MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Only allow admin to create new user

This commit is contained in:
Mel O'Hagan 2022-11-29 11:36:24 +00:00
parent e0645e0293
commit 2ac638fc26
2 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/worker/src/api/controllers/global/users.ts
View File

@ -23,6 +23,10 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
export const save = async (ctx: any) => { export const save = async (ctx: any) => {
try { try {
if (!ctx.request.body._id && !ctx.internal &&
(!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
ctx.throw(403, "Only admin user can create new user.")
}
ctx.body = await sdk.users.save(ctx.request.body) ctx.body = await sdk.users.save(ctx.request.body)
} catch (err: any) { } catch (err: any) {
ctx.throw(err.status || 400, err) ctx.throw(err.status || 400, err)

4
packages/worker/src/api/routes/global/users.js
View File

@ -57,14 +57,14 @@ router
) )
.post( .post(
"/api/global/users/bulk", "/api/global/users/bulk",
builderOrAdmin, adminOnly,
users.buildUserBulkUserValidation(), users.buildUserBulkUserValidation(),
controller.bulkUpdate controller.bulkUpdate
) )
.get("/api/global/users", builderOrAdmin, controller.fetch) .get("/api/global/users", builderOrAdmin, controller.fetch)
.post("/api/global/users/search", builderOrAdmin, controller.search) .post("/api/global/users/search", builderOrAdmin, controller.search)
.delete("/api/global/users/:id", builderOrAdmin, controller.destroy) .delete("/api/global/users/:id", adminOnly, controller.destroy)
.get("/api/global/users/count/:appId", builderOrAdmin, controller.countByApp) .get("/api/global/users/count/:appId", builderOrAdmin, controller.countByApp)
.get("/api/global/roles/:appId") .get("/api/global/roles/:appId")
.post( .post(