Disallow users from deleting themselves

iansltx · iansltx · commit ab054a860203 · 2019-02-06T15:40:11.000-06:00
We didn't display this in the web UI, and we shouldn't have the API
loophole if we're serious about folks not being able to disappear on
their own.
diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
@@ -393,7 +393,7 @@ public function deleteUser(Request $request, PDO $db)
 
         $user_mapper = $this->getUserMapper($db, $request);
 
-        $is_admin = $user_mapper->thisUserHasAdminOn($user_id);
+        $is_admin = $user_mapper->isSiteAdmin($user_id);
         if (! $is_admin) {
             throw new Exception("You do not have permission to do that", 403);
         }
diff --git a/tests/controllers/UsersControllerTest.php b/tests/controllers/UsersControllerTest.php
@@ -50,7 +50,7 @@ public function testDeleteUserWithNonAdminIdThrowsException()
 
         $userMapper
             ->expects($this->once())
-            ->method('thisUserHasAdminOn')
+            ->method('isSiteAdmin')
             ->will($this->returnValue(false));
 
         $usersController->setUserMapper($userMapper);
@@ -67,7 +67,7 @@ public function testDeleteUserWithNonAdminIdThrowsException()
      * @expectedException        \Exception
      * @expectedExceptionMessage There was a problem trying to delete the user
      */
-    public function testDeleteUserWithAdminAccessThowsExceptionOnFailedDelete()
+    public function testDeleteUserWithAdminAccessThrowsExceptionOnFailedDelete()
     {
         $request = new \Request([], ['REQUEST_URI' => "http://api.dev.joind.in/v2.1/users/3", 'REQUEST_METHOD' => 'DELETE']);
         $request->user_id = 1;
@@ -82,7 +82,7 @@ public function testDeleteUserWithAdminAccessThowsExceptionOnFailedDelete()
 
         $userMapper
             ->expects($this->once())
-            ->method('thisUserHasAdminOn')
+            ->method('isSiteAdmin')
             ->will($this->returnValue(true));
 
         $userMapper
@@ -101,7 +101,7 @@ public function testDeleteUserWithAdminAccessThowsExceptionOnFailedDelete()
      *
      * @return void
      */
-    public function testDeleteUserWithAdminAccessDeletesSuccesfully()
+    public function testDeleteUserWithAdminAccessDeletesSuccessfully()
     {
         $request = new \Request([], ['REQUEST_URI' => "http://api.dev.joind.in/v2.1/users/3", 'REQUEST_METHOD' => 'DELETE']);
         $request->user_id = 1;
@@ -116,7 +116,7 @@ public function testDeleteUserWithAdminAccessDeletesSuccesfully()
 
         $userMapper
             ->expects($this->once())
-            ->method('thisUserHasAdminOn')
+            ->method('isSiteAdmin')
             ->will($this->returnValue(true));
 
         $userMapper

Original file line number	Diff line number	Diff line change
`@@ -393,7 +393,7 @@ public function deleteUser(Request $request, PDO $db)`
`393`	`393`
`394`	`394`	`$user_mapper = $this->getUserMapper($db, $request);`
`395`	`395`
`396`		`- $is_admin = $user_mapper->thisUserHasAdminOn($user_id);`
	`396`	`+ $is_admin = $user_mapper->isSiteAdmin($user_id);`
`397`	`397`	`if (! $is_admin) {`
`398`	`398`	`throw new Exception("You do not have permission to do that", 403);`
`399`	`399`	`}`