Extension on fix for user self assignment, don't allow users to change their admin/builder status.

This commit is contained in:
mike12345567 2022-12-07 12:42:14 +00:00
parent e4b9b01e8c
commit edb3c88a41
3 changed files with 19 additions and 5 deletions

View File

@ -51,6 +51,8 @@ export async function update(ctx: BBContext, next: any) {
} }
// disallow updating your own role - always overwrite with DB roles // disallow updating your own role - always overwrite with DB roles
if (isLoggedInUser(ctx, user)) { if (isLoggedInUser(ctx, user)) {
ctx.request.body.builder = user.builder
ctx.request.body.admin = user.admin
ctx.request.body.roles = user.roles ctx.request.body.roles = user.roles
} }
const response = await saveGlobalUser(publicApiUserFix(ctx)) const response = await saveGlobalUser(publicApiUserFix(ctx))

View File

@ -24,7 +24,8 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
export const save = async (ctx: any) => { export const save = async (ctx: any) => {
try { try {
ctx.body = await sdk.users.save(ctx.request.body) const currentUserId = ctx.user._id
ctx.body = await sdk.users.save(ctx.request.body, { currentUserId })
} catch (err: any) { } catch (err: any) {
ctx.throw(err.status || 400, err) ctx.throw(err.status || 400, err)
} }

View File

@ -106,6 +106,7 @@ export const getUser = async (userId: string) => {
interface SaveUserOpts { interface SaveUserOpts {
hashPassword?: boolean hashPassword?: boolean
requirePassword?: boolean requirePassword?: boolean
currentUserId?: string
} }
const buildUser = async ( const buildUser = async (
@ -170,11 +171,15 @@ const validateUniqueUser = async (email: string, tenantId: string) => {
export const save = async ( export const save = async (
user: User, user: User,
opts: SaveUserOpts = { opts: SaveUserOpts = {}
hashPassword: true,
requirePassword: true,
}
): Promise<CreateUserResponse> => { ): Promise<CreateUserResponse> => {
// default booleans to true
if (opts.hashPassword == null) {
opts.hashPassword = true
}
if (opts.requirePassword == null) {
opts.requirePassword = true
}
const tenantId = tenancy.getTenantId() const tenantId = tenancy.getTenantId()
const db = tenancy.getGlobalDB() const db = tenancy.getGlobalDB()
@ -213,6 +218,12 @@ export const save = async (
await validateUniqueUser(email, tenantId) await validateUniqueUser(email, tenantId)
let builtUser = await buildUser(user, opts, tenantId, dbUser) let builtUser = await buildUser(user, opts, tenantId, dbUser)
// don't allow a user to update its own roles/perms
if (opts.currentUserId && opts.currentUserId === dbUser?._id) {
builtUser.builder = dbUser.builder
builtUser.admin = dbUser.admin
builtUser.roles = dbUser.roles
}
// make sure we set the _id field for a new user // make sure we set the _id field for a new user
// Also if this is a new user, associate groups with them // Also if this is a new user, associate groups with them