Extension on fix for user self assignment, don't allow users to change their admin/builder status.

2024-09-30 00:57:16 +13:00 · 2022-12-07 12:42:14 +00:00 · 2022-12-07 12:42:14 +00:00 · 85dd6f2880
commit 85dd6f2880
parent eefba10623
3 changed files with 19 additions and 5 deletions
--- a/packages/server/src/api/controllers/public/users.ts
+++ b/packages/server/src/api/controllers/public/users.ts
@ -51,6 +51,8 @@ export async function update(ctx: BBContext, next: any) {
  }
  // disallow updating your own role - always overwrite with DB roles
  if (isLoggedInUser(ctx, user)) {
+    ctx.request.body.builder = user.builder
+    ctx.request.body.admin = user.admin
    ctx.request.body.roles = user.roles
  }
  const response = await saveGlobalUser(publicApiUserFix(ctx))
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -24,7 +24,8 @@ const MAX_USERS_UPLOAD_LIMIT = 1000

 export const save = async (ctx: any) => {
  try {
-    ctx.body = await sdk.users.save(ctx.request.body)
+    const currentUserId = ctx.user._id
+    ctx.body = await sdk.users.save(ctx.request.body, { currentUserId })
  } catch (err: any) {
    ctx.throw(err.status || 400, err)
  }
--- a/packages/worker/src/sdk/users/users.ts
+++ b/packages/worker/src/sdk/users/users.ts
@ -106,6 +106,7 @@ export const getUser = async (userId: string) => {
 interface SaveUserOpts {
  hashPassword?: boolean
  requirePassword?: boolean
+  currentUserId?: string
 }

 const buildUser = async (
@ -170,11 +171,15 @@ const validateUniqueUser = async (email: string, tenantId: string) => {

 export const save = async (
  user: User,
-  opts: SaveUserOpts = {
-    hashPassword: true,
-    requirePassword: true,
-  }
+  opts: SaveUserOpts = {}
 ): Promise<CreateUserResponse> => {
+  // default booleans to true
+  if (opts.hashPassword == null) {
+    opts.hashPassword = true
+  }
+  if (opts.requirePassword == null) {
+    opts.requirePassword = true
+  }
  const tenantId = tenancy.getTenantId()
  const db = tenancy.getGlobalDB()

@ -213,6 +218,12 @@ export const save = async (
  await validateUniqueUser(email, tenantId)

  let builtUser = await buildUser(user, opts, tenantId, dbUser)
+  // don't allow a user to update its own roles/perms
+  if (opts.currentUserId && opts.currentUserId === dbUser?._id) {
+    builtUser.builder = dbUser.builder
+    builtUser.admin = dbUser.admin
+    builtUser.roles = dbUser.roles
+  }

  // make sure we set the _id field for a new user
  // Also if this is a new user, associate groups with them