	fix: cant join system groups
		| @@ -70,7 +70,7 @@ Groups.join = async (req, res) => { | |||||||
|  |  | ||||||
| 	if (!res.locals.privileges.isAdmin) { | 	if (!res.locals.privileges.isAdmin) { | ||||||
| 		// Admin and privilege groups unjoinable client-side | 		// Admin and privilege groups unjoinable client-side | ||||||
| 		if (group.name === 'administrators' || groups.isPrivilegeGroup(group.name)) { | 		if (groups.systemGroups.includes(group.name) || groups.isPrivilegeGroup(group.name)) { | ||||||
| 			throw new Error('[[error:not-allowed]]'); | 			throw new Error('[[error:not-allowed]]'); | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
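Review bot: The comment above the changed condition still reads "Admin and privilege groups" although the guard now rejects every name in `groups.systemGroups`; it should become `// System and privilege groups unjoinable client-side`. The identical condition is repeated in SocketGroups.join (the socket handler hunk further down), so one shared predicate in the groups module, called from both entry points, would stop the two authorization checks from drifting apart. The match is an exact, case-sensitive `includes` on `group.name`, and whether the lookup earlier in Groups.join already normalises that name is outside this hunk, so that is worth confirming. The function body starts above and continues below the hunk.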
|   | |||||||
| @@ -38,9 +38,9 @@ Groups.getEphemeralGroup = function (groupName) { | |||||||
| 		name: groupName, | 		name: groupName, | ||||||
| 		slug: slugify(groupName), | 		slug: slugify(groupName), | ||||||
| 		description: '', | 		description: '', | ||||||
| 		deleted: '0', | 		deleted: 0, | ||||||
| 		hidden: '0', | 		hidden: 0, | ||||||
| 		system: '1', | 		system: 1, | ||||||
| 	}; | 	}; | ||||||
| }; | }; | ||||||
|  |  | ||||||
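Review bot: Changing `deleted`, `hidden` and `system` from strings to numbers alters the type every consumer of an ephemeral group sees, and none of those consumers are visible in this hunk. Any remaining strict comparison such as `=== '1'` would now silently evaluate to false, which for `system` would mean an ephemeral group is no longer recognised as a system group. It is worth checking the call sites for string comparisons on these three fields and adding a short comment here, for example `// numeric flags, same shape as parsed group records` (this assumes stored groups are parsed to numbers on read, which should be confirmed). Groups.getEphemeralGroup starts above the hunk.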
|   | |||||||
| @@ -30,7 +30,7 @@ SocketGroups.join = async (socket, data) => { | |||||||
| 		throw new Error('[[error:invalid-group-name]]'); | 		throw new Error('[[error:invalid-group-name]]'); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if (data.groupName === 'administrators' || groups.isPrivilegeGroup(data.groupName)) { | 	if (groups.systemGroups.includes(data.groupName) || groups.isPrivilegeGroup(data.groupName)) { | ||||||
| 		throw new Error('[[error:not-allowed]]'); | 		throw new Error('[[error:not-allowed]]'); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|   | |||||||
| @@ -48,6 +48,16 @@ describe('Groups', function () { | |||||||
| 					disableLeave: 1, | 					disableLeave: 1, | ||||||
| 				}); | 				}); | ||||||
| 			}, | 			}, | ||||||
|  | 			async () => { | ||||||
|  | 				await Groups.create({ | ||||||
|  | 					name: 'Global Moderators', | ||||||
|  | 					userTitle: 'Global Moderator', | ||||||
|  | 					description: 'Forum wide moderators', | ||||||
|  | 					hidden: 0, | ||||||
|  | 					private: 1, | ||||||
|  | 					disableJoinRequests: 1, | ||||||
|  | 				}); | ||||||
|  | 			}, | ||||||
| 			function (next) { | 			function (next) { | ||||||
| 				// Create a new user | 				// Create a new user | ||||||
| 				User.create({ | 				User.create({ | ||||||
| @@ -72,8 +82,8 @@ describe('Groups', function () { | |||||||
| 			}, | 			}, | ||||||
| 		], function (err, results) { | 		], function (err, results) { | ||||||
| 			assert.ifError(err); | 			assert.ifError(err); | ||||||
| 			testUid = results[4]; | 			testUid = results[5]; | ||||||
| 			adminUid = results[5]; | 			adminUid = results[6]; | ||||||
| 			Groups.join('administrators', adminUid, done); | 			Groups.join('administrators', adminUid, done); | ||||||
| 		}); | 		}); | ||||||
| 	}); | 	}); | ||||||
| @@ -699,6 +709,29 @@ describe('Groups', function () { | |||||||
| 				}); | 				}); | ||||||
| 			}); | 			}); | ||||||
| 		}); | 		}); | ||||||
|  |  | ||||||
|  | 		it('should fail to add user to system group', async function () { | ||||||
|  | 			const uid = await User.create({ username: 'eviluser' }); | ||||||
|  | 			const oldValue = meta.config.allowPrivateGroups; | ||||||
|  | 			meta.config.allowPrivateGroups = 0; | ||||||
|  | 			async function test(groupName) { | ||||||
|  | 				let err; | ||||||
|  | 				try { | ||||||
|  | 					await socketGroups.join({ uid: uid }, { groupName: groupName }); | ||||||
|  | 					const isMember = await Groups.isMember(uid, groupName); | ||||||
|  | 					assert.strictEqual(isMember, false); | ||||||
|  | 				} catch (_err) { | ||||||
|  | 					err = _err; | ||||||
|  | 				} | ||||||
|  | 				assert.strictEqual(err.message, '[[error:not-allowed]]'); | ||||||
|  | 			} | ||||||
|  | 			const groups = ['Global Moderators', 'verified-users', 'unverified-users']; | ||||||
|  | 			for (const g of groups) { | ||||||
|  | 				// eslint-disable-next-line no-await-in-loop | ||||||
|  | 				await test(g); | ||||||
|  | 			} | ||||||
|  | 			meta.config.allowPrivateGroups = oldValue; | ||||||
|  | 		}); | ||||||
| 	}); | 	}); | ||||||
|  |  | ||||||
| 	describe('.leave()', function () { | 	describe('.leave()', function () { | ||||||
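Review bot: The `test` helper in the new 'should fail to add user to system group' case never verifies membership on the path it is meant to cover: when `socketGroups.join` rejects, the `isMember` assertion inside the `try` is skipped, and when it resolves, `err` stays undefined so `err.message` fails with a TypeError instead of a clear assertion. `meta.config.allowPrivateGroups` is restored only after the loop succeeds, so a failing assertion leaves it at 0 for later tests. The version below uses `assert.rejects`, checks `Groups.isMember` after the rejection, and restores the config in a `finally`. Only the socket path is exercised, so the REST controller guard changed in this commit has no matching test on this page.

```javascript
		it('should fail to add user to system group', async function () {
			const uid = await User.create({ username: 'eviluser' });
			const oldValue = meta.config.allowPrivateGroups;
			meta.config.allowPrivateGroups = 0;
			try {
				for (const groupName of ['Global Moderators', 'verified-users', 'unverified-users']) {
					// eslint-disable-next-line no-await-in-loop
					await assert.rejects(
						socketGroups.join({ uid: uid }, { groupName: groupName }),
						{ message: '[[error:not-allowed]]' }
					);
					// The rejected request must not have changed membership.
					// eslint-disable-next-line no-await-in-loop
					assert.strictEqual(await Groups.isMember(uid, groupName), false);
				}
			} finally {
				// Restore even when an assertion fails so later tests see the original setting.
				meta.config.allowPrivateGroups = oldValue;
			}
		});
```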
|   | |||||||