fix(user): correctly change image of another user (#1042)

* fix(user): correctly change image of another user

* chore(image-tests): add more tests for changing other user

* chore(image-tests): add more more assertions for changing other user

Author: LeonVreling

lib/imageserv.js

@@ -42,7 +42,7 @@ const upload = multer({
 const uploadAsync = util.promisify(upload);
 
 exports.uploadImage = async (req, res) => {
-    const oldimg = req.user.image;
+    const oldimg = req.currentUser.image;
 
     // If upload folder doesn't exists, create it.
     if (!fs.existsSync(uploadFolderName)) {
@@ -72,7 +72,7 @@ exports.uploadImage = async (req, res) => {
         return errors.makeValidationError(res, 'Malformed file content.');
     }
 
-    await req.user.update({
+    await req.currentUser.update({
         image: req.file.filename
     });
 
@@ -84,24 +84,24 @@ exports.uploadImage = async (req, res) => {
     return res.json({
         success: true,
         message: 'File uploaded successfully',
-        data: req.user.image,
+        data: req.currentUser.image,
     });
 };
 
 exports.removeImage = async (req, res) => {
-    if (!req.user.image) {
+    if (!req.currentUser.image) {
         return errors.makeValidationError(res, 'No image is specified for the user.');
     }
 
-    await fs.promises.unlink(path.join(uploadFolderName, req.user.image));
+    await fs.promises.unlink(path.join(uploadFolderName, req.currentUser.image));
 
-    await req.user.update({
+    await req.currentUser.update({
         image: null
     });
 
     return res.json({
         success: true,
         message: 'File removed successfully',
-        data: req.user.image
+        data: req.currentUser.image
     });
 };

test/api/users-image-remove.test.js

@@ -71,4 +71,61 @@ describe('Users image remove', () => {
         userFromDb = await User.findByPk(user.id);
         expect(userFromDb.image).toEqual(null);
     });
+
+    it('should remove a file of another user', async () => {
+        const admin = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken(admin);
+
+        const user = await generator.createUser();
+
+        const firstRequest = await request({
+            uri: '/members/' + admin.id + '/upload',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            formData: {
+                head_image: fs.createReadStream('./test/assets/valid_image.png')
+            }
+        });
+
+        expect(firstRequest.statusCode).toEqual(200);
+
+        const adminFromDbBeforeChange = await User.findByPk(admin.id);
+
+        const secondRequest = await request({
+            uri: '/members/' + user.id + '/upload',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            formData: {
+                head_image: fs.createReadStream('./test/assets/valid_second_image.PNG')
+            }
+        });
+
+        expect(secondRequest.statusCode).toEqual(200);
+
+        let userFromDb = await User.findByPk(user.id);
+
+        const res = await request({
+            uri: '/members/' + user.id + '/image',
+            method: 'DELETE',
+            headers: { 'X-Auth-Token': token.value }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).toHaveProperty('message');
+
+        const oldImgPath = path.join(__dirname, '..', '..', config.media_dir, 'headimages', userFromDb.image);
+        expect(fs.existsSync(oldImgPath)).toEqual(false);
+
+        userFromDb = await User.findByPk(user.id);
+        expect(userFromDb.image).toEqual(null);
+
+        const adminFromDb = await User.findByPk(admin.id);
+
+        expect(adminFromDb.image).not.toEqual(null);
+        expect(adminFromDbBeforeChange.image).toEqual(adminFromDb.image);
+
+        const adminImgPath = path.join(__dirname, '..', '..', config.media_dir, 'headimages', adminFromDb.image);
+        expect(fs.existsSync(adminImgPath)).toEqual(true);
+    });
 });

test/api/users-image-upload.test.js

@@ -178,4 +178,49 @@ describe('Users image upload', () => {
         const oldImgPath = path.join(__dirname, '..', '..', config.media_dir, 'headimages', userFromDb.image);
         expect(fs.existsSync(oldImgPath)).toEqual(false);
     });
+
+    it('should update a valid image to only another user if other user is selected', async () => {
+        const admin = await generator.createUser({ superadmin: true });
+        const token = await generator.createAccessToken(admin);
+
+        const user = await generator.createUser();
+
+        const firstRequest = await request({
+            uri: '/members/' + admin.id + '/upload',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            formData: {
+                head_image: fs.createReadStream('./test/assets/valid_image.png')
+            }
+        });
+
+        expect(firstRequest.statusCode).toEqual(200);
+
+        const adminFromDbBeforeChange = await User.findByPk(admin.id);
+
+        const res = await request({
+            uri: '/members/' + user.id + '/upload',
+            method: 'POST',
+            headers: { 'X-Auth-Token': token.value },
+            formData: {
+                head_image: fs.createReadStream('./test/assets/valid_second_image.PNG')
+            }
+        });
+
+        expect(res.statusCode).toEqual(200);
+        expect(res.body.success).toEqual(true);
+        expect(res.body).toHaveProperty('message');
+
+        const userFromDb = await User.findByPk(user.id);
+
+        const imgPath = path.join(__dirname, '..', '..', config.media_dir, 'headimages', userFromDb.image);
+        expect(fs.existsSync(imgPath)).toEqual(true);
+
+        const adminFromDb = await User.findByPk(admin.id);
+
+        expect(adminFromDbBeforeChange.image).toEqual(adminFromDb.image);
+
+        const adminImgPath = path.join(__dirname, '..', '..', config.media_dir, 'headimages', adminFromDb.image);
+        expect(fs.existsSync(adminImgPath)).toEqual(true);
+    });
 });