fix(sharing): only item owner, group owner or group admin can unshare
Add additional clause limiting unsharing to item owner, group owner or group admin

AFFECTS PACKAGES:
@esri/arcgis-rest-portal
dbouwman committed Jan 24, 2020
1 parent 48b67e5 commit d264137
Showing 2 changed files with 71 additions and 7 deletions.
30 changes: 23 additions & 7 deletions packages/arcgis-rest-portal/src/sharing/group-sharing.ts
Expand Up @@ -103,14 +103,30 @@ function changeGroupSharing(
`This item can not be ${requestOptions.action}d by ${username} as they are not a member of the specified group ${requestOptions.groupId}.`
);
} else {
// they are some level of member or org-admin
// but only item owners can share/unshare items w/ shared editing groups
if (isSharedEditingGroup && itemOwner !== username) {
throw Error(
`This item can not be ${requestOptions.action}d to shared editing group ${requestOptions.groupId} by ${username} as they not the item owner.`
);
// ...they are some level of membership or org-admin

// if the current user does not own the item, we had more checks...
if (itemOwner !== username) {
// only item owners can share/unshare items w/ shared editing groups
if (isSharedEditingGroup) {
throw Error(
`This item can not be ${requestOptions.action}d to shared editing group ${requestOptions.groupId} by ${username} as they not the item owner.`
);
}
// only item-owners, group-admin's, group-owners can unshare an item from a normal group
if (
requestOptions.action === "unshare" &&
membership !== "admin" &&
membership !== "owner"
) {
throw Error(
`This item can not be ${requestOptions.action}d from group ${requestOptions.groupId} by ${username} as they not the item owner, group admin or group owner.`
);
}
}
// at this point, the user should be able to share the item to the group

// at this point, the user *should* be able to take the action

// only question is what url to use

// default to the non-owner url...
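Review bot: The new `itemOwner !== username` block is a client-side pre-check, but the surrounding comments read as if it were the access-control decision itself. `itemOwner` appears to be derived from the caller-supplied `owner` option (the test in this commit passes `owner: "vader"`), so the check can only be advisory and the portal must still reject an unauthorized unshare on its side. I would state that in the code, e.g. `// client-side pre-check for a clearer error message only; the portal enforces who may unshare`, and fix the typo in `// if the current user does not own the item, we had more checks...` ("have"). Any `membership` value other than "admin" or "owner" is denied, which is the right fail-closed default and worth keeping. `changeGroupSharing` starts and ends outside this hunk, so how `itemOwner` and `membership` are obtained is not visible here.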
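--- a/packages/arcgis-rest-portal/test/sharing/group-sharing.test.ts
+++ b/packages/arcgis-rest-portal/test/sharing/group-sharing.test.ts
@@ -71,6 +71,14 @@ export const GroupMemberResponse = {
 }
 };
 
+export const GroupNonMemberResponse = {
+id: "tb6",
+title: "fake group",
+userMembership: {
+memberType: "none"
+}
+};
+
 export const GroupAdminResponse = {
 id: "tb6",
 title: "fake group",
@@ -271,6 +279,46 @@ describe("shareItemWithGroup() ::", () => {
 });
 });
 
+it("should fail unshare an item with a group by org administrator thats not a group member ", done => {
+fetchMock.once(
+"https://myorg.maps.arcgis.com/sharing/rest/community/users/jsmith?f=json&token=fake-token",
+OrgAdminUserResponse
+);
+
+fetchMock.once("https://myorg.maps.arcgis.com/sharing/rest/search", {
+total: 1,
+results: [
+{
+id: "n3v"
+}
+]
+});
+
+// called when we determine if the user is a member of the group
+fetchMock.get(
+"https://myorg.maps.arcgis.com/sharing/rest/community/groups/t6b?f=json&token=fake-token",
+GroupNonMemberResponse
+);
+unshareItemWithGroup({
+authentication: MOCK_USER_SESSION,
+id: "n3v",
+groupId: "t6b",
+owner: "vader"
+})
+.then(_ => {
+fail();
+})
+.catch(e => {
+expect(fetchMock.done()).toBeTruthy(
+"All fetchMocks should have been called"
+);
+expect(e.message).toBe(
+"This item can not be unshared from group t6b by jsmith as they not the item owner, group admin or group owner."
+);
+done();
+});
+});
+
 it("should share an item with a group by group owner/admin", done => {
 fetchMock.once(
 "https://myorg.maps.arcgis.com/sharing/rest/community/users/jsmith?f=json&token=fake-token",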
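Review bot: The only new deny-path test uses `GroupNonMemberResponse` (`memberType: "none"`) with an org-admin user, so the case the new clause mainly targets is not exercised in the visible hunks: an ordinary group member who does not own the item. I would add a sibling case that returns the existing `GroupMemberResponse` with `owner: "vader"` and expects the same "not the item owner, group admin or group owner" message. An allow-path case would also help, where a group admin or owner unshares another user's item, so a later refactor cannot silently widen or narrow the rule. Such cases may already exist outside these hunks. Separately, the fixture's `id: "tb6"` does not match the `t6b` group id used in the request URL and error message; it is harmless to the mock but easy to misread.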
