[backend] tests (#13901)

Archidoit · Archidoit · commit 4bd6a25b38e8 · 2026-01-07T12:01:06.000+01:00
diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -534,7 +534,7 @@ const loadUserToUpdateWithAccessCheck = async (context, user, userId) => {
     // Check in an organization admin edits a user that's not in its administrated organizations
     if (isOnlyOrgaAdmin(user)) {
       const myAdministratedOrganizationsIds = user.administrated_organizations.map((orga) => orga.id);
-      if (!userToUpdate[RELATION_PARTICIPATE_TO].find((orga) => myAdministratedOrganizationsIds.includes(orga))) {
+      if (!userToUpdate[RELATION_PARTICIPATE_TO]?.find((orga) => myAdministratedOrganizationsIds.includes(orga))) {
         throw ForbiddenAccess();
       }
     } else {
diff --git a/opencti-platform/opencti-graphql/tests/03-integration/02-resolvers/user-test.ts b/opencti-platform/opencti-graphql/tests/03-integration/02-resolvers/user-test.ts
@@ -19,7 +19,8 @@ import {
   TESTING_USERS,
   USER_CONNECTOR,
   USER_DISINFORMATION_ANALYST,
-  USER_EDITOR
+  USER_EDITOR,
+  USER_SECURITY,
 } from '../../utils/testQuery';
 import { ENTITY_TYPE_IDENTITY_ORGANIZATION } from '../../../src/modules/organization/organization-types';
 import { VIRTUAL_ORGANIZATION_ADMIN } from '../../../src/utils/access';
@@ -31,7 +32,7 @@ import {
   queryAsAdminWithSuccess,
   queryAsUserIsExpectedError,
   queryAsUserIsExpectedForbidden,
-  queryAsUserWithSuccess
+  queryAsUserWithSuccess,
 } from '../../utils/testQueryHelper';
 import { OPENCTI_ADMIN_UUID } from '../../../src/schema/general';
 import type { Capability, Member, UserAddInput } from '../../../src/generated/graphql';
@@ -307,7 +308,7 @@ describe('User resolver standard behavior', () => {
         user_confidence_level: {
           max_confidence: 50,
           overrides: [{ entity_type: 'Report', max_confidence: 80 }],
-        }
+        },
       },
     };
     const user2 = await adminQuery({
@@ -432,7 +433,7 @@ describe('User resolver standard behavior', () => {
       query: UPDATE_QUERY,
       variables: {
         id: userInternalId,
-        input: { key: 'user_confidence_level', value: { max_confidence: 33, overrides: [] } }
+        input: { key: 'user_confidence_level', value: { max_confidence: 33, overrides: [] } },
       },
     });
     expect(queryResult.data.userEdit.fieldPatch.user_confidence_level.max_confidence).toEqual(33);
@@ -480,7 +481,7 @@ describe('User resolver standard behavior', () => {
         group_confidence_level: {
           max_confidence: 60,
           overrides: [],
-        }
+        },
       },
     };
     const group = await adminQuery({
@@ -543,7 +544,7 @@ describe('User resolver standard behavior', () => {
       query: UPDATE_QUERY,
       variables: {
         id: userInternalId,
-        input: { key: 'user_confidence_level', value: [null] }
+        input: { key: 'user_confidence_level', value: [null] },
       },
     });
     const { userEdit } = queryResult.data;
@@ -748,6 +749,7 @@ describe('User list members query behavior', () => {
   it('Should user lists all members', async () => {
     const queryResult = await editorQuery({ query: LIST_MEMBERS_QUERY });
     const usersEdges = queryResult.data.members.edges as { node: Member }[];
+    expect(usersEdges.map((n) => n.node)).toEqual('test');
     expect(usersEdges.length).toEqual(25);
     expect(usersEdges.filter(({ node: { entity_type } }) => entity_type === ENTITY_TYPE_USER).length).toEqual(TESTING_USERS.length + 1); // +1 = Plus admin user
     expect(usersEdges.filter(({ node: { entity_type } }) => entity_type === ENTITY_TYPE_GROUP).length).toEqual(entitiesCounter.Group);
@@ -796,7 +798,7 @@ describe('User has no capability query behavior', () => {
       query: GROUP_UPDATE_QUERY,
       variables: {
         id: 'group--a7991a4f-6192-59a4-87d3-d006d2c41cc8',
-        input: { key: 'default_assignation', value: [false] }
+        input: { key: 'default_assignation', value: [false] },
       },
     });
     // Create the user
@@ -829,7 +831,7 @@ describe('User has no capability query behavior', () => {
       query: GROUP_UPDATE_QUERY,
       variables: {
         id: 'group--a7991a4f-6192-59a4-87d3-d006d2c41cc8',
-        input: { key: 'default_assignation', value: [true] }
+        input: { key: 'default_assignation', value: [true] },
       },
     });
   });
@@ -979,6 +981,18 @@ describe('User has no settings capability and is organization admin query behavi
     });
     expect(queryResult.data.userEdit.fieldPatch.account_status).toEqual('Inactive');
   });
+  it('should not update user with no organization', async () => {
+    await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
+      query: UPDATE_QUERY,
+      variables: { id: ADMIN_USER.id, input: { key: 'account_status', value: ['Inactive'] } },
+    });
+  });
+  it('should not update user from an other organization', async () => {
+    await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
+      query: UPDATE_QUERY,
+      variables: { id: USER_SECURITY.id, input: { key: 'account_status', value: ['Inactive'] } },
+    });
+  });
   it('should not add organization to user if not admin', async () => {
     platformOrganizationId = await getOrganizationIdByName(PLATFORM_ORGANIZATION.name);
     await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
@@ -989,6 +1003,15 @@ describe('User has no settings capability and is organization admin query behavi
       },
     });
   });
+  it('should not add organization to user if user is not in its own organization', async () => {
+    await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
+      query: ORGANIZATION_ADD_QUERY,
+      variables: {
+        id: ADMIN_USER.id,
+        organizationId: testOrganizationId,
+      },
+    });
+  });
   it('should administrate more than 1 organization', async () => {
     // Need to add granted_groups to PLATFORM_ORGANIZATION because of line 533 in domain/user.js
     const grantableGroupQueryResult = await adminQuery({
@@ -1087,7 +1110,7 @@ describe('meUser specific resolvers', async () => {
       password: USER_EDITOR.password,
       input: [
         { key: 'language', value: 'fr-fr' },
-      ]
+      ],
     };
     const queryResult = await queryAsUserWithSuccess(USER_EDITOR.client, {
       query: ME_EDIT,
@@ -1100,7 +1123,7 @@ describe('meUser specific resolvers', async () => {
       password: USER_EDITOR.password,
       input: [
         { key: 'api_token', value: 'd434ce02-e58e-4cac-8b4c-42bf16748e84' },
-      ]
+      ],
     };
     await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
       query: ME_EDIT,
@@ -1113,7 +1136,7 @@ describe('meUser specific resolvers', async () => {
       input: [
         { key: 'language', value: 'en-us' },
         { key: 'theme', value: 'dark' },
-      ]
+      ],
     };
     const queryResult = await queryAsUserWithSuccess(USER_EDITOR.client, {
       query: ME_EDIT,
@@ -1127,7 +1150,7 @@ describe('meUser specific resolvers', async () => {
       input: [
         { key: 'language', value: 'fr-fr' },
         { key: 'api_token', value: 'd434ce02-e58e-4cac-8b4c-42bf16748e84' },
-      ]
+      ],
     };
     await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
       query: ME_EDIT,
@@ -1139,7 +1162,7 @@ describe('meUser specific resolvers', async () => {
       password: 'incorrect_current_password',
       input: [
         { key: 'password', value: 'new_password' },
-      ]
+      ],
     };
     await queryAsUserIsExpectedError(USER_EDITOR.client, {
       query: ME_EDIT,
@@ -1241,7 +1264,7 @@ describe('Service account User coverage', async () => {
       query: UPDATE_QUERY,
       variables: {
         id: userInternalId,
-        input: { key: 'user_service_account', value: [false] }
+        input: { key: 'user_service_account', value: [false] },
       },
     });
     const { userEdit } = queryResult.data;
@@ -1255,7 +1278,7 @@ describe('Service account User coverage', async () => {
       query: UPDATE_QUERY,
       variables: {
         id: userInternalId,
-        input: [{ key: 'user_service_account', value: [true] }, { key: 'password', value: ['toto'] }]
+        input: [{ key: 'user_service_account', value: [true] }, { key: 'password', value: ['toto'] }],
       },
     });
     const { userEdit } = queryResult.data;
@@ -1269,7 +1292,7 @@ describe('Service account User coverage', async () => {
       query: UPDATE_QUERY,
       variables: {
         id: userInternalId,
-        input: [{ key: 'password', value: ['toto'] }]
+        input: [{ key: 'password', value: ['toto'] }],
       },
     }, 'Cannot update password for Service account');
   });

Original file line number	Diff line number	Diff line change
`@@ -534,7 +534,7 @@ const loadUserToUpdateWithAccessCheck = async (context, user, userId) => {`
`534`	`534`	`// Check in an organization admin edits a user that's not in its administrated organizations`
`535`	`535`	`if (isOnlyOrgaAdmin(user)) {`
`536`	`536`	`const myAdministratedOrganizationsIds = user.administrated_organizations.map((orga) => orga.id);`
`537`		`- if (!userToUpdate[RELATION_PARTICIPATE_TO].find((orga) => myAdministratedOrganizationsIds.includes(orga))) {`
	`537`	`+ if (!userToUpdate[RELATION_PARTICIPATE_TO]?.find((orga) => myAdministratedOrganizationsIds.includes(orga))) {`
`538`	`538`	`throw ForbiddenAccess();`
`539`	`539`	`}`
`540`	`540`	`} else {`