FEATURE: do not allow moderators to export user list (#6418)

2024-11-22 11:44:49 +08:00 · 2018-09-21 09:07:13 +08:00 · 2018-09-21 09:07:13 +08:00 · 4bb980b9f7
commit 4bb980b9f7
parent 5f042a2c8d
4 changed files with 48 additions and 4 deletions
--- a/app/assets/javascripts/admin/templates/users-list.hbs
+++ b/app/assets/javascripts/admin/templates/users-list.hbs
@ -16,7 +16,9 @@
    {{#unless siteSettings.enable_sso}}
      {{d-button action="sendInvites" title="admin.invite.button_title" icon="user-plus" label="admin.invite.button_text"}}
    {{/unless}}
-    {{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
+    {{#if currentUser.admin}}
+      {{d-button action="exportUsers" title="admin.export_csv.button_title.user" icon="download" label="admin.export_csv.button_text"}}
+    {{/if}}
  </div>
    </ul>
  </nav>
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -357,7 +357,8 @@ class Guardian

  def can_export_entity?(entity)
    return false unless @user
-    return true if is_staff?
+    return true if is_admin?
+    return entity != 'user_list' if is_moderator?

    # Regular users can only export their archives
    return false unless entity == "user_archive"
--- a/spec/components/guardian_spec.rb
+++ b/spec/components/guardian_spec.rb
@ -2576,6 +2576,24 @@ describe Guardian do
    end
  end

+  describe '#can_export_entity?' do
+    let(:user_guardian) { Guardian.new(user) }
+    let(:moderator_guardian) { Guardian.new(moderator) }
+    let(:admin_guardian) { Guardian.new(admin) }
+
+    it 'only allows admins to export user_list' do
+      expect(user_guardian.can_export_entity?('user_list')).to be_falsey
+      expect(moderator_guardian.can_export_entity?('user_list')).to be_falsey
+      expect(admin_guardian.can_export_entity?('user_list')).to be_truthy
+    end
+
+    it 'allow moderators to export other admin entities' do
+      expect(user_guardian.can_export_entity?('staff_action')).to be_falsey
+      expect(moderator_guardian.can_export_entity?('staff_action')).to be_truthy
+      expect(admin_guardian.can_export_entity?('staff_action')).to be_truthy
+    end
+  end
+
  describe "#allow_themes?" do
    let(:theme) { Fabricate(:theme) }
    let(:theme2) { Fabricate(:theme) }
--- a/spec/requests/export_csv_controller_spec.rb
+++ b/spec/requests/export_csv_controller_spec.rb
@ -7,7 +7,7 @@ describe ExportCsvController do
    let(:user) { Fabricate(:user) }
    before { sign_in(user) }

-    describe ".export_entity" do
+    describe "#export_entity" do
      it "enqueues export job" do
        post "/export_csv/export_entity.json", params: { entity: "user_archive" }
        expect(response.status).to eq(200)
@ -46,7 +46,7 @@ describe ExportCsvController do
    let(:admin) { Fabricate(:admin) }
    before { sign_in(admin) }

-    describe ".export_entity" do
+    describe "#export_entity" do
      it "enqueues export job" do
        post "/export_csv/export_entity.json", params: { entity: "staff_action" }
        expect(response.status).to eq(200)
@ -78,4 +78,27 @@ describe ExportCsvController do
      end
    end
  end
+
+  context 'while logged in as a moderator' do
+    let(:moderator) { Fabricate(:moderator) }
+
+    before { sign_in(moderator) }
+
+    describe '#export_entity' do
+      it 'does not allow moderators to export user_list' do
+        post '/export_csv/export_entity.json', params: { entity: 'user_list' }
+        expect(response.status).to eq(403)
+      end
+
+      it 'allows moderator to export other entities' do
+        post "/export_csv/export_entity.json", params: { entity: 'staff_action' }
+        expect(response.status).to eq(200)
+        expect(Jobs::ExportCsvFile.jobs.size).to eq(1)
+
+        job_data = Jobs::ExportCsvFile.jobs.first['args'].first
+        expect(job_data['entity']).to eq('staff_action')
+        expect(job_data['user_id']).to eq(moderator.id)
+      end
+    end
+  end
 end