#140 Only allow admins to get another user's boards

cboard-org · Mar 30, 2021 · 8431c1a · 8431c1a
1 parent 0bcbd49
commit 8431c1a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/api/controllers/board.js b/api/controllers/board.js
@@ -41,8 +41,16 @@ async function listBoard(req, res) {
 }
 
 async function getBoardsEmail(req, res) {
-  const { search = '' } = req.query;
   const email = req.swagger.params.email.value;
+
+  if (!req.user.isAdmin && req.user.email !== email) {
+    return res.status(403).json({
+      message: "You are not authorized to get this user's boards."
+    });
+  }
+
+  const { search = '' } = req.query;
+
   const searchFields = ['name', 'author'];
   const query =
     search && search.length ? getORQuery(searchFields, search, true) : {};

diff --git a/test/controllers/board.js b/test/controllers/board.js
@@ -227,4 +227,45 @@ describe('Board API calls', function () {
         done();
       });
   });
+
+  describe('GET /board/byemail/:email', function() {
+    it("only allows an admin to get another user's boards", async function() {
+      const adminEmail = helper.generateEmail();
+      const admin = await helper.prepareUser(server, {
+        role: 'admin',
+        email: adminEmail,
+      });
+
+      const userEmail = helper.generateEmail();
+      const user = await helper.prepareUser(server, {
+        role: 'user',
+        email: userEmail,
+      });
+
+      // Try to get another user's boards as a regular user.
+      // This should fail.
+      await request(server)
+        .get(`/board/byemail/${encodeURI(adminEmail)}`)
+        .set('Authorization', `Bearer ${user.token}`)
+        .expect({
+          message: "You are not authorized to get this user's boards.",
+        })
+        .expect(403);
+
+      // Try to get another user's boards as an admin user.
+      // This should succeed.
+      await request(server)
+        .get(`/board/byemail/${encodeURI(userEmail)}`)
+        .set('Authorization', `Bearer ${admin.token}`)
+        .expect(200);
+
+
+      // Try to get my own boards as a regular user.
+      // This should succeed.
+      await request(server)
+        .get(`/board/byemail/${encodeURI(userEmail)}`)
+        .set('Authorization', `Bearer ${user.token}`)
+        .expect(200);
+    });
+  });
 });