Merge pull request #306 from systemli/Ensure-only-admins-can-change-d…

…omain-on-tickers 🔒️Ensure only admins can change domain on tickers
systemli · Apr 28, 2024 · 84d3958 · 84d3958
2 parents ced6edc + a9b045e
commit 84d3958
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/internal/api/tickers.go b/internal/api/tickers.go
@@ -360,7 +360,10 @@ func updateTicker(t *storage.Ticker, c *gin.Context) error {
 		return err
 	}
 
-	t.Domain = body.Domain
+	me, _ := helper.Me(c)
+	if me.IsSuperAdmin {
+		t.Domain = body.Domain
+	}
 	t.Title = body.Title
 	t.Description = body.Description
 	t.Active = body.Active

diff --git a/internal/api/tickers_test.go b/internal/api/tickers_test.go
@@ -181,8 +181,26 @@ func (s *TickerTestSuite) TestPutTicker() {
 		s.store.AssertExpectations(s.T())
 	})
 
+	s.Run("user tries to update the domain", func() {
+		s.ctx.Set("ticker", storage.Ticker{Domain: "localhost"})
+		s.cache.Set("response:localhost:/v1/init", true, time.Minute)
+		s.ctx.Set("me", storage.User{IsSuperAdmin: false})
+		body := `{"domain":"new_domain","title":"title","description":"description"}`
+		s.ctx.Request = httptest.NewRequest(http.MethodPut, "/v1/admin/tickers/1", strings.NewReader(body))
+		s.ctx.Request.Header.Add("Content-Type", "application/json")
+		ticker := &storage.Ticker{Domain: "localhost", Title: "title", Description: "description"}
+		s.store.On("SaveTicker", ticker).Return(nil).Once()
+		h := s.handler()
+		h.PutTicker(s.ctx)
+
+		s.Equal(http.StatusOK, s.w.Code)
+		s.Nil(s.cache.Get("response:localhost:/v1/init"))
+		s.store.AssertExpectations(s.T())
+	})
+
 	s.Run("happy path", func() {
 		s.ctx.Set("ticker", storage.Ticker{})
+		s.ctx.Set("me", storage.User{IsSuperAdmin: true})
 		s.cache.Set("response:localhost:/v1/init", true, time.Minute)
 		body := `{"domain":"localhost","title":"title","description":"description"}`
 		s.ctx.Request = httptest.NewRequest(http.MethodPut, "/v1/admin/tickers/1", strings.NewReader(body))