From e8a5b0863c91429ca503aaf15a3b254f01b044ff Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Wed, 5 May 2021 22:06:31 +0100
Subject: [PATCH] do not allow users to initialise again once an admin has been created
---
 packages/worker/src/api/controllers/admin/users.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/packages/worker/src/api/controllers/admin/users.js b/packages/worker/src/api/controllers/admin/users.js
index 9d14861bb3..94c7463690 100644
--- a/packages/worker/src/api/controllers/admin/users.js
+++ b/packages/worker/src/api/controllers/admin/users.js
@@ -61,6 +61,17 @@ exports.save = async ctx => {
 }
 
 exports.adminUser = async ctx => {
+ const db = new CouchDB(GLOBAL_DB)
+ const response = await db.allDocs(
+ getGlobalUserParams(null, {
+ include_docs: true,
+ })
+ )
+
+ if (response.rows.some(row => row.doc.admin)) {
+ ctx.throw(403, "You cannot initialise once an admin user has been created.")
+ }
+
 const { email, password } = ctx.request.body
 ctx.request.body = {
 email: email,
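Review bot: The new guard in `exports.adminUser` is a check-then-create, not an atomic operation: the `allDocs` scan and the later user write (outside this hunk) are separate steps, so two concurrent initialise requests can both see no admin and both proceed. If this route is reachable without authentication, as a first-run endpoint usually is, that window matters, and the scan also loads every global user document with `include_docs: true` on each call. Consider letting the write itself enforce uniqueness (for example a document-id conflict on the first admin record) and, at minimum, state the limit above the check: `// Not atomic: concurrent init calls can both pass this guard; the write path must reject a second admin`. The function body continues past the end of the hunk, so how the user is saved could not be checked here.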