Fix non-owner not able to delete their membership

2024-09-29 08:51:28 +13:00 · 2021-12-07 00:01:09 -08:00 · 2021-12-07 00:01:09 -08:00 · 88f43c32a4
commit 88f43c32a4
parent fb2ec0355a
2 changed files with 73 additions and 7 deletions
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@ -16,6 +16,7 @@ use Utopia\Validator\ArrayList;
 use Utopia\Validator\WhiteList;
 use Utopia\Database\Database;
 use Utopia\Database\Document;
+use Utopia\Database\Exception\Authorization as AuthorizationException;
 use Utopia\Database\Exception\Duplicate;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
@ -761,7 +762,11 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
            throw new Exception('Team not found', 404);
        }

-        if (!$dbForProject->deleteDocument('memberships', $membership->getId())) {
+        try {
+            $dbForProject->deleteDocument('memberships', $membership->getId());
+        } catch (AuthorizationException $exception) {
+            throw new Exception('Unauthorized permissions', 401);
+        } catch (\Exception $exception) {
            throw new Exception('Failed to remove membership from DB', 500);
        }

@ -782,7 +787,7 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')

        if ($membership->getAttribute('confirm')) { // Count only confirmed members
            $team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0));
-            $team = $dbForProject->updateDocument('teams', $team->getId(), $team);
+            Authorization::skip(fn() => $dbForProject->updateDocument('teams', $team->getId(), $team));
        }

        $audits
--- a/tests/e2e/Services/Teams/TeamsBaseClient.php
+++ b/tests/e2e/Services/Teams/TeamsBaseClient.php
@ -391,11 +391,75 @@ trait TeamsBaseClient
    {
        $teamUid = $data['teamUid'] ?? '';
        $membershipUid = $data['membershipUid'] ?? '';
+        $session = $data['session'] ?? '';
+
+        $response = $this->client->call(Client::METHOD_GET, '/teams/'.$teamUid.'/memberships', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()));
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+        $this->assertEquals(2, $response['body']['sum']);
        
+        $ownerMembershipUid = $response['body']['memberships'][0]['$id'];
+
+        /**
+         * Test for FAILURE
+         */
+
+        /**
+         * Test deleting a membership that does not exists
+         */
+        $response = $this->client->call(Client::METHOD_DELETE, '/teams/'.$teamUid.'/memberships/dne', [
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'='.$session,
+        ]);
+        
+        $this->assertEquals(404, $response['headers']['status-code']);
+
+        /**
+         * Test deleting another user's membership
+         */
+        $response = $this->client->call(Client::METHOD_DELETE, '/teams/'.$teamUid.'/memberships/'.$ownerMembershipUid, [
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'='.$session,
+        ]);
+        
+        $this->assertEquals(401, $response['headers']['status-code']);
+
        /**
         * Test for SUCCESS
         */
-        $response = $this->client->call(Client::METHOD_DELETE, '/teams/'.$teamUid.'/memberships/'.$membershipUid, array_merge([
+
+        /**
+         * Test for when a user other than the owner tries to delete their membership
+         */
+        $response = $this->client->call(Client::METHOD_DELETE, '/teams/'.$teamUid.'/memberships/'.$membershipUid, [
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'='.$session,
+        ]);
+        
+        $this->assertEquals(204, $response['headers']['status-code']);
+        $this->assertEmpty($response['body']);
+
+        $response = $this->client->call(Client::METHOD_GET, '/teams/'.$teamUid.'/memberships', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()));
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+        $this->assertEquals(1, $response['body']['sum']);
+
+        /**
+         * Test for when the owner tries to delete their membership
+         */
+        $response = $this->client->call(Client::METHOD_DELETE, '/teams/'.$teamUid.'/memberships/'.$ownerMembershipUid, array_merge([
            'origin' => 'http://localhost',
            'content-type' => 'application/json',
            'x-appwrite-project' => $this->getProject()['$id'],
@ -404,10 +468,7 @@ trait TeamsBaseClient
        $this->assertEquals(204, $response['headers']['status-code']);
        $this->assertEmpty($response['body']);

-        /**
-         * Test for FAILURE
-         */
-        $response = $this->client->call(Client::METHOD_GET, '/teams/'.$teamUid.'/memberships/'.$membershipUid, array_merge([
+        $response = $this->client->call(Client::METHOD_GET, '/teams/'.$teamUid.'/memberships/'.$ownerMembershipUid, array_merge([
            'origin' => 'http://localhost',
            'content-type' => 'application/json',
            'x-appwrite-project' => $this->getProject()['$id'],