impr: dont allow taking blocklisted names via update account name
!nuf
Miodec committed Jan 3, 2025
1 parent 8e38eae commit 2a6af86
Showing 2 changed files with 24 additions and 0 deletions.
19 changes: 19 additions & 0 deletions backend/__tests__/api/controllers/user.spec.ts
Expand Up @@ -783,6 +783,7 @@ describe("user controller test", () => {
});
});
describe("update name", () => {
const blocklistContainsMock = vi.spyOn(BlocklistDal, "contains");
const getPartialUserMock = vi.spyOn(UserDal, "getPartialUser");
const updateNameMock = vi.spyOn(UserDal, "updateName");
const addImportantLogMock = vi.spyOn(LogDal, "addImportantLog");
Expand All @@ -791,6 +792,7 @@ describe("user controller test", () => {
getPartialUserMock.mockReset();
updateNameMock.mockReset();
addImportantLogMock.mockReset();
blocklistContainsMock.mockReset();
});

it("should update the username", async () => {
Expand Down Expand Up @@ -819,6 +821,23 @@ describe("user controller test", () => {
uid
);
});

it("should fail if username is blocked", async () => {
//GIVEN
blocklistContainsMock.mockResolvedValue(true);

//WHEN
const { body } = await mockApp
.patch("/users/name")
.set("authorization", `Uid ${uid}`)
.send({ name: "newName" })
.expect(409);

//THEN
expect(body.message).toEqual("Username blocked");
expect(updateNameMock).not.toHaveBeenCalled();
});

it("should fail for banned users", async () => {
//GIVEN
getPartialUserMock.mockResolvedValue({ banned: true } as any);
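Review bot: The new case `should fail if username is blocked` asserts the 409 and that `updateNameMock` was not called, but it never checks what the blocklist was queried with, so a regression that passes the wrong field to `BlocklistDal.contains` would still pass. Adding `expect(blocklistContainsMock).toHaveBeenCalledWith({ name: "newName" });` to the THEN block pins the lookup argument. The other cases in this describe rely on whatever `mockReset()` leaves behind for the spy; an explicit `blocklistContainsMock.mockResolvedValue(false);` in the happy-path test would make the "not blocklisted" precondition visible. The `describe("update name")` block starts and ends outside the visible hunks.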
5 changes: 5 additions & 0 deletions backend/src/api/controllers/user.ts
Expand Up @@ -326,6 +326,11 @@ export async function updateName(
const { uid } = req.ctx.decodedToken;
const { name } = req.body;

const blocklisted = await BlocklistDal.contains({ name });
if (blocklisted) {
throw new MonkeyError(409, "Username blocked");
}

const user = await UserDAL.getPartialUser(uid, "update name", [
"name",
"banned",
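Review bot: The rejection path `throw new MonkeyError(409, "Username blocked")` writes no audit record in the visible lines, so repeated attempts by an account to take a blocklisted name leave nothing for moderation or detection unless the error handler logs 409s, which is not shown here. Consider recording the uid and the requested name through the important-log helper that the spec mocks (`LogDal.addImportantLog`) before throwing. The lookup also passes `name` exactly as received, so whether case or Unicode variants of a blocklisted name are caught depends on normalisation inside `BlocklistDal.contains`, which is outside this hunk; a short comment such as `// matching rules (case, normalisation) are those of BlocklistDal.contains` would state that dependency. `updateName` starts above and continues below the hunk.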
