fix: filter email from user endopints

sidemt · sidemt · commit c4d11bd970ed · 2024-01-30T22:54:17.000+09:00
diff --git a/apps/backend/src/protected-populate/index.json b/apps/backend/src/protected-populate/index.json
@@ -21,7 +21,7 @@
         ],
         "populate": {
           "feature_image": {
-            "fields": ["url", "id"],
+            "fields": ["url", "id", "formats"],
             "populate": {}
           },
           "tags": {
@@ -110,7 +110,7 @@
         ],
         "populate": {
           "feature_image": {
-            "fields": ["url", "id"]
+            "fields": ["url", "id", "formats"]
           },
           "tags": {
             "fields": [
@@ -171,7 +171,7 @@
         ],
         "populate": {
           "feature_image": {
-            "fields": ["url", "id"],
+            "fields": ["url", "id", "formats"],
             "populate": {}
           },
           "tags": {
@@ -260,7 +260,7 @@
         ],
         "populate": {
           "feature_image": {
-            "fields": ["url", "id"]
+            "fields": ["url", "id", "formats"]
           },
           "tags": {
             "fields": [
@@ -684,5 +684,131 @@
         ]
       }
     }
+  },
+  "GET /api/users": {
+    "content-type": "plugin::users-permissions.user",
+    "roles": {
+      "contributor": {
+        "fields": [
+          "provider",
+          "confirmed",
+          "blocked",
+          "slug",
+          "name",
+          "bio",
+          "website",
+          "location",
+          "facebook",
+          "twitter",
+          "last_seen",
+          "ghost_id",
+          "status",
+          "createdAt",
+          "updatedAt",
+          "id"
+        ],
+        "populate": {
+          "role": {
+            "fields": ["name", "type", "id", "description"]
+          },
+          "profile_image": {
+            "fields": ["url"]
+          }
+        }
+      },
+      "authenticated": {
+        "fields": [
+          "email",
+          "provider",
+          "confirmed",
+          "blocked",
+          "slug",
+          "name",
+          "bio",
+          "website",
+          "location",
+          "facebook",
+          "twitter",
+          "last_seen",
+          "ghost_id",
+          "status",
+          "createdAt",
+          "updatedAt",
+          "id"
+        ],
+        "populate": {
+          "profile_image": {
+            "fields": ["url"]
+          },
+          "role": {
+            "fields": ["name", "description", "type", "id"]
+          }
+        }
+      },
+      "public": {}
+    }
+  },
+  "GET /api/users/:id": {
+    "content-type": "plugin::users-permissions.user",
+    "roles": {
+      "contributor": {
+        "fields": [
+          "provider",
+          "confirmed",
+          "blocked",
+          "slug",
+          "name",
+          "bio",
+          "website",
+          "location",
+          "facebook",
+          "twitter",
+          "last_seen",
+          "ghost_id",
+          "status",
+          "createdAt",
+          "updatedAt",
+          "id"
+        ],
+        "populate": {
+          "role": {
+            "fields": ["name", "type", "id", "description"]
+          },
+          "profile_image": {
+            "fields": ["url"]
+          }
+        }
+      },
+      "authenticated": {
+        "fields": [
+          "email",
+          "provider",
+          "confirmed",
+          "blocked",
+          "slug",
+          "name",
+          "bio",
+          "website",
+          "location",
+          "facebook",
+          "twitter",
+          "last_seen",
+          "ghost_id",
+          "status",
+          "createdAt",
+          "updatedAt",
+          "id"
+        ],
+        "populate": {
+          "profile_image": {
+            "fields": ["url"]
+          },
+          "role": {
+            "fields": ["name", "description", "type", "id"]
+          }
+        }
+      },
+      "public": {}
+    }
   }
 }
diff --git a/apps/backend/tests/user/index.js b/apps/backend/tests/user/index.js
@@ -3,6 +3,8 @@ const {
   deleteUser,
   getUserByRole,
   getAllRoles,
+  getUser,
+  getUserJWT,
 } = require("../helpers/helpers");
 
 // user mock data
@@ -15,6 +17,15 @@ const mockUserData = {
   blocked: null,
 };
 
+let contributorJWT = "";
+let editorJWT = "";
+
+beforeAll(async () => {
+  // Prepare user token
+  contributorJWT = await getUserJWT("contributor-user");
+  editorJWT = await getUserJWT("editor-user");
+});
+
 describe("user", () => {
   // Example test taken from https://docs.strapi.io/dev-docs/testing
   // This test should pass if the test environment is set up properly
@@ -55,4 +66,72 @@ describe("user", () => {
       });
     }
   });
+
+  describe("Contributors getting user data", () => {
+    // Due to Strapi's permission system, if we desable the /users or /users/:id endpoint,
+    // it will also disable population of the user data in other endpoints.
+    // (e.g. /posts?populate[0]=author)
+    // Therefore, we are filtering out the email field in the response
+    // instead of disabling the entire endpoint.
+
+    it("GET /users should not return email to contributors", async () => {
+      const response = await request(strapi.server.httpServer)
+        .get(`/api/users`)
+        .set("Content-Type", "application/json")
+        .set("Authorization", `Bearer ${contributorJWT}`)
+        .send();
+
+      expect(response.status).toBe(200);
+      // check that email and username are not present in the response
+      expect(response.body.every((user) => !user.email && !user.username)).toBe(
+        true,
+      );
+    });
+
+    it("GET /users/:id should not return email to contributors", async () => {
+      const editorUser = await getUser("editor-user");
+
+      const response = await request(strapi.server.httpServer)
+        .get(`/api/users/${editorUser.id}`)
+        .set("Content-Type", "application/json")
+        .set("Authorization", `Bearer ${contributorJWT}`)
+        .send();
+
+      expect(response.status).toBe(200);
+
+      // check that email and username are not present in the response
+      expect(response.body).not.toHaveProperty("email");
+      expect(response.body).not.toHaveProperty("username");
+    });
+  });
+
+  describe("Editors getting user data", () => {
+    it("GET /users should return email to editors", async () => {
+      const response = await request(strapi.server.httpServer)
+        .get(`/api/users`)
+        .set("Content-Type", "application/json")
+        .set("Authorization", `Bearer ${editorJWT}`)
+        .send();
+
+      expect(response.status).toBe(200);
+      expect(response.body.every((user) => user.email && !user.username)).toBe(
+        true,
+      );
+    });
+
+    it("GET /users/:id should return email to editors", async () => {
+      const contributorUser = await getUser("contributor-user");
+
+      const response = await request(strapi.server.httpServer)
+        .get(`/api/users/${contributorUser.id}`)
+        .set("Content-Type", "application/json")
+        .set("Authorization", `Bearer ${editorJWT}`)
+        .send();
+
+      expect(response.status).toBe(200);
+
+      expect(response.body).toHaveProperty("email");
+      expect(response.body).not.toHaveProperty("username");
+    });
+  });
 });
