Require admin role for API family reset (#1189)

Prevent non-admin users with read_write API access from triggering family-wide reset jobs via /api/v1/users/reset.
2026-04-11 08:14:49 +00:00 · 2026-03-13 08:07:30 +01:00
parent 80026aeee4
commit 3adc011df0
2 changed files with 26 additions and 0 deletions
--- a/test/controllers/api/v1/users_controller_test.rb
+++ b/test/controllers/api/v1/users_controller_test.rb
@@ -50,6 +50,24 @@ class Api::V1::UsersControllerTest < ActionDispatch::IntegrationTest

  # -- Reset -----------------------------------------------------------------

+
+  test "reset requires admin role" do
+    non_admin_api_key = ApiKey.create!(
+      user: users(:family_member),
+      name: "Member Read-Write Key",
+      scopes: [ "read_write" ],
+      display_key: "test_member_#{SecureRandom.hex(8)}"
+    )
+
+    assert_no_enqueued_jobs only: FamilyResetJob do
+      delete "/api/v1/users/reset", headers: api_headers(non_admin_api_key)
+    end
+
+    assert_response :forbidden
+    body = JSON.parse(response.body)
+    assert_equal "You are not authorized to perform this action", body["message"]
+  end
+
  test "reset enqueues FamilyResetJob and returns 200" do
    assert_enqueued_with(job: FamilyResetJob) do
      delete "/api/v1/users/reset", headers: api_headers(@api_key)