fix(regression): cannot delete users (#3746)
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
@@ -99,7 +99,7 @@ return function (RouteCollection $map, RouteHandlerFactory $route) {
|
|||||||
$map->delete(
|
$map->delete(
|
||||||
'/users/{id}',
|
'/users/{id}',
|
||||||
'users.delete',
|
'users.delete',
|
||||||
$route->toController(Controller\DeleteAccessTokenController::class)
|
$route->toController(Controller\DeleteUserController::class)
|
||||||
);
|
);
|
||||||
|
|
||||||
// Upload avatar
|
// Upload avatar
|
||||||
|
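--- a/framework/core/tests/integration/api/users/DeleteTest.php
+++ b/framework/core/tests/integration/api/users/DeleteTest.php
@@ -0,0 +1,89 @@
+<?php
+
+/*
+* This file is part of Flarum.
+*
+* For detailed copyright and license information, please view the
+* LICENSE file that was distributed with this source code.
+*/
+
+namespace integration\api\users;
+
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Flarum\User\User;
+
+class DeleteTest extends TestCase
+{
+use RetrievesAuthorizedUsers;
+
+protected function setUp(): void
+{
+parent::setUp();
+
+$this->prepareDatabase([
+'users' => [
+$this->normalUser(),
+['id' => 3, 'username' => 'ken', 'is_email_confirmed' => 1],
+],
+'group_user' => [
+['group_id' => 3, 'user_id' => 2],
+['group_id' => 3, 'user_id' => 3],
+]
+]);
+}
+
+/**
+* @dataProvider authorizedUsersProvider
+* @test
+*/
+public function can_delete_user(int $actorId, int $userId)
+{
+$this->database()->table('group_permission')->insert([
+'permission' => 'user.delete',
+'group_id' => 3,
+]);
+
+$response = $this->send(
+$this->request('DELETE', "/api/users/$userId", [
+'authenticatedAs' => $actorId,
+])
+);
+
+$this->assertEquals(204, $response->getStatusCode());
+$this->assertNull(User::find($userId));
+}
+
+public function authorizedUsersProvider()
+{
+return [
+'admin can delete user' => [1, 2],
+'user with permission can delete self' => [2, 2],
+'user with permission can delete other users' => [2, 3],
+];
+}
+
+/**
+* @dataProvider unauthorizedUsersProvider
+* @test
+*/
+public function cannot_delete_user(int $actorId, int $userId)
+{
+$response = $this->send(
+$this->request('DELETE', "/api/users/$userId", [
+'authenticatedAs' => $actorId,
+])
+);
+
+$this->assertEquals(403, $response->getStatusCode());
+$this->assertNotNull(User::find($userId));
+}
+
+public function unauthorizedUsersProvider()
+{
+return [
+'user without permission cannot delete self' => [2, 2],
+'user without permission cannot delete other users' => [2, 3],
+];
+}
+}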
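Review bot: The negative cases in `unauthorizedUsersProvider` only cover an authenticated member who lacks `user.delete`, so the endpoint is never exercised without `authenticatedAs`. Nothing pins what happens when a member who holds `user.delete` targets the admin row (id 1) either. Since this route was silently bound to the wrong controller before the fix, I would add a separate guest test that sends `$this->request('DELETE', '/api/users/2')` and asserts `$this->assertNotNull(User::find(2));` together with a non-204 status. The exact status for a guest depends on how the test harness handles unauthenticated requests, which is not visible on this page. If the policy is meant to protect admins from permitted members, a provider row for actor 2 against user 1 in a permission-granting test would also keep that boundary from regressing. As a minor style point, `assertSame(204, …)` and `assertSame(403, …)` compare the status code strictly, unlike `assertEquals`.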