diff --git a/.changeset/dull-plants-create.md b/.changeset/dull-plants-create.md
new file mode 100644
index 0000000000..3beedc8f49
--- /dev/null
+++ b/.changeset/dull-plants-create.md
@@ -0,0 +1,5 @@
+---
+"@medusajs/medusa": patch
+---
+
+feat(medusa): allow users deletion
diff --git a/integration-tests/http/__tests__/user/admin/user.spec.ts b/integration-tests/http/__tests__/user/admin/user.spec.ts
index 17ef0fc28e..088df2d553 100644
--- a/integration-tests/http/__tests__/user/admin/user.spec.ts
+++ b/integration-tests/http/__tests__/user/admin/user.spec.ts
@@ -106,14 +106,25 @@ medusaIntegrationTestRunner({
 describe("DELETE /admin/users", () => {
 it("Deletes a user and updates associated auth identity", async () => {
+ const userTwoAdminHeaders = {
+ headers: { "x-medusa-access-token": "test_token" },
+ }
+
+ const { user: userTwo, authIdentity: userTwoAuthIdentity } = await createAdminUser(
+ dbConnection,
+ userTwoAdminHeaders,
+ container,
+ { email: "test@test.com" },
+ )
+
+ const response = await api.delete(
- `/admin/users/${user.id}`,
+ `/admin/users/${userTwo.id}`,
 adminHeaders
 )
 expect(response.status).toEqual(200)
 expect(response.data).toEqual({
- id: user.id,
+ id: userTwo.id,
 object: "user",
 deleted: true,
 })
@@ -121,15 +132,15 @@ medusaIntegrationTestRunner({
 const authModule: IAuthModuleService = container.resolve(Modules.AUTH)
 const updatedAuthIdentity = await authModule.retrieveAuthIdentity(
- authIdentity.id
+ userTwoAuthIdentity.id
 )
 // Ensure the auth identity has been updated to not contain the user's id
 expect(updatedAuthIdentity).toEqual(
 expect.objectContaining({
- id: authIdentity.id,
+ id: userTwoAuthIdentity.id,
 app_metadata: expect.not.objectContaining({
- user_id: user.id,
+ user_id: userTwo.id,
 }),
 })
 )
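Review bot: The reason the test now provisions a second admin (`userTwo`) and deletes that account instead of `user` is not stated in the hunk; it is required because the DELETE route changed in this same commit rejects self-deletion, so the acting user can no longer be its own target. A one-line comment above the `createAdminUser` call would save the next reader a trip to the route: `// The route rejects self-deletion, so create a second admin to be the deletion target.` Note that `userTwoAdminHeaders` is only handed to `createAdminUser`; the delete itself is still issued with `adminHeaders`, which is what makes this test exercise the cross-user path. The enclosing `it` block continues past the hunk.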
@@ -137,7 +148,7 @@ medusaIntegrationTestRunner({
 // Authentication should still succeed
 const authenticateToken = (
 await api.post(`/auth/user/emailpass`, {
- email: user.email,
+ email: userTwo.email,
 password: "somepassword",
 })
 ).data.token
@@ -156,22 +167,14 @@ medusaIntegrationTestRunner({
 expect(meResponse.response.status).toEqual(401)
 })
- it("throws if you attempt to delete another user", async () => {
- const userModule = container.resolve(Modules.USER)
-
- const userTwo = await userModule.createUsers({
- email: "test@test.com",
- password: "test",
- role: "member",
- })
-
+ it("throws if you attempt to delete your own user", async () => {
 const error = await api
- .delete(`/admin/users/${userTwo.id}`, adminHeaders)
+ .delete(`/admin/users/${user.id}`, adminHeaders)
 .catch((e) => e)
 expect(error.response.status).toEqual(400)
 expect(error.response.data.message).toEqual(
- "You are not allowed to delete other users"
+ "A user cannot delete itself"
 )
 })
diff --git a/packages/medusa/src/api/admin/users/[id]/route.ts b/packages/medusa/src/api/admin/users/[id]/route.ts
index 9b5fca5221..f34596d89b 100644
--- a/packages/medusa/src/api/admin/users/[id]/route.ts
+++ b/packages/medusa/src/api/admin/users/[id]/route.ts
@@ -78,10 +78,10 @@ export const DELETE = async (
 const { id } = req.params
 const { actor_id } = req.auth_context
- if (actor_id !== id) {
+ if (actor_id === id) {
 throw new MedusaError(
 MedusaError.Types.NOT_ALLOWED,
- "You are not allowed to delete other users"
+ "A user cannot delete itself"
 )
 }
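Review bot: With the condition inverted to `actor_id === id`, the self-deletion guard is the only authorization logic visible in DELETE; any authenticated admin actor can now delete any other user, so the endpoint relies entirely on the authentication middleware applied upstream of this handler (not in the hunk) for access control. That is presumably the intent of the changeset, but it should be stated at the guard so a later reader does not mistake it for a residual restriction: `// Only self-deletion is rejected here; deleting other users is authorized solely by the admin auth middleware upstream.` It would also be worth recording why self-deletion is refused, since the reason is not visible in this file. `DELETE` starts before this hunk (its signature is the hunk's context) and its body, including the deletion itself, continues after it.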