Merge branch 'development'

coldbox-modules · Mar 10, 2021 · 409ab1b · 409ab1b
2 parents bd4e5e9 + 498e31f
commit 409ab1b
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/box.json b/box.json
@@ -1,6 +1,6 @@
 {
     "name":"ColdBox Security",
-    "version":"2.10.0",
+    "version":"2.11.0",
     "location":"https://downloads.ortussolutions.com/ortussolutions/coldbox-modules/cbsecurity/@build.version@/cbsecurity-@build.version@.zip",
     "author":"Ortus Solutions.com <info@ortussolutions.com>",
     "slug":"cbsecurity",

diff --git a/changelog.md b/changelog.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ----
 
+## [2.11.0] => 2021-MAR-10
+
+### Added
+
+* Add a `secureSameUser` method to throw when passed a different user #29 (https://github.com/coldbox-modules/cbsecurity/pull/29)
+
+----
+
 ## [2.10.0] => 2021-FEB-12
 
 ### Added

diff --git a/models/CBSecurity.cfc b/models/CBSecurity.cfc
@@ -258,9 +258,33 @@ component singleton accessors="true" {
 		}
 		if ( results ) {
 			throw( type = "NotAuthorized", message = arguments.message );
+        }
+        return this;
+    }
+
+	/**
+	 * Verifies that the passed in user object must be the same as the authenticated user.
+	 * Equality is done by evaluating the `getid()` method on both objects.
+	 * If the equality check fails, a `NotAuthorized` exception is thrown.
+	 *
+	 * @throws NoUserLoggedIn
+	 * @throws NotAuthorized
+	 *
+	 * @user The user to test for equality
+	 * @message The error message to throw in the exception
+	 */
+	CBSecurity function secureSameUser(
+		required user,
+		message = variables.DEFAULT_ERROR_MESSAGE
+	){
+		if ( !sameUser( arguments.user ) ) {
+			throw(
+				type    = "NotAuthorized",
+				message = arguments.message
+			);
 		}
 		return this;
-	}
+    }
 
 	/**
 	 * Alias proxy if somebody is coming from cbguard, proxies to the secure() method

diff --git a/test-harness/tests/specs/unit/CBSecurityTest.cfc b/test-harness/tests/specs/unit/CBSecurityTest.cfc
@@ -301,6 +301,22 @@ component extends="coldbox.system.testing.BaseModelTest" model="cbsecurity.model
 						cbsecurity.secureWhen( function( user ){ return false; } );
 					});
 				});
+				describe( "secureSameUser() method", function(){
+					it( "can secure if the logged in user is not the user passed", function(){
+                        mockUser.$( "getId", 1 );
+                        var testUser = createStub().$( "getId", 2 );
+
+						expect( function(){
+							cbsecurity.secureSameUser( testUser );
+						}).toThrow( "NotAuthorized" );
+					});
+
+					it( "can allow if the logged in user is the user passed", function(){
+                        mockUser.$( "getId", 1 );
+                        var testUser = createStub().$( "getId", 1 );
+						cbsecurity.secureSameUser( testUser );
+					});
+				});
 			});
 
 		});