fix: allow admin to change their password

ufosc · Sep 17, 2023 · c98ccef · c98ccef
1 parent a38cef3
commit c98ccef
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/routes/users.js b/routes/users.js
@@ -119,10 +119,10 @@ router.put('/:id', async (req, res, next) => {
     }
   }
 
-  if (userExists.username === 'admin' && (
-    typeof req.body.username !== 'undefined' ||
-      typeof req.body.isAdmin !== 'undefined' ||
-      typeof req.body.role !== 'undefined')) {
+  if (userExists.username === 'admin' &&
+      ((typeof req.body.username !== 'undefined' && req.body.username !== 'admin') ||
+      (typeof req.body.isAdmin !== 'undefined' && req.body.isAdmin !== true) ||
+      (typeof req.body.role !== 'undefined' && req.body.role !== 'admin'))) {
     return res.status(401).send({ error: 'Modifying admin username or role is prohibited' })
   }
 

diff --git a/test/users.spec.js b/test/users.spec.js
@@ -258,12 +258,9 @@ describe('Users Route', () => {
     })
 
     it('Returns an error if user tries to change username to admin', async () => {
-      let users = await helper.get('/api/users/')
-      users = JSON.parse(users.text)
-      const userID = users[0]._id
-
-      const resp = await helper.put(`/api/users/${userID}`, { username: 'admin' })
-      expect(resp.status).to.equal(401)
+      const user = await UserModel.findOne({ username: { $ne: 'admin' } })
+      const resp = await helper.put(`/api/users/${user.id}`, { username: 'admin' })
+      expect(resp.status).to.equal(400)
     })
 
     it('Returns an error if user tries to claim an existing username', async () => {