alkem-io / server

Core server in the Alkemio platform, offering a GraphQL API for interacting with the logical domain model.
http://alkem.io
European Union Public License 1.2

BUG: User not part of ecoverse, doesn't have right to update its profile #866

Closed Comoque1 closed 3 years ago

Comoque1 commented 3 years ago

Describe the bug

User not part of ecoverse, doesn't have right to update its profile.

To Reproduce

Steps to reproduce the behavior:

  1. Go to https://dev.cherrytwist.org/graphql
  2. Get the token for user: non-ecoverse@cherrytwist.com
  3. Use it in the following mutation:
    mutation updateProfile($profileData: ProfileInput!, $ID: Float!) {
      updateProfile(profileData: $profileData, ID: $ID)
    }

    {
      "ID": 58,
      "profileData": {
        "description": "123",
        "avatar": "https://avatar.com",
        "referencesData": {
          "name": "xxx",
          "description": "000"
        }
      }
    }
  4. User is forbidden to perform update to its profile.

Expected behavior

User not part of ecoverse, must have right to update its profile.

techsmyth commented 3 years ago

Interesting one...

A user can update their own profile via the updateUser mutation - they just cannot invoke the updateProfile method; they have to go via the updateUser mutation. Not sure we should fix this one, and it is not easy.