Only allow admin to create new user

2024-10-04 03:54:37 +13:00 · 2022-11-29 11:36:24 +00:00 · 2022-11-29 11:36:24 +00:00 · 376e17cae1
commit 376e17cae1
parent 0b3d84b63d
2 changed files with 6 additions and 2 deletions
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -23,6 +23,10 @@ const MAX_USERS_UPLOAD_LIMIT = 1000

 export const save = async (ctx: any) => {
  try {
+    if (!ctx.request.body._id && !ctx.internal &&
+      (!ctx.user || !ctx.user.admin || !ctx.user.admin.global)) {
+        ctx.throw(403, "Only admin user can create new user.")
+    }
    ctx.body = await sdk.users.save(ctx.request.body)
  } catch (err: any) {
    ctx.throw(err.status || 400, err)
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@ -57,14 +57,14 @@ router
  )
  .post(
    "/api/global/users/bulk",
-    builderOrAdmin,
+    adminOnly,
    users.buildUserBulkUserValidation(),
    controller.bulkUpdate
  )

  .get("/api/global/users", builderOrAdmin, controller.fetch)
  .post("/api/global/users/search", builderOrAdmin, controller.search)
-  .delete("/api/global/users/:id", builderOrAdmin, controller.destroy)
+  .delete("/api/global/users/:id", adminOnly, controller.destroy)
  .get("/api/global/users/count/:appId", builderOrAdmin, controller.countByApp)
  .get("/api/global/roles/:appId")
  .post(