Merge branch 'fix-accessing-user-with-moderator-rights' into 'main'

include user role in moderator role

Closes #1291

See merge request framasoft/mobilizon!1389

lib/graphql/authorization.ex

@@ -31,13 +31,14 @@ defmodule Mobilizon.GraphQL.Authorization do
   @impl true
   def role_authorized?(_user_role, :all), do: true
   def role_authorized?(role, _allowed_role) when is_super_role(role), do: true
+  def role_authorized?(:moderator, :user), do: true
 
   def role_authorized?(user_role, allowed_role) when is_atom(user_role) and is_atom(allowed_role),
     do: user_role === allowed_role
 
   def role_authorized?(user_role, allowed_roles)
       when is_atom(user_role) and is_list(allowed_roles),
-      do: user_role in allowed_roles
+      do: user_role in allowed_roles or (user_role === :moderator and :user in allowed_roles)
 
   @impl true
   def get_user_role(%ApplicationToken{user: %{role: role}}), do: role

test/graphql/resolvers/user_test.exs

@@ -200,6 +200,34 @@ defmodule Mobilizon.GraphQL.Resolvers.UserTest do
 
       assert res["data"]["loggedUser"]["id"] == to_string(user.id)
     end
+
+    test "get_current_user/3 returns the current logged-in user with moderator role", %{
+      conn: conn
+    } do
+      user = insert(:user, role: :moderator)
+
+      res =
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @logged_user_query,
+          variables: %{}
+        )
+
+      assert res["data"]["loggedUser"] == nil
+
+      assert hd(res["errors"])["message"] ==
+               "You need to be logged in"
+
+      res =
+        conn
+        |> auth_conn(user)
+        |> AbsintheHelpers.graphql_query(
+          query: @logged_user_query,
+          variables: %{}
+        )
+
+      assert res["data"]["loggedUser"]["id"] == to_string(user.id)
+    end
   end
 
   describe "Resolver: List users" do