fix(regression): cannot delete users (#3746)

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
2024-11-24 06:08:15 +08:00 · 2023-02-24 18:22:12 +01:00 · 2023-02-24 18:22:12 +01:00 · fa30f4f250
commit fa30f4f250
parent 79a9b23096
2 changed files with 90 additions and 1 deletions
--- a/framework/core/src/Api/routes.php
+++ b/framework/core/src/Api/routes.php
@ -99,7 +99,7 @@ return function (RouteCollection $map, RouteHandlerFactory $route) {
    $map->delete(
        '/users/{id}',
        'users.delete',
-        $route->toController(Controller\DeleteAccessTokenController::class)
+        $route->toController(Controller\DeleteUserController::class)
    );

    // Upload avatar
--- a/framework/core/tests/integration/api/users/DeleteTest.php
+++ b/framework/core/tests/integration/api/users/DeleteTest.php
@ -0,0 +1,89 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace integration\api\users;
+
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Flarum\User\User;
+
+class DeleteTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->prepareDatabase([
+            'users' => [
+                $this->normalUser(),
+                ['id' => 3, 'username' => 'ken', 'is_email_confirmed' => 1],
+            ],
+            'group_user' => [
+                ['group_id' => 3, 'user_id' => 2],
+                ['group_id' => 3, 'user_id' => 3],
+            ]
+        ]);
+    }
+
+    /**
+     * @dataProvider authorizedUsersProvider
+     * @test
+     */
+    public function can_delete_user(int $actorId, int $userId)
+    {
+        $this->database()->table('group_permission')->insert([
+            'permission' => 'user.delete',
+            'group_id' => 3,
+        ]);
+
+        $response = $this->send(
+            $this->request('DELETE', "/api/users/$userId", [
+                'authenticatedAs' => $actorId,
+            ])
+        );
+
+        $this->assertEquals(204, $response->getStatusCode());
+        $this->assertNull(User::find($userId));
+    }
+
+    public function authorizedUsersProvider()
+    {
+        return [
+            'admin can delete user' => [1, 2],
+            'user with permission can delete self' => [2, 2],
+            'user with permission can delete other users' => [2, 3],
+        ];
+    }
+
+    /**
+     * @dataProvider unauthorizedUsersProvider
+     * @test
+     */
+    public function cannot_delete_user(int $actorId, int $userId)
+    {
+        $response = $this->send(
+            $this->request('DELETE', "/api/users/$userId", [
+                'authenticatedAs' => $actorId,
+            ])
+        );
+
+        $this->assertEquals(403, $response->getStatusCode());
+        $this->assertNotNull(User::find($userId));
+    }
+
+    public function unauthorizedUsersProvider()
+    {
+        return [
+            'user without permission cannot delete self' => [2, 2],
+            'user without permission cannot delete other users' => [2, 3],
+        ];
+    }
+}