From 85dd6f2880606e7014fca8ca99be6715ff3fc9ec Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Wed, 7 Dec 2022 12:42:14 +0000
Subject: [PATCH] Extension on fix for user self assignment, don't allow users to change their admin/builder status.
---
 .../src/api/controllers/public/users.ts | 2 ++
 .../src/api/controllers/global/users.ts | 3 ++-
 packages/worker/src/sdk/users/users.ts | 19 +++++++++++++++----
 3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/packages/server/src/api/controllers/public/users.ts b/packages/server/src/api/controllers/public/users.ts
index 88dc82ffd2..7192077d04 100644
--- a/packages/server/src/api/controllers/public/users.ts
+++ b/packages/server/src/api/controllers/public/users.ts
@@ -51,6 +51,8 @@ export async function update(ctx: BBContext, next: any) {
 }
 // disallow updating your own role - always overwrite with DB roles
 if (isLoggedInUser(ctx, user)) {
+ ctx.request.body.builder = user.builder
+ ctx.request.body.admin = user.admin
 ctx.request.body.roles = user.roles
 }
 const response = await saveGlobalUser(publicApiUserFix(ctx))
diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts
index e913ccee88..27b90cbd56 100644
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@@ -24,7 +24,8 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
 export const save = async (ctx: any) => {
 try {
- ctx.body = await sdk.users.save(ctx.request.body)
+ const currentUserId = ctx.user._id
+ ctx.body = await sdk.users.save(ctx.request.body, { currentUserId })
 } catch (err: any) {
 ctx.throw(err.status || 400, err)
 }
diff --git a/packages/worker/src/sdk/users/users.ts b/packages/worker/src/sdk/users/users.ts
index 539ac21300..132aef4e69 100644
--- a/packages/worker/src/sdk/users/users.ts
+++ b/packages/worker/src/sdk/users/users.ts
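Review bot: The added `ctx.request.body.builder = user.builder` and `ctx.request.body.admin = user.admin` lines silently replace whatever the public API caller submitted, so a caller who tries to raise their own builder/admin flags still receives a success response with the stored values echoed back, and nothing records the attempt. If coercing rather than rejecting is the intended contract, the comment above the block should say so, e.g. `// disallow updating your own role/builder/admin - always overwrite with the DB values, so the response reflects what is stored`; otherwise answering with a 403 would make the attempt visible to the caller and in logs. The same invariant is now also enforced inside sdk.users.save in this patch, so this controller-level overwrite is defence in depth and the two lists of protected fields need to stay in step. `update` continues past the end of the hunk.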
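Review bot: `const currentUserId = ctx.user._id` relies on `ctx.user` being populated, and with `ctx: any` nothing in the signature enforces that; if this handler were ever reached without the authentication middleware the resulting TypeError would be caught below and reported to the client as a 400 rather than as an authentication failure. Because the sdk guard added elsewhere in this patch only runs when `currentUserId` is set, this line is what actually switches the self-update protection on, which deserves a comment such as `// passed so sdk.users.save can stop a user changing their own builder/admin/roles`. The closing brace of this `save` handler is outside the hunk.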
@@ -106,6 +106,7 @@ export const getUser = async (userId: string) => {
 interface SaveUserOpts {
 hashPassword?: boolean
 requirePassword?: boolean
+ currentUserId?: string
 }
 const buildUser = async (
@@ -170,11 +171,15 @@ const validateUniqueUser = async (email: string, tenantId: string) => {
 export const save = async (
 user: User,
- opts: SaveUserOpts = {
- hashPassword: true,
- requirePassword: true,
- }
+ opts: SaveUserOpts = {}
 ): Promise => {
+ // default booleans to true
+ if (opts.hashPassword == null) {
+ opts.hashPassword = true
+ }
+ if (opts.requirePassword == null) {
+ opts.requirePassword = true
+ }
 const tenantId = tenancy.getTenantId()
 const db = tenancy.getGlobalDB()
@@ -213,6 +218,12 @@ export const save = async (
 await validateUniqueUser(email, tenantId)
 let builtUser = await buildUser(user, opts, tenantId, dbUser)
+ // don't allow a user to update its own roles/perms
+ if (opts.currentUserId && opts.currentUserId === dbUser?._id) {
+ builtUser.builder = dbUser.builder
+ builtUser.admin = dbUser.admin
+ builtUser.roles = dbUser.roles
+ }
 // make sure we set the _id field for a new user
 // Also if this is a new user, associate groups with them
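Review bot: The new `currentUserId?: string` member of SaveUserOpts is undocumented, yet it is the switch for a security check: later in this patch `save` only pins builder/admin/roles to the stored values when this field is set and equals the saved user's `_id`. A TSDoc line on the field would make that contract visible to every caller, e.g. `/** _id of the authenticated user performing the save; when it matches the user being saved, builder/admin/roles are kept at their stored values. Omit only for trusted internal calls. */`.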
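Review bot: The new `if (opts.hashPassword == null) { opts.hashPassword = true }` and `requirePassword` blocks write into the caller's `opts` object, which the removed default literal never did; a caller that reuses one options object across calls will now find it mutated. Reassigning the parameter instead keeps the `== null` semantics without the side effect and still forwards the normalised values to `buildUser` below: `opts = { ...opts, hashPassword: opts.hashPassword ?? true, requirePassword: opts.requirePassword ?? true }`. The `): Promise => {` context line appears to have lost its type argument in this rendering; if the source really reads bare `Promise`, the `<User>` argument should be restored so the return type is checked. `save` continues outside the hunk.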
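Review bot: The new guard `if (opts.currentUserId && opts.currentUserId === dbUser?._id)` fails open: when `currentUserId` is not supplied the check is skipped entirely, so every caller of `save` must remember to pass it for the protection to apply, and only the one controller call site in this patch does. Making the guard independent of the option would be more robust, for instance throwing when no `currentUserId` is given and an existing user's builder/admin/roles differ from the stored values, or at minimum documenting that omitting the option means a trusted internal call. As written the guard also silently reverts the fields rather than rejecting the request, so the caller gets a success response for a change that was not applied; throwing an error carrying `status: 403` here would surface as a 403 through the controller's `ctx.throw(err.status || 400, err)` and make such attempts visible. `save` continues outside the hunk.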