fix(members): change getUser for event creation (#232)

* fix(members): change getUser for event creation Members now have the global:view_members:body permission to add organizers from other locals, with this change we also store the correct information when storing the event * chore(member): add test * chore(members): improve test
AEGEE · Feb 13, 2021 · 20c01c3 · 20c01c3
1 parent 16f94fd
commit 20c01c3
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/middlewares/members.js b/middlewares/members.js
@@ -48,6 +48,17 @@ exports.listAllUnconfirmedUsers = async (req, res) => {
 
 exports.getUser = async (req, res) => {
     if (!req.permissions.hasPermission('view:member') && req.user.id !== req.currentUser.id) {
+        if (req.permissions.hasPermission('view_members:body')) {
+            return res.json({
+                success: true,
+                data: {
+                    id: req.currentUser.id,
+                    first_name: req.currentUser.first_name,
+                    last_name: req.currentUser.last_name,
+                    email: req.currentUser.email
+                }
+            });
+        }
         return errors.makeForbiddenError(res, 'Permission view:member is required, but not present.');
     }
 

diff --git a/test/api/users-details.test.js b/test/api/users-details.test.js
@@ -174,6 +174,27 @@ describe('User details', () => {
         expect(res.body.data.id).toEqual(otherUser.id);
     });
 
+    test('should work with global view_members permission', async () => {
+        const user = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken({}, user);
+
+        await generator.createPermission({ scope: 'global', action: 'view_members', object: 'body' });
+
+        const otherUser = await generator.createUser();
+
+        const res = await request({
+            uri: '/members/' + otherUser.id,
+            method: 'GET',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).toHaveProperty('data');
+        expect(res.body).not.toHaveProperty('errors');
+        expect(res.body.data.id).toEqual(otherUser.id);
+    });
+
     test('should fail if no permission', async () => {
         const user = await generator.createUser();
         const token = await generator.createAccessToken({}, user);