Add tests for admin creation/deletion

Author: nwalters512

src/api/users.js

@@ -1,6 +1,6 @@
 const router = require('express').Router()
 
-const { requireUser, failIfErrors } = require('./util')
+const { requireUser, failIfErrors, ApiError } = require('./util')
 
 const { User, Course } = require('../models')
 
@@ -68,7 +68,13 @@ router.delete(
   '/admins/:userId',
   [requireAdmin, requireUser, failIfErrors],
   safeAsync(async (req, res, _next) => {
+    const { id } = res.locals.userAuthn
     const { user } = res.locals
+    // Prevent user from removing themselves as an admin
+    if (user.id === id) {
+      _next(new ApiError(403, 'You cannot remove yourself'))
+      return
+    }
     if (user.isAdmin) {
       user.isAdmin = false
       await user.save()

src/api/users.test.js

@@ -4,12 +4,12 @@ const app = require('../app')
 const testutil = require('../../test/util')
 const { requestAsUser } = require('../../test/util')
 
-beforeAll(async () => {
+beforeEach(async () => {
   await testutil.setupTestDb()
   await testutil.populateTestDb()
 })
 
-afterAll(async () => {
+afterEach(async () => {
   await testutil.destroyTestDb()
 })
 
@@ -61,6 +61,55 @@ describe('Users API', () => {
     })
   })
 
+  describe('PUT /api/users/admins/:userId', () => {
+    test('succeeds for existing admin', async () => {
+      const request = await requestAsUser(app, 'dev')
+      // make "225staff" an admin
+      const res = await request.put('/api/users/admins/3')
+      expect(res.statusCode).toBe(201)
+      expect(res.body.isAdmin).toBe(true)
+    })
+
+    test('fails for non-admin', async () => {
+      const request = await requestAsUser(app, '241staff')
+      const res = await request.put('/api/users/admins/3')
+      expect(res.statusCode).toBe(403)
+    })
+
+    test('fails for student', async () => {
+      const request = await requestAsUser(app, 'student')
+      const res = await request.put('/api/users/admins/3')
+      expect(res.statusCode).toBe(403)
+    })
+  })
+
+  describe('DELETE /api/users/admins/:userId', () => {
+    test('succeeds for existing admin', async () => {
+      const request = await requestAsUser(app, 'dev')
+      // make "admin" not an admin
+      const res = await request.delete('/api/users/admins/2')
+      expect(res.statusCode).toBe(204)
+    })
+
+    test('fails for self', async () => {
+      const request = await requestAsUser(app, 'dev')
+      const res = await request.delete('/api/users/admins/1')
+      expect(res.statusCode).toBe(403)
+    })
+
+    test('fails for non-admin', async () => {
+      const request = await requestAsUser(app, '241staff')
+      const res = await request.delete('/api/users/admins/2')
+      expect(res.statusCode).toBe(403)
+    })
+
+    test('fails for student', async () => {
+      const request = await requestAsUser(app, 'student')
+      const res = await request.delete('/api/users/admins/2')
+      expect(res.statusCode).toBe(403)
+    })
+  })
+
   describe('GET /api/users', () => {
     test('returns all users for admin', async () => {
       const request = await requestAsUser(app, 'admin')