diff --git a/src/api/handlers/groups.ts b/src/api/handlers/groups.ts
index 3380211..dbef10f 100644
--- a/src/api/handlers/groups.ts
+++ b/src/api/handlers/groups.ts
@@ -65,7 +65,7 @@ export function listMembers(model: Model): IMiddleware {
 }
 if (!owner) {
- ctx.status = 401;
+ ctx.status = 403;
 return;
 }
@@ -108,7 +108,7 @@ export function listPending(model: Model): IMiddleware {
 }
 if (!owner) {
- ctx.status = 401;
+ ctx.status = 403;
 return;
 }
@@ -180,7 +180,7 @@ export function acceptGroup(model: Model): IMiddleware {
 const owner = await model.groups.checkOwner(tr, group.idx, ctx.state.userIdx);
 if (!owner) {
- ctx.status = 401;
+ ctx.status = 403;
 return;
 }
@@ -224,7 +224,7 @@ export function rejectGroup(model: Model): IMiddleware {
 const owner = await model.groups.checkOwner(tr, group.idx, ctx.state.userIdx);
 if (!owner) {
- ctx.status = 401;
+ ctx.status = 403;
 return;
 }
diff --git a/test/api/groups.test.ts b/test/api/groups.test.ts
index 6892ace..62614ca 100644
--- a/test/api/groups.test.ts
+++ b/test/api/groups.test.ts
@@ -144,7 +144,7 @@ test('pending listing', async t => {
 t.is(response.status, 200);
 response = await agent.get(`/api/group/${groupIdx}/pending`);
- t.is(response.status, 401);
+ t.is(response.status, 403);
 await model.pgDo(async tr => {
 await model.users.addUserMembership(tr, userIdx, groupIdx);
@@ -236,6 +236,13 @@ test('accept group requests', async t => {
 let response;
 response = await agent.post(`/api/group/${groupIdx}/accept`).send([]);
+ t.is(response.status, 400);
+
+ await model.pgDo(async tr => {
+ await model.users.addPendingUserMembership(tr, memberIdx, groupIdx);
+ });
+
+ response = await agent.post(`/api/group/${groupIdx}/accept`).send([memberIdx]);
 t.is(response.status, 401);
 response = await agent.post('/api/login').send({
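Review bot: The non-owner branch is written out four times (listMembers, listPending, acceptGroup, rejectGroup), so the 401-versus-403 rule this commit corrects lives in four places and a future handler can drift from it or omit the owner check altogether. Consider routing all four through one shared guard, and state the rule in a comment at the check, e.g. `// 403: session is valid but the user is not an owner of this group; 401 is reserved for requests without a session`. The handler bodies start and end outside these hunks, so where the unauthenticated 401 is produced is not visible here.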
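Review bot: The added `t.is(response.status, 400);` after the `send([])` call in the hunk at @@ -236 runs before `/api/login`, so the test now pins body validation ahead of the session check: a client without a session gets 400 for an empty list and 401 only once the body is well-formed. That ordering lets unauthenticated callers reach the validation path and tell accepted payload shapes from rejected ones; checking the session first is the safer default. I would expect `t.is(response.status, 401);` for every pre-login request and the empty-array 400 asserted after login, which probably needs the handler reordered (not shown in this diff). The reject test hunk at @@ -288 has the same pattern, and both test bodies continue outside their hunks.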
@@ -244,20 +251,13 @@ test('accept group requests', async t => {
 });
 t.is(response.status, 200);
- response = await agent.post(`/api/group/${groupIdx}/accept`).send([]);
- t.is(response.status, 401);
+ response = await agent.post(`/api/group/${groupIdx}/accept`).send([memberIdx]);
+ t.is(response.status, 403);
 await model.pgDo(async tr => {
 await model.groups.setOwnerGroup(tr, groupIdx, ownerGroupIdx);
 });
- response = await agent.post(`/api/group/${groupIdx}/accept`).send([]);
- t.is(response.status, 200);
-
- await model.pgDo(async tr => {
- await model.users.addPendingUserMembership(tr, memberIdx, groupIdx);
- });
-
 response = await agent.post(`/api/group/${groupIdx}/accept`).send([memberIdx]);
 t.is(response.status, 200);
@@ -288,6 +288,13 @@ test('reject group requests', async t => {
 let response;
 response = await agent.post(`/api/group/${groupIdx}/reject`).send([]);
+ t.is(response.status, 400);
+
+ await model.pgDo(async tr => {
+ await model.users.addPendingUserMembership(tr, memberIdx, groupIdx);
+ });
+
+ response = await agent.post(`/api/group/${groupIdx}/reject`).send([memberIdx]);
 t.is(response.status, 401);
 response = await agent.post('/api/login').send({
@@ -296,20 +303,13 @@ test('reject group requests', async t => {
 });
 t.is(response.status, 200);
- response = await agent.post(`/api/group/${groupIdx}/reject`).send([]);
- t.is(response.status, 401);
+ response = await agent.post(`/api/group/${groupIdx}/reject`).send([memberIdx]);
+ t.is(response.status, 403);
 await model.pgDo(async tr => {
 await model.groups.setOwnerGroup(tr, groupIdx, ownerGroupIdx);
 });
- response = await agent.post(`/api/group/${groupIdx}/reject`).send([]);
- t.is(response.status, 200);
-
- await model.pgDo(async tr => {
- await model.users.addPendingUserMembership(tr, memberIdx, groupIdx);
- });
-
 response = await agent.post(`/api/group/${groupIdx}/reject`).send([memberIdx]);
 t.is(response.status, 200);
diff --git a/test/api/users.test.ts b/test/api/users.test.ts
index c72a050..11075f7 100644
--- a/test/api/users.test.ts
+++ b/test/api/users.test.ts
@@ -44,7 +44,7 @@ test('create user step by step', async t => {
 studentNumbers,
 });
 // request without session token will be fail
- t.is(response.status, 401);
+ t.is(response.status, 400);
 response = await agent.post('/api/email/check-token').send({
 token,
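Review bot: The expectation for a request "without session token" moves from 401 to 400, but no handler change for this endpoint appears in the diff, and the group tests in the same commit still expect 401 for requests made before login. If the token is a credential, a 400 reports a missing credential as a malformed request and the assertion should stay 401. If it is an ordinary body field, the comment above the assertion should say so, e.g. `// request without the token field is rejected as malformed`. The request being asserted starts above the hunk, so which case applies cannot be confirmed from here.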