From 16cb6d556f68442a716cbecf97de0f18a1c69e92 Mon Sep 17 00:00:00 2001 From: Andrew Kingston Date: Tue, 2 Aug 2022 14:35:32 +0100 Subject: [PATCH 1/3] Prevent deleting yourself from users list page --- .../src/pages/builder/portal/manage/users/index.svelte | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/packages/builder/src/pages/builder/portal/manage/users/index.svelte b/packages/builder/src/pages/builder/portal/manage/users/index.svelte index d18881d1bb..b6cac9ece3 100644 --- a/packages/builder/src/pages/builder/portal/manage/users/index.svelte +++ b/packages/builder/src/pages/builder/portal/manage/users/index.svelte @@ -28,6 +28,7 @@ import ImportUsersModal from "./_components/ImportUsersModal.svelte" import { createPaginationStore } from "helpers/pagination" import { Constants } from "@budibase/frontend-core" + import { get } from "svelte/store" const accessTypes = [ { @@ -198,6 +199,10 @@ const deleteRows = async () => { try { let ids = selectedRows.map(user => user._id) + if (ids.includes(get(auth).user._id)) { + notifications.error("You cannot delete yourself") + return + } await users.bulkDelete(ids) notifications.success(`Successfully deleted ${selectedRows.length} rows`) selectedRows = [] From e2d5a27dac6ed14635c2a60efa8238b5c14a1b0c Mon Sep 17 00:00:00 2001 From: Andrew Kingston Date: Tue, 2 Aug 2022 14:37:18 +0100 Subject: [PATCH 2/3] Prevent deleting yourself or resetting your own password from user details page --- .../portal/manage/users/[userId].svelte | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte index 3e7c64dbec..0f697a5007 100644 --- a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte +++ b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte @@ -237,18 +237,21 @@ -
- - - - - Force Password Reset - Delete - -
+ {#if userId !== $auth.user._id} +
+ + + + + + Force password reset + + + Delete + + +
+ {/if} From b87fcc1f8f0636579bfed7accfa37def3cc99ea5 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Tue, 2 Aug 2022 14:58:18 +0100 Subject: [PATCH 3/3] Adding API checks to stop deletion of self. --- .../src/api/controllers/global/users.ts | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts index 17e655edb3..30bf78efc6 100644 --- a/packages/worker/src/api/controllers/global/users.ts +++ b/packages/worker/src/api/controllers/global/users.ts @@ -3,17 +3,18 @@ import { checkInviteCode } from "../../../utilities/redis" import { sendEmail } from "../../../utilities/email" import { users } from "../../../sdk" import env from "../../../environment" -import { User, CloudAccount } from "@budibase/types" +import { CloudAccount, User } from "@budibase/types" import { - events, - errors, accounts, - users as usersCore, - tenancy, cache, + errors, + events, + tenancy, + users as usersCore, } from "@budibase/backend-core" import { checkAnyUserExists } from "../../../utilities/users" import { groups as groupUtils } from "@budibase/pro" + const MAX_USERS_UPLOAD_LIMIT = 1000 export const save = async (ctx: any) => { @@ -117,8 +118,7 @@ export const adminUser = async (ctx: any) => { export const countByApp = async (ctx: any) => { const appId = ctx.params.appId try { - const response = await users.countUsersByApp(appId) - ctx.body = response + ctx.body = await users.countUsersByApp(appId) } catch (err: any) { ctx.throw(err.status || 400, err) } @@ -126,6 +126,9 @@ export const countByApp = async (ctx: any) => { export const destroy = async (ctx: any) => { const id = ctx.params.id + if (id === ctx.user._id) { + ctx.throw(400, "Unable to delete self.") + } await users.destroy(id, ctx.user) @@ -136,6 +139,10 @@ export const destroy = async (ctx: any) => { export const bulkDelete = async (ctx: any) => { const { userIds } = ctx.request.body + if (userIds?.indexOf(ctx.user._id) !== -1) { + ctx.throw(400, "Unable to delete self.") + } + try { let usersResponse = await users.bulkDelete(userIds)