FEATURE: do not allow moderators to export user list (#6418)

2025-05-21 18:12:32 +08:00 · 2018-09-21 09:07:13 +08:00
parent 5f042a2c8d
commit 4bb980b9f7
4 changed files with 48 additions and 4 deletions
--- a/spec/requests/export_csv_controller_spec.rb
+++ b/spec/requests/export_csv_controller_spec.rb
@ -7,7 +7,7 @@ describe ExportCsvController do
    let(:user) { Fabricate(:user) }
    before { sign_in(user) }

-    describe ".export_entity" do
+    describe "#export_entity" do
      it "enqueues export job" do
        post "/export_csv/export_entity.json", params: { entity: "user_archive" }
        expect(response.status).to eq(200)
@ -46,7 +46,7 @@ describe ExportCsvController do
    let(:admin) { Fabricate(:admin) }
    before { sign_in(admin) }

-    describe ".export_entity" do
+    describe "#export_entity" do
      it "enqueues export job" do
        post "/export_csv/export_entity.json", params: { entity: "staff_action" }
        expect(response.status).to eq(200)
@ -78,4 +78,27 @@ describe ExportCsvController do
      end
    end
  end
+
+  context 'while logged in as a moderator' do
+    let(:moderator) { Fabricate(:moderator) }
+
+    before { sign_in(moderator) }
+
+    describe '#export_entity' do
+      it 'does not allow moderators to export user_list' do
+        post '/export_csv/export_entity.json', params: { entity: 'user_list' }
+        expect(response.status).to eq(403)
+      end
+
+      it 'allows moderator to export other entities' do
+        post "/export_csv/export_entity.json", params: { entity: 'staff_action' }
+        expect(response.status).to eq(200)
+        expect(Jobs::ExportCsvFile.jobs.size).to eq(1)
+
+        job_data = Jobs::ExportCsvFile.jobs.first['args'].first
+        expect(job_data['entity']).to eq('staff_action')
+        expect(job_data['user_id']).to eq(moderator.id)
+      end
+    end
+  end
 end