diff --git a/lib/routes/admin-api/strategy.js b/lib/routes/admin-api/strategy.js
index 252aa585da..0bb8d7b7fc 100644
--- a/lib/routes/admin-api/strategy.js
+++ b/lib/routes/admin-api/strategy.js
@@ -85,14 +85,18 @@ class StrategyController extends Controller {
 async deprecateStrategy(req, res) {
 const userName = extractUser(req);
 const { strategyName } = req.params;
- try {
- await this.strategyService.deprecateStrategy(
- strategyName,
- userName,
- );
- res.status(200).end();
- } catch (error) {
- handleErrors(res, this.logger, error);
+ if (strategyName === 'default') {
+ res.status(403).end();
+ } else {
+ try {
+ await this.strategyService.deprecateStrategy(
+ strategyName,
+ userName,
+ );
+ res.status(200).end();
+ } catch (error) {
+ handleErrors(res, this.logger, error);
+ }
 }
 }
diff --git a/lib/routes/admin-api/strategy.test.js b/lib/routes/admin-api/strategy.test.js
index 2be10cdfd0..a99677ef51 100644
--- a/lib/routes/admin-api/strategy.test.js
+++ b/lib/routes/admin-api/strategy.test.js
@@ -248,3 +248,11 @@ test('reactivating a non-existent strategy yields 404', t => {
 .post(`${base}/api/admin/strategies/non-existent-strategy/reactivate`)
 .expect(404);
 });
+test(`deprecating 'default' strategy will yield 403`, t => {
+ t.plan(0);
+ const { request, base, perms } = getSetup();
+ perms.withPermissions(UPDATE_STRATEGY);
+ return request
+ .post(`${base}/api/admin/strategies/default/deprecate`)
+ .expect(403);
+});
diff --git a/test/e2e/api/admin/strategy.e2e.test.js b/test/e2e/api/admin/strategy.e2e.test.js
index f1e35cf112..d522928c16 100644
--- a/test/e2e/api/admin/strategy.e2e.test.js
+++ b/test/e2e/api/admin/strategy.e2e.test.js
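Review bot: In `deprecateStrategy` (lib/routes/admin-api/strategy.js) the protection for the `'default'` strategy is enforced only in the route handler, so any other caller of `strategyService.deprecateStrategy` (none is visible in this diff) would bypass it. If the rule is meant as an invariant, the service is the safer place to reject the name, with the controller leaving the status mapping to `handleErrors`. The new 403 branch also ends the response with no body and no log entry, so a client or an operator reading the logs cannot tell this protected-name rule from what is presumably the same status for a missing permission. A guard clause, `if (strategyName === 'default') { res.status(403).end(); return; }`, would keep the existing try/catch at its original nesting level. The class body continues outside the hunk.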
@@ -166,3 +166,9 @@ test.serial('can reactivate a deprecated strategy', async t => {
 .expect(200)
 .expect(res => t.is(res.body.deprecated, false));
 });
+
+test.serial('cannot deprecate default strategy', async t => {
+ t.plan(0);
+ const request = await setupApp(stores);
+ await request.post('/api/admin/strategies/default/deprecate').expect(403);
+});
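Review bot: The new e2e test `cannot deprecate default strategy` asserts only the 403 status, so it would still pass if a later refactor performed the deprecation and then answered 403. A follow-up read of the default strategy asserting that it is still not deprecated, in the style of the preceding test's `.expect(res => t.is(res.body.deprecated, false))`, would pin the stored state as well as the response code. With such an assertion added, `t.plan(0)` would likely need to become `t.plan(1)`.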