[DEV-205] Users/Staffs should not be able to change the email for one already used by another user/staff (#1121)

* add verification of email on staffs

* add email verification users

* fix inviteStaff ruby test function

* add edit staff ruby tests

* add edit user ruby tests

* update other ruby tests
This commit is contained in:
Guillermo Giuliana 2021-12-28 00:26:55 -03:00 committed by GitHub
parent fe1dd1bd48
commit b9f5f7fcf1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 186 additions and 21 deletions

View File

@ -85,7 +85,11 @@ class EditStaffController extends Controller {
private function editInformation() {
if(Controller::request('email')) {
$this->staffInstance->email = Controller::request('email');
$newEmail = Controller::request('email');
$this->verifyEmail($newEmail);
$this->staffInstance->email = $newEmail;
}
if(Controller::request('password')) {
@ -131,6 +135,19 @@ class EditStaffController extends Controller {
$this->staffInstance->store();
}
private function verifyEmail($email){
$staff = Staff::getDataStore($email,'email');
$user = User::getDataStore($email,'email');
if($user->email == $email){
throw new RequestException(ERRORS::INVALID_EMAIL);
}
if($staff->email == $email && $this->staffInstance->email != $email){
throw new RequestException(ERRORS::INVALID_EMAIL);
}
}
private function getDepartmentList() {
$listDepartments = new DataStoreList();

View File

@ -42,7 +42,11 @@ class EditEmail extends Controller{
$newEmail = Controller::request('newEmail');
$user = Controller::getLoggedUser();
$oldEmail = $user->email;
$this->verifyEmail($newEmail, $user);
$user->email = $newEmail;
$user->store();
$mailSender = MailSender::getInstance();
@ -55,4 +59,18 @@ class EditEmail extends Controller{
Response::respondSuccess();
}
private function verifyEmail($email, $logedUser){
$staff = Staff::getDataStore($email,'email');
$user = User::getDataStore($email,'email');
if($user->email == $email && $logedUser->email != $email){
throw new RequestException(ERRORS::INVALID_EMAIL);
}
if($staff->email == $email){
throw new RequestException(ERRORS::INVALID_EMAIL);
}
}
}

View File

@ -28,7 +28,7 @@ class Scripts
:name => name,
:email => email,
:level => level,
:departments => departments.to_string
:departments => departments.to_str
})
end

View File

@ -16,7 +16,7 @@ describe'/staff/delete' do
(row).should.equal(nil)
row = $database.getRow('department', 1, 'id')
(row['owners']).should.equal(4)
(row['owners']).should.equal(6)
end
@ -31,6 +31,6 @@ describe'/staff/delete' do
(result['message']).should.equal('INVALID_STAFF')
row = $database.getRow('department', 1, 'id')
(row['owners']).should.equal(4)
(row['owners']).should.equal(6)
end
end

View File

@ -107,4 +107,73 @@ describe'/staff/edit' do
(result['status']).should.equal('fail')
(result['message']).should.equal('NO_PERMISSION')
end
it 'should success if email selected is used by himself' do
Scripts.login($staff[:email], $staff[:password], true)
result = request('/staff/invite', {
csrf_userid: $csrf_userid,
csrf_token: $csrf_token,
name: 'sellamamarlos',
email: 'dalas@os4.com',
level: 2,
profilePic: '',
departments: '[1]'
})
row = $database.getRow('staff', 'dalas@os4.com', 'email')
result = request('/staff/edit', {
csrf_userid: $csrf_userid,
csrf_token: $csrf_token,
staffId: row['id'],
email: row['email']
})
(result['status']).should.equal('success')
staffRow = $database.getRow('staff', 'dalas@os4.com', 'email')
(staffRow['email']).should.equal('dalas@os4.com')
end
it 'should fail if email selected is already used' do
staffRow = $database.getRow('staff', 'dalas@os4.com', 'email')
result = request('/staff/invite', {
csrf_userid: $csrf_userid,
csrf_token: $csrf_token,
name: 'sellamamarlos',
email: 'dalas2@os4.com',
level: 2,
profilePic: '',
departments: '[1]'
})
staffRow2 = $database.getRow('staff', 'dalas2@os4.com', 'email')
userRow = $database.getRow('user', 'miare@os4.com', 'email')
result = request('/staff/edit', {
csrf_userid: $csrf_userid,
csrf_token: $csrf_token,
staffId: staffRow['id'],
email: staffRow2['email'],
})
(result['status']).should.equal('fail')
(result['message']).should.equal('INVALID_EMAIL')
result = request('/staff/edit', {
csrf_userid: $csrf_userid,
csrf_token: $csrf_token,
staffId: staffRow['id'],
email: userRow['email'],
})
(result['status']).should.equal('fail')
(result['message']).should.equal('INVALID_EMAIL')
end
end

View File

@ -42,4 +42,65 @@ describe '/user/edit-email' do
csrf_token: $csrf_token
})
end
it 'should success if email selected is used by himself' do
Scripts.logout()
Scripts.createUser('miare@os4.com','sellamamarlos', 'maria')
result = request('/user/login', {
email: 'miare@os4.com',
password: 'sellamamarlos'
})
(result['status']).should.equal('success')
$csrf_userid = result['data']['userId']
$csrf_token = result['data']['token']
row = $database.getRow('user', 'miare@os4.com', 'email')
result = request('/user/edit-email', {
newEmail: row['email'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
})
(result['status']).should.equal('success')
row = $database.getRow('user', 'miare@os4.com', 'email')
(row['email']).should.equal('miare@os4.com')
end
it 'should fail if email selected is already used' do
staffRow = $database.getRow('staff', 1, 'id')
userRow = $database.getRow('user', 1, 'id')
result = request('/user/edit-email', {
newEmail: staffRow['email'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
})
(result['status']).should.equal('fail')
(result['message']).should.equal('INVALID_EMAIL')
row = $database.getRow('user', 'miare@os4.com', 'email')
(row['email']).should.equal('miare@os4.com')
result = request('/user/edit-email', {
newEmail: userRow['email'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
})
(result['status']).should.equal('fail')
(result['message']).should.equal('INVALID_EMAIL')
row = $database.getRow('user', 'miare@os4.com', 'email')
(row['email']).should.equal('miare@os4.com')
end
end

View File

@ -117,7 +117,7 @@ describe '/staff/supervisor-user-list' do
Scripts.login($staff[:email], $staff[:password], true)
result = request('/user/edit-supervised-list', {
userIdList: "[30,31,32]",
userIdList: "[31,32,33]",
userId: supervisor['id'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
@ -164,7 +164,7 @@ describe '/staff/supervisor-user-list' do
Scripts.login($staff[:email], $staff[:password], true)
request('/user/edit-supervised-list', {
userIdList: "[30]",
userIdList: "[31]",
userId: supervisor['id'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token

View File

@ -16,7 +16,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login($staff[:email], $staff[:password], true)
result = request('/user/edit-supervised-list', {
userIdList: "[30,32,31]",
userIdList: "[31,33,32]",
userId: supervisor['id'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
@ -28,7 +28,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login('supervisor@opensupports.com', 'passwordOfSupervisor')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[1000,30]",
supervisedUsers: "[1000,31]",
showOwnTickets: 1,
page: 1,
csrf_userid: $csrf_userid,
@ -39,7 +39,7 @@ describe '/user/get-supervised-tickets' do
(result['message']).should.equal('INVALID_SUPERVISED_USERS')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[32,30,1]",
supervisedUsers: "[33,31,1]",
showOwnTickets: 1,
page: 1,
csrf_userid: $csrf_userid,
@ -51,7 +51,7 @@ describe '/user/get-supervised-tickets' do
result = request('/user/get-supervised-tickets', {
supervisedUsers: "32",
supervisedUsers: "33",
showOwnTickets: 1,
page: 1,
csrf_userid: $csrf_userid,
@ -73,7 +73,7 @@ describe '/user/get-supervised-tickets' do
(result['message']).should.equal('INVALID_SUPERVISED_USERS')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[{'id' :29 , 'staff' true}]",
supervisedUsers: "[{'id' :30 , 'staff' true}]",
showOwnTickets: 1,
page: 1,
csrf_userid: $csrf_userid,
@ -86,7 +86,7 @@ describe '/user/get-supervised-tickets' do
it 'should return the tickets of the authors searched' do
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[30,32,31]",
supervisedUsers: "[31,33,32]",
showOwnTickets: 0,
page: 1,
csrf_userid: $csrf_userid,
@ -101,7 +101,7 @@ describe '/user/get-supervised-tickets' do
end
it 'should return the tickets of the authors searched including logged user' do
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[30,32]",
supervisedUsers: "[31,33]",
showOwnTickets: 1,
page: 1,
csrf_userid: $csrf_userid,
@ -115,7 +115,7 @@ describe '/user/get-supervised-tickets' do
(result['data']['tickets'][2]['title']).should.equal(ticketsupervisor['title'])
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[30,32,29]",
supervisedUsers: "[31,33,30]",
page: 1,
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
@ -147,7 +147,7 @@ describe '/user/get-supervised-tickets' do
supervisor2 = $database.getRow('user', 'supervisor2@opensupports.com', 'email')
result = request('/user/edit-supervised-list', {
userIdList: "[30,32,31]",
userIdList: "[31,33,32]",
userId: supervisor2['id'],
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
@ -155,7 +155,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login('supervisor@opensupports.com', 'passwordOfSupervisor')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[30,32,31]",
supervisedUsers: "[31,33,32]",
showOwnTickets: 0,
page: 1,
csrf_userid: $csrf_userid,
@ -171,7 +171,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login('supervisor2@opensupports.com', 'usersupervised2')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[30,32,31]",
supervisedUsers: "[31,33,32]",
showOwnTickets: 0,
page: 1,
csrf_userid: $csrf_userid,
@ -192,7 +192,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login('usersupervised1@opensupports.com', 'usersupervised1')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[29]",
supervisedUsers: "[30]",
page: 1,
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
@ -205,7 +205,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login('usersupervised2@opensupports.com', 'usersupervised2')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[29]",
supervisedUsers: "[30]",
page: 1,
csrf_userid: $csrf_userid,
csrf_token: $csrf_token
@ -218,7 +218,7 @@ describe '/user/get-supervised-tickets' do
Scripts.login('usersupervised3@opensupports.com', 'usersupervised3')
result = request('/user/get-supervised-tickets', {
supervisedUsers: "[29]",
supervisedUsers: "[30]",
page: 1,
csrf_userid: $csrf_userid,
csrf_token: $csrf_token

View File

@ -36,7 +36,7 @@ describe '/user/get-users' do
})
(result['status']).should.equal('success')
(result['data']['users'].size).should.equal(7)
(result['data']['users'].size).should.equal(8)
end
it 'should get users with order by tickets and asc' do