Extension on fix for user self assignment, don't allow users to change their admin/builder status.

This commit is contained in:
mike12345567 2022-12-07 12:42:14 +00:00
parent e4b9b01e8c
commit edb3c88a41
3 changed files with 19 additions and 5 deletions


@ -51,6 +51,8 @@ export async function update(ctx: BBContext, next: any) {
}
// disallow updating your own role - always overwrite with DB roles
if (isLoggedInUser(ctx, user)) {
ctx.request.body.builder = user.builder
ctx.request.body.admin = user.admin
ctx.request.body.roles = user.roles
}
const response = await saveGlobalUser(publicApiUserFix(ctx))

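Review bot: The three overwrites at the top of the hunk only protect against self-elevation if `user` is the stored record and not anything derived from the request; the comment just says "DB roles", so state the source explicitly, e.g. `// user is the DB copy of the caller: discard request-supplied builder/admin/roles so a user cannot change their own privileges`. When the stored user has no `builder` or `admin` field, these lines put explicit `undefined` keys into `ctx.request.body`, which is only safe if `saveGlobalUser` treats a missing and an `undefined` field the same way — worth confirming against that helper. This guard also duplicates the sdk-level check this commit adds via `SaveUserOpts.currentUserId`; if `saveGlobalUser` can forward that option, a single enforcement point in the sdk is easier to keep correct than two independent copies. `update` begins before this hunk and continues after it.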

@ -24,7 +24,8 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
export const save = async (ctx: any) => {
try {
ctx.body = await sdk.users.save(ctx.request.body)
const currentUserId = ctx.user._id
ctx.body = await sdk.users.save(ctx.request.body, { currentUserId })
} catch (err: any) {
ctx.throw(err.status || 400, err)
}

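Review bot: Passing `currentUserId` makes the self-modification guard opt-in per caller of `sdk.users.save`, so any other call site that omits it is unprotected; the `MAX_USERS_UPLOAD_LIMIT` constant in the hunk header suggests a bulk-import path exists in this file, and it should pass the same option if it can reach the sdk `save`. If `ctx.user` is ever unset on this route, `ctx.user._id` throws inside the `try` and is rethrown as a 400 — fail-closed, but by accident rather than design; an explicit check before the call documents the intent, e.g. `if (!ctx.user?._id) ctx.throw(403, "Authentication required")`. A one-line comment on the new local would also help the next reader: `// lets the sdk refuse changes to the caller's own builder/admin/roles`. The hunk ends at the `catch` block; `save`'s closing brace appears to fall outside it.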

@ -106,6 +106,7 @@ export const getUser = async (userId: string) => {
interface SaveUserOpts {
hashPassword?: boolean
requirePassword?: boolean
currentUserId?: string
}
const buildUser = async (
@ -170,11 +171,15 @@ const validateUniqueUser = async (email: string, tenantId: string) => {
export const save = async (
user: User,
opts: SaveUserOpts = {
hashPassword: true,
requirePassword: true,
}
opts: SaveUserOpts = {}
): Promise<CreateUserResponse> => {
// default booleans to true
if (opts.hashPassword == null) {
opts.hashPassword = true
}
if (opts.requirePassword == null) {
opts.requirePassword = true
}
const tenantId = tenancy.getTenantId()
const db = tenancy.getGlobalDB()
@ -213,6 +218,12 @@ export const save = async (
await validateUniqueUser(email, tenantId)
let builtUser = await buildUser(user, opts, tenantId, dbUser)
// don't allow a user to update its own roles/perms
if (opts.currentUserId && opts.currentUserId === dbUser?._id) {
builtUser.builder = dbUser.builder
builtUser.admin = dbUser.admin
builtUser.roles = dbUser.roles
}
// make sure we set the _id field for a new user
// Also if this is a new user, associate groups with them