From 73ddf1cb98900bcc213e2f194e8f82bea437d7ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Thu, 9 Jul 2020 18:12:51 -0400
Subject: [PATCH] fix: groups.updateCover

---
 src/socket.io/groups.js | 13 +++++++++++--
 test/groups.js          | 20 +++++++++++++++++---
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/src/socket.io/groups.js b/src/socket.io/groups.js
index d0b78f2880..3282e76b09 100644
--- a/src/socket.io/groups.js
+++ b/src/socket.io/groups.js
@@ -368,8 +368,15 @@ SocketGroups.cover.update = async (socket, data) => {
 	if (!socket.uid) {
 		throw new Error('[[error:no-privileges]]');
 	}
+	if (data.file || (!data.imageData && !data.position)) {
+		throw new Error('[[error:invalid-data]]');
+	}
 	await canModifyGroup(socket.uid, data.groupName);
-	return await groups.updateCover(socket.uid, data);
+	return await groups.updateCover(socket.uid, {
+		groupName: data.groupName,
+		imageData: data.imageData,
+		position: data.position,
+	});
 };
 
 SocketGroups.cover.remove = async (socket, data) => {
@@ -378,7 +385,9 @@ SocketGroups.cover.remove = async (socket, data) => {
 	}
 
 	await canModifyGroup(socket.uid, data.groupName);
-	await groups.removeCover(data);
+	await groups.removeCover({
+		groupName: data.groupName,
+	});
 };
 
 async function canModifyGroup(uid, groupName) {
diff --git a/test/groups.js b/test/groups.js
index 1e1e794335..a3b6470021 100644
--- a/test/groups.js
+++ b/test/groups.js
@@ -1387,9 +1387,9 @@ describe('Groups', function () {
 		});
 
 		it('should fail if user is not logged in or not owner', function (done) {
-			socketGroups.cover.update({ uid: 0 }, {}, function (err) {
+			socketGroups.cover.update({ uid: 0 }, { imageData: 'asd' }, function (err) {
 				assert.equal(err.message, '[[error:no-privileges]]');
-				socketGroups.cover.update({ uid: regularUid }, { groupName: 'Test' }, function (err) {
+				socketGroups.cover.update({ uid: regularUid }, { groupName: 'Test', imageData: 'asd' }, function (err) {
 					assert.equal(err.message, '[[error:no-privileges]]');
 					done();
 				});
@@ -1404,7 +1404,7 @@ describe('Groups', function () {
 					type: 'image/png',
 				},
 			};
-			socketGroups.cover.update({ uid: adminUid }, data, function (err, data) {
+			Groups.updateCover({ uid: adminUid }, data, function (err, data) {
 				assert.ifError(err);
 				Groups.getGroupFields('Test', ['cover:url'], function (err, groupData) {
 					assert.ifError(err);
@@ -1434,6 +1434,20 @@ describe('Groups', function () {
 			});
 		});
 
+		it('should fail to upload group cover with invalid image', function (done) {
+			var data = {
+				groupName: 'Test',
+				file: {
+					path: imagePath,
+					type: 'image/png',
+				},
+			};
+			socketGroups.cover.update({ uid: adminUid }, data, function (err) {
+				assert.equal(err.message, '[[error:invalid-data]]');
+				done();
+			});
+		});
+
 		it('should fail to upload group cover with invalid image', function (done) {
 			var data = {
 				groupName: 'Test',