diff --git a/packages/server/src/api/controllers/public/users.ts b/packages/server/src/api/controllers/public/users.ts index 88dc82ffd2..7192077d04 100644 --- a/packages/server/src/api/controllers/public/users.ts +++ b/packages/server/src/api/controllers/public/users.ts @@ -51,6 +51,8 @@ export async function update(ctx: BBContext, next: any) { } // disallow updating your own role - always overwrite with DB roles if (isLoggedInUser(ctx, user)) { + ctx.request.body.builder = user.builder + ctx.request.body.admin = user.admin ctx.request.body.roles = user.roles } const response = await saveGlobalUser(publicApiUserFix(ctx)) diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts index e913ccee88..27b90cbd56 100644 --- a/packages/worker/src/api/controllers/global/users.ts +++ b/packages/worker/src/api/controllers/global/users.ts @@ -24,7 +24,8 @@ const MAX_USERS_UPLOAD_LIMIT = 1000 export const save = async (ctx: any) => { try { - ctx.body = await sdk.users.save(ctx.request.body) + const currentUserId = ctx.user._id + ctx.body = await sdk.users.save(ctx.request.body, { currentUserId }) } catch (err: any) { ctx.throw(err.status || 400, err) } diff --git a/packages/worker/src/sdk/users/users.ts b/packages/worker/src/sdk/users/users.ts index 539ac21300..132aef4e69 100644 --- a/packages/worker/src/sdk/users/users.ts +++ b/packages/worker/src/sdk/users/users.ts @@ -106,6 +106,7 @@ export const getUser = async (userId: string) => { interface SaveUserOpts { hashPassword?: boolean requirePassword?: boolean + currentUserId?: string } const buildUser = async ( @@ -170,11 +171,15 @@ const validateUniqueUser = async (email: string, tenantId: string) => { export const save = async ( user: User, - opts: SaveUserOpts = { - hashPassword: true, - requirePassword: true, - } + opts: SaveUserOpts = {} ): Promise => { + // default booleans to true + if (opts.hashPassword == null) { + opts.hashPassword = true + } + if (opts.requirePassword == null) { + opts.requirePassword = true + } const tenantId = tenancy.getTenantId() const db = tenancy.getGlobalDB() @@ -213,6 +218,12 @@ export const save = async ( await validateUniqueUser(email, tenantId) let builtUser = await buildUser(user, opts, tenantId, dbUser) + // don't allow a user to update its own roles/perms + if (opts.currentUserId && opts.currentUserId === dbUser?._id) { + builtUser.builder = dbUser.builder + builtUser.admin = dbUser.admin + builtUser.roles = dbUser.roles + } // make sure we set the _id field for a new user // Also if this is a new user, associate groups with them