[DEV-205] Users/Staffs should not be able to change the email for one already used by another user/staff (#1121)

* add verification of email on staffs * add email verification users * fix inviteStaff ruby test function * add edit staff ruby tests * add edit user ruby tests * update other ruby tests
2021-12-28 00:26:55 -03:00 · 2021-12-28 00:26:55 -03:00 · b9f5f7fcf1
parent fe1dd1bd48
commit b9f5f7fcf1
9 changed files with 186 additions and 21 deletions
--- a/server/controllers/staff/edit.php
+++ b/server/controllers/staff/edit.php
@ -85,7 +85,11 @@ class EditStaffController extends Controller {
    private function editInformation() {
        if(Controller::request('email')) {
-            $this->staffInstance->email = Controller::request('email');
+            $newEmail = Controller::request('email');
            $this->verifyEmail($newEmail);
            $this->staffInstance->email = $newEmail;
        }
        if(Controller::request('password')) {
@ -131,6 +135,19 @@ class EditStaffController extends Controller {
        $this->staffInstance->store();
    }
    private function verifyEmail($email){
        $staff = Staff::getDataStore($email,'email');
        $user = User::getDataStore($email,'email');
        if($user->email == $email){
            throw new RequestException(ERRORS::INVALID_EMAIL);
        }
        if($staff->email == $email && $this->staffInstance->email != $email){
            throw new RequestException(ERRORS::INVALID_EMAIL);
        }
    }
    private function getDepartmentList() {
        $listDepartments = new DataStoreList();
--- a/server/controllers/user/edit-email.php
+++ b/server/controllers/user/edit-email.php
@ -42,7 +42,11 @@ class EditEmail extends Controller{
        $newEmail = Controller::request('newEmail');
        $user = Controller::getLoggedUser();
        $oldEmail = $user->email;
        $this->verifyEmail($newEmail, $user);
        $user->email = $newEmail;
        $user->store();
        $mailSender = MailSender::getInstance();
@ -55,4 +59,18 @@ class EditEmail extends Controller{
        Response::respondSuccess();
    }
    private function verifyEmail($email, $logedUser){
        $staff = Staff::getDataStore($email,'email');
        $user = User::getDataStore($email,'email');
        if($user->email == $email && $logedUser->email != $email){
            throw new RequestException(ERRORS::INVALID_EMAIL);
        }
        if($staff->email == $email){
            throw new RequestException(ERRORS::INVALID_EMAIL);
        }
    }
 }
--- a/tests/scripts.rb
+++ b/tests/scripts.rb
@ -28,7 +28,7 @@ class Scripts
            :name => name,
            :email => email,
            :level => level,
-            :departments => departments.to_string
+            :departments => departments.to_str
        })
    end
--- a/tests/staff/delete.rb
+++ b/tests/staff/delete.rb
@ -16,7 +16,7 @@ describe'/staff/delete' do
        (row).should.equal(nil)
        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal(4)
+        (row['owners']).should.equal(6)
    end
@ -31,6 +31,6 @@ describe'/staff/delete' do
        (result['message']).should.equal('INVALID_STAFF')
        row = $database.getRow('department', 1, 'id')
-        (row['owners']).should.equal(4)
+        (row['owners']).should.equal(6)
    end
 end
--- a/tests/staff/edit.rb
+++ b/tests/staff/edit.rb
@ -107,4 +107,73 @@ describe'/staff/edit' do
        (result['status']).should.equal('fail')
        (result['message']).should.equal('NO_PERMISSION')
    end
    it 'should success if email selected is used by himself' do
        Scripts.login($staff[:email], $staff[:password], true)
        result = request('/staff/invite', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'sellamamarlos',
            email: 'dalas@os4.com',
            level: 2,
            profilePic: '',
            departments: '[1]'
        })
        row = $database.getRow('staff', 'dalas@os4.com', 'email')
        result = request('/staff/edit', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            staffId: row['id'],
            email:  row['email']
        })
        (result['status']).should.equal('success')
        staffRow = $database.getRow('staff', 'dalas@os4.com', 'email')
        (staffRow['email']).should.equal('dalas@os4.com')
    end
    it 'should fail if  email selected is already used' do
        staffRow = $database.getRow('staff', 'dalas@os4.com', 'email')
        result = request('/staff/invite', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            name: 'sellamamarlos',
            email: 'dalas2@os4.com',
            level: 2,
            profilePic: '',
            departments: '[1]'
        })
        staffRow2 = $database.getRow('staff', 'dalas2@os4.com', 'email')
        userRow = $database.getRow('user', 'miare@os4.com', 'email')
        result = request('/staff/edit', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            staffId: staffRow['id'],
            email:  staffRow2['email'],
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_EMAIL')
        result = request('/staff/edit', {
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token,
            staffId: staffRow['id'],
            email:  userRow['email'],
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_EMAIL')
    end
 end
--- a/tests/user/edit-email.rb
+++ b/tests/user/edit-email.rb
@ -42,4 +42,65 @@ describe '/user/edit-email' do
            csrf_token: $csrf_token
        })
    end
    it 'should success if email selected is used by himself' do
        Scripts.logout()
        Scripts.createUser('miare@os4.com','sellamamarlos', 'maria')
        result = request('/user/login', {
            email: 'miare@os4.com',
            password: 'sellamamarlos'
        })
        (result['status']).should.equal('success')
        $csrf_userid = result['data']['userId']
        $csrf_token = result['data']['token']
        row = $database.getRow('user', 'miare@os4.com', 'email')
        result = request('/user/edit-email', {
            newEmail: row['email'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('success')
        row = $database.getRow('user', 'miare@os4.com', 'email')
        (row['email']).should.equal('miare@os4.com')
    end
    it 'should fail if  email selected is already used' do
        staffRow = $database.getRow('staff', 1, 'id')
        userRow = $database.getRow('user', 1, 'id')
        result = request('/user/edit-email', {
            newEmail: staffRow['email'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_EMAIL')
        row = $database.getRow('user', 'miare@os4.com', 'email')
        (row['email']).should.equal('miare@os4.com')
        result = request('/user/edit-email', {
            newEmail: userRow['email'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
        })
        (result['status']).should.equal('fail')
        (result['message']).should.equal('INVALID_EMAIL')
        row = $database.getRow('user', 'miare@os4.com', 'email')
        (row['email']).should.equal('miare@os4.com')
    end
 end
--- a/tests/user/edit-supervised-list.rb
+++ b/tests/user/edit-supervised-list.rb
@ -117,7 +117,7 @@ describe '/staff/supervisor-user-list' do
        Scripts.login($staff[:email], $staff[:password], true)
        result = request('/user/edit-supervised-list', {
-            userIdList: "[30,31,32]",
+            userIdList: "[31,32,33]",
            userId:  supervisor['id'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
@ -164,7 +164,7 @@ describe '/staff/supervisor-user-list' do
        Scripts.login($staff[:email], $staff[:password], true)
        request('/user/edit-supervised-list', {
-            userIdList: "[30]",
+            userIdList: "[31]",
            userId:  supervisor['id'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
--- a/tests/user/get-supervised-tickets.rb
+++ b/tests/user/get-supervised-tickets.rb
@ -16,7 +16,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login($staff[:email], $staff[:password], true)
        result = request('/user/edit-supervised-list', {
-            userIdList: "[30,32,31]",
+            userIdList: "[31,33,32]",
            userId:  supervisor['id'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
@ -28,7 +28,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login('supervisor@opensupports.com', 'passwordOfSupervisor')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[1000,30]",
+            supervisedUsers: "[1000,31]",
            showOwnTickets: 1,
            page: 1,
            csrf_userid: $csrf_userid,
@ -39,7 +39,7 @@ describe '/user/get-supervised-tickets' do
        (result['message']).should.equal('INVALID_SUPERVISED_USERS')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[32,30,1]",
+            supervisedUsers: "[33,31,1]",
            showOwnTickets: 1,
            page: 1,
            csrf_userid: $csrf_userid,
@ -51,7 +51,7 @@ describe '/user/get-supervised-tickets' do
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "32",
+            supervisedUsers: "33",
            showOwnTickets: 1,
            page: 1,
            csrf_userid: $csrf_userid,
@ -73,7 +73,7 @@ describe '/user/get-supervised-tickets' do
        (result['message']).should.equal('INVALID_SUPERVISED_USERS')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[{'id' :29 , 'staff' true}]",
+            supervisedUsers: "[{'id' :30 , 'staff' true}]",
            showOwnTickets: 1,
            page: 1,
            csrf_userid: $csrf_userid,
@ -86,7 +86,7 @@ describe '/user/get-supervised-tickets' do
    it 'should return the tickets of the authors searched' do
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[30,32,31]",
+            supervisedUsers: "[31,33,32]",
            showOwnTickets: 0,
            page: 1,
            csrf_userid: $csrf_userid,
@ -101,7 +101,7 @@ describe '/user/get-supervised-tickets' do
    end
    it 'should return the tickets of the authors searched including logged user' do
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[30,32]",
+            supervisedUsers: "[31,33]",
            showOwnTickets: 1,
            page: 1,
            csrf_userid: $csrf_userid,
@ -115,7 +115,7 @@ describe '/user/get-supervised-tickets' do
        (result['data']['tickets'][2]['title']).should.equal(ticketsupervisor['title']) 
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[30,32,29]",
+            supervisedUsers: "[31,33,30]",
            page: 1,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
@ -147,7 +147,7 @@ describe '/user/get-supervised-tickets' do
        supervisor2 = $database.getRow('user', 'supervisor2@opensupports.com', 'email')
        result = request('/user/edit-supervised-list', {
-            userIdList: "[30,32,31]",
+            userIdList: "[31,33,32]",
            userId:  supervisor2['id'],
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
@ -155,7 +155,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login('supervisor@opensupports.com', 'passwordOfSupervisor')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[30,32,31]",
+            supervisedUsers: "[31,33,32]",
            showOwnTickets: 0,
            page: 1,
            csrf_userid: $csrf_userid,
@ -171,7 +171,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login('supervisor2@opensupports.com', 'usersupervised2')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[30,32,31]",
+            supervisedUsers: "[31,33,32]",
            showOwnTickets: 0,
            page: 1,
            csrf_userid: $csrf_userid,
@ -192,7 +192,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login('usersupervised1@opensupports.com', 'usersupervised1')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[29]",
+            supervisedUsers: "[30]",
            page: 1,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
@ -205,7 +205,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login('usersupervised2@opensupports.com', 'usersupervised2')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[29]",
+            supervisedUsers: "[30]",
            page: 1,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
@ -218,7 +218,7 @@ describe '/user/get-supervised-tickets' do
        Scripts.login('usersupervised3@opensupports.com', 'usersupervised3')
        result = request('/user/get-supervised-tickets', {
-            supervisedUsers: "[29]",
+            supervisedUsers: "[30]",
            page: 1,
            csrf_userid: $csrf_userid,
            csrf_token: $csrf_token
--- a/tests/user/get-users-test.rb
+++ b/tests/user/get-users-test.rb
@ -36,7 +36,7 @@ describe '/user/get-users' do
        })
        (result['status']).should.equal('success')
-        (result['data']['users'].size).should.equal(7)
+        (result['data']['users'].size).should.equal(8)
    end
    it 'should get users with order by tickets and asc' do