Extension on fix for user self assignment, don't allow users to change their admin/builder status.
This commit is contained in:
parent
e4b9b01e8c
commit
edb3c88a41
|
@ -51,6 +51,8 @@ export async function update(ctx: BBContext, next: any) {
|
||||||
}
|
}
|
||||||
// disallow updating your own role - always overwrite with DB roles
|
// disallow updating your own role - always overwrite with DB roles
|
||||||
if (isLoggedInUser(ctx, user)) {
|
if (isLoggedInUser(ctx, user)) {
|
||||||
|
ctx.request.body.builder = user.builder
|
||||||
|
ctx.request.body.admin = user.admin
|
||||||
ctx.request.body.roles = user.roles
|
ctx.request.body.roles = user.roles
|
||||||
}
|
}
|
||||||
const response = await saveGlobalUser(publicApiUserFix(ctx))
|
const response = await saveGlobalUser(publicApiUserFix(ctx))
|
||||||
|
|
|
@ -24,7 +24,8 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
|
||||||
|
|
||||||
export const save = async (ctx: any) => {
|
export const save = async (ctx: any) => {
|
||||||
try {
|
try {
|
||||||
ctx.body = await sdk.users.save(ctx.request.body)
|
const currentUserId = ctx.user._id
|
||||||
|
ctx.body = await sdk.users.save(ctx.request.body, { currentUserId })
|
||||||
} catch (err: any) {
|
} catch (err: any) {
|
||||||
ctx.throw(err.status || 400, err)
|
ctx.throw(err.status || 400, err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,6 +106,7 @@ export const getUser = async (userId: string) => {
|
||||||
interface SaveUserOpts {
|
interface SaveUserOpts {
|
||||||
hashPassword?: boolean
|
hashPassword?: boolean
|
||||||
requirePassword?: boolean
|
requirePassword?: boolean
|
||||||
|
currentUserId?: string
|
||||||
}
|
}
|
||||||
|
|
||||||
const buildUser = async (
|
const buildUser = async (
|
||||||
|
@ -170,11 +171,15 @@ const validateUniqueUser = async (email: string, tenantId: string) => {
|
||||||
|
|
||||||
export const save = async (
|
export const save = async (
|
||||||
user: User,
|
user: User,
|
||||||
opts: SaveUserOpts = {
|
opts: SaveUserOpts = {}
|
||||||
hashPassword: true,
|
|
||||||
requirePassword: true,
|
|
||||||
}
|
|
||||||
): Promise<CreateUserResponse> => {
|
): Promise<CreateUserResponse> => {
|
||||||
|
// default booleans to true
|
||||||
|
if (opts.hashPassword == null) {
|
||||||
|
opts.hashPassword = true
|
||||||
|
}
|
||||||
|
if (opts.requirePassword == null) {
|
||||||
|
opts.requirePassword = true
|
||||||
|
}
|
||||||
const tenantId = tenancy.getTenantId()
|
const tenantId = tenancy.getTenantId()
|
||||||
const db = tenancy.getGlobalDB()
|
const db = tenancy.getGlobalDB()
|
||||||
|
|
||||||
|
@ -213,6 +218,12 @@ export const save = async (
|
||||||
await validateUniqueUser(email, tenantId)
|
await validateUniqueUser(email, tenantId)
|
||||||
|
|
||||||
let builtUser = await buildUser(user, opts, tenantId, dbUser)
|
let builtUser = await buildUser(user, opts, tenantId, dbUser)
|
||||||
|
// don't allow a user to update its own roles/perms
|
||||||
|
if (opts.currentUserId && opts.currentUserId === dbUser?._id) {
|
||||||
|
builtUser.builder = dbUser.builder
|
||||||
|
builtUser.admin = dbUser.admin
|
||||||
|
builtUser.roles = dbUser.roles
|
||||||
|
}
|
||||||
|
|
||||||
// make sure we set the _id field for a new user
|
// make sure we set the _id field for a new user
|
||||||
// Also if this is a new user, associate groups with them
|
// Also if this is a new user, associate groups with them
|
||||||
|
|
Loading…
Reference in New Issue