http: GET/PATCH /api/users/{id} with last-admin guard
@@ -104,3 +104,73 @@ func TestAPIUserCreateRejectsDuplicateEnabled(t *testing.T) {
|
||||
t.Errorf("status: got %d want 409", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAPIUserGet(t *testing.T) {
|
||||
t.Parallel()
|
||||
srv, ts, _ := rawTestServerWithUI(t)
|
||||
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
||||
target := makeUser(t, srv, "carol", store.RoleViewer)
|
||||
cookie := loginAs(t, srv, adminID)
|
||||
|
||||
req, _ := stdhttp.NewRequest("GET", ts.URL+"/api/users/"+target, nil)
|
||||
req.AddCookie(cookie)
|
||||
res, err := stdhttp.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("GET: %v", err)
|
||||
}
|
||||
defer res.Body.Close()
|
||||
if res.StatusCode != stdhttp.StatusOK {
|
||||
t.Errorf("status: got %d", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAPIUserPatchRoleAndEmail(t *testing.T) {
|
||||
t.Parallel()
|
||||
srv, ts, _ := rawTestServerWithUI(t)
|
||||
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
||||
target := makeUser(t, srv, "carol", store.RoleViewer)
|
||||
cookie := loginAs(t, srv, adminID)
|
||||
|
||||
body, _ := json.Marshal(map[string]any{
|
||||
"role": "operator", "email": "carol@example.com",
|
||||
})
|
||||
req, _ := stdhttp.NewRequest("PATCH", ts.URL+"/api/users/"+target, bytes.NewReader(body))
|
||||
req.AddCookie(cookie)
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
res, err := stdhttp.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("PATCH: %v", err)
|
||||
}
|
||||
defer res.Body.Close()
|
||||
if res.StatusCode != stdhttp.StatusOK {
|
||||
body, _ := io.ReadAll(res.Body)
|
||||
t.Errorf("status: got %d body=%s", res.StatusCode, body)
|
||||
}
|
||||
got, _ := srv.deps.Store.GetUserByID(t.Context(), target)
|
||||
if got.Role != store.RoleOperator {
|
||||
t.Errorf("role: got %q", got.Role)
|
||||
}
|
||||
if got.Email == nil || *got.Email != "carol@example.com" {
|
||||
t.Errorf("email: got %v", got.Email)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAPIUserPatchRejectsLastAdminDemote(t *testing.T) {
|
||||
t.Parallel()
|
||||
srv, ts, _ := rawTestServerWithUI(t)
|
||||
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
||||
cookie := loginAs(t, srv, adminID)
|
||||
|
||||
body, _ := json.Marshal(map[string]any{"role": "viewer"})
|
||||
req, _ := stdhttp.NewRequest("PATCH", ts.URL+"/api/users/"+adminID, bytes.NewReader(body))
|
||||
req.AddCookie(cookie)
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
res, err := stdhttp.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("PATCH: %v", err)
|
||||
}
|
||||
defer res.Body.Close()
|
||||
if res.StatusCode != stdhttp.StatusConflict {
|
||||
t.Errorf("status: got %d want 409", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
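Review bot: No test covers a non-admin or unauthenticated caller on the new GET/PATCH /api/users/{id} routes; all three added tests log in as `admin1`, so a regression that lets a viewer PATCH their own `role` would still pass this suite. The handler is not visible in this section, so whether it enforces the admin check cannot be judged from here; a negative test along the lines below would pin it. The expected status in that test is an assumption and should follow the API's existing convention. Separately, TestAPIUserPatchRejectsLastAdminDemote asserts only the 409 and would be stronger if it re-read `adminID` from the store and checked the role is still `store.RoleAdmin`. In TestAPIUserPatchRoleAndEmail, `got, _ := srv.deps.Store.GetUserByID(...)` discards the error, so a failed lookup shows up as a confusing failure on `got.Role` rather than a clear `t.Fatalf`.

```go
func TestAPIUserPatchRejectsNonAdmin(t *testing.T) {
	t.Parallel()
	srv, ts, _ := rawTestServerWithUI(t)
	makeUser(t, srv, "admin1", store.RoleAdmin)
	viewerID := makeUser(t, srv, "carol", store.RoleViewer)
	cookie := loginAs(t, srv, viewerID)

	body, _ := json.Marshal(map[string]any{"role": "admin"})
	req, _ := stdhttp.NewRequest("PATCH", ts.URL+"/api/users/"+viewerID, bytes.NewReader(body))
	req.AddCookie(cookie)
	req.Header.Set("Content-Type", "application/json")
	res, err := stdhttp.DefaultClient.Do(req)
	if err != nil {
		t.Fatalf("PATCH: %v", err)
	}
	defer res.Body.Close()
	// Assumed status; use whatever the API returns for an under-privileged caller.
	if res.StatusCode != stdhttp.StatusForbidden {
		t.Errorf("status: got %d want 403", res.StatusCode)
	}
	// The stored role must be unchanged regardless of the status code returned.
	got, err := srv.deps.Store.GetUserByID(t.Context(), viewerID)
	if err != nil {
		t.Fatalf("GetUserByID: %v", err)
	}
	if got.Role != store.RoleViewer {
		t.Errorf("role: got %q want viewer", got.Role)
	}
}
```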