Mirror/filesafe
1
0
Fork 0
mirror of https://github.com/BobbyWibowo/lolisafe.git synced 2025-01-18 17:21:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: /users/{delete,disable,edit} API routes

Browse Source 
simplify self.assertPermission function to only assert permission

fixed hard-coded "root" user protection not being asserted first
This commit is contained in:
Bobby Wibowo 2022-08-09 17:51:31 +07:00
parent 0a62002a6e
commit 8142eae9df
No known key found for this signature in database
GPG Key ID: 51C3A1E1E22D26CF
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
controllers/authController.js
View File

@ -230,12 +230,10 @@ self.changePassword = async (req, res) => {
}
self.assertPermission = (user, target) => {
if (!target) {
throw new ClientError('Could not get user with the specified ID.')
if (target.username === 'root') {
throw new ClientError('User "root" may not be tampered with.', { statusCode: 403 })
} else if (!perms.higher(user, target)) {
throw new ClientError('The user is in the same or higher group as you.', { statusCode: 403 })
} else if (target.username === 'root') {
throw new ClientError('Root user may not be tampered with.', { statusCode: 403 })
}
}
@ -319,6 +317,10 @@ self.editUser = async (req, res) => {
.where('id', id)
.first()
if (!target) {
throw new ClientError('Could not get user with the specified ID.')
}
// Ensure this user has permission to tamper with target user
self.assertPermission(req.locals.user, target)
@ -387,6 +389,10 @@ self.deleteUser = async (req, res) => {
.where('id', id)
.first()
if (!target) {
throw new ClientError('Could not get user with the specified ID.')
}
// Ensure this user has permission to tamper with target user
self.assertPermission(req.locals.user, target)