From ecda4ad8ad1af57af604e13291cbd33cfa61e284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Wed, 12 Aug 2020 13:42:55 -0400
Subject: [PATCH] feat: tests for password change

---
 test/mocks/databasemock.js |  4 ----
 test/user.js               | 26 ++++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/test/mocks/databasemock.js b/test/mocks/databasemock.js
index 158f105a66..d70ed705d1 100644
--- a/test/mocks/databasemock.js
+++ b/test/mocks/databasemock.js
@@ -105,10 +105,6 @@ winston.info('environment ' + global.env);
 const db = require('../../src/database');
 module.exports = db;
 
-after(async function () {
-	await db.flushdb();
-});
-
 before(async function () {
 	this.timeout(30000);
 	await db.init();
diff --git a/test/user.js b/test/user.js
index 29c44cd806..7c49d1e31c 100644
--- a/test/user.js
+++ b/test/user.js
@@ -824,6 +824,32 @@ describe('User', function () {
 			});
 		});
 
+		it('should not let user change another user\'s password', async function () {
+			const regularUserUid = await User.create({ username: 'regularuserpwdchange', password: 'regularuser1234' });
+			const uid = await User.create({ username: 'changeadminpwd1', password: '123456' });
+			let err;
+			try {
+				await socketUser.changePassword({ uid: uid }, { uid: regularUserUid, newPassword: '654321', currentPassword: '123456' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_privileges]]');
+		});
+
+		it('should not let user change admin\'s password', async function () {
+			const adminUid = await User.create({ username: 'adminpwdchange', password: 'admin1234' });
+			await groups.join('administrators', adminUid);
+			const uid = await User.create({ username: 'changeadminpwd2', password: '123456' });
+
+			let err;
+			try {
+				await socketUser.changePassword({ uid: uid }, { uid: adminUid, newPassword: '654321', currentPassword: '123456' });
+			} catch (_err) {
+				err = _err;
+			}
+			assert.equal(err.message, '[[user:change_password_error_privileges]]');
+		});
+
 		it('should change username', function (done) {
 			socketUser.changeUsernameEmail({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '123456' }, function (err) {
 				assert.ifError(err);