_token: $csrf_token @@ -205,7 +205,7 @@ describe '/user/get-supervised-tickets' do Scripts.login('usersupervised2@opensupports.com', 'usersupervised2') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[29]", + supervisedUsers: "[30]", page: 1, csrf_userid: $csrf_userid, csrf_token: $csrf_token @@ -218,7 +218,7 @@ describe '/user/get-supervised-tickets' do Scripts.login('usersupervised3@opensupports.com', 'usersupervised3') result = request('/user/get-supervised-tickets', { - supervisedUsers: "[29]", + supervisedUsers: "[30]", page: 1, csrf_userid: $csrf_userid, csrf_token: $csrf_token diff --git a/tests/user/get-users-test.rb b/tests/user/get-users-test.rb index 2813e330..d7738ff5 100644 --- a/tests/user/get-users-test.rb +++ b/tests/user/get-users-test.rb @@ -36,7 +36,7 @@ describe '/user/get-users' do }) (result['status']).should.equal('success') - (result['data']['users'].size).should.equal(7) + (result['data']['users'].size).should.equal(8) end it 'should get users with order by tickets and asc' do