feat: same/higher group warning when editing user

Also Object.freeze() permissions object in permissionController. I don't think it's much to be worried about, as no "set" will be done to it during the service's operation, but oh well, might as well.
2025-01-31 07:11:33 +00:00 · 2021-01-09 02:51:23 +07:00 · 2021-01-09 02:51:23 +07:00 · f52493291a
commit f52493291a
parent 1049f51248
2 changed files with 18 additions and 7 deletions
--- a/controllers/permissionController.js
+++ b/controllers/permissionController.js
@ -1,18 +1,18 @@
 const self = {}

-self.permissions = {
+self.permissions = Object.freeze({
  user: 0, // Upload & delete own files, create & delete albums
  moderator: 50, // Delete other user's files
  admin: 80, // Manage users (disable accounts) & create moderators
  superadmin: 100 // Create admins
  // Groups will inherit permissions from groups which have lower value
-}
+})

 // returns true if user is in the group OR higher
 self.is = (user, group) => {
  // root bypass
  if (user.username === 'root') return true
-
+  if (typeof group !== 'string' || !group) return false
  const permission = user.permission || 0
  return permission >= self.permissions[group]
 }
--- a/src/js/dashboard.js
+++ b/src/js/dashboard.js
@ -2607,12 +2607,17 @@ page.editUser = id => {
  const user = page.cache[id]
  if (!user) return

+  let isHigher = false
  const groupOptions = Object.keys(page.permissions).map((g, i, a) => {
    const selected = g === user.displayGroup
+    if (selected) {
+      isHigher = typeof a[i + 1] !== 'undefined' && page.permissions[a[i + 1]]
+    }
    const disabled = !(a[i + 1] && page.permissions[a[i + 1]])
    return `<option value="${g}"${selected ? ' selected' : ''}${disabled ? ' disabled' : ''}>${g}</option>`
  }).join('\n')

+  const isDisabledHelper = isHigher ? '' : ' disabled'
  const div = document.createElement('div')
  div.innerHTML = `
    <div class="field">
@ -2621,14 +2626,14 @@ page.editUser = id => {
    <div class="field">
      <label class="label">Username</label>
      <div class="controls">
-        <input id="swalUsername" class="input" type="text" value="${user.username || ''}">
+        <input id="swalUsername" class="input" type="text" value="${user.username || ''}"${isDisabledHelper}>
      </div>
    </div>
    <div class="field">
      <label class="label">User group</label>
      <div class="control">
        <div class="select is-fullwidth">
-          <select id="swalGroup">
+          <select id="swalGroup"${isDisabledHelper}>
            ${groupOptions}
          </select>
        </div>
@ -2637,7 +2642,7 @@ page.editUser = id => {
    <div class="field">
      <div class="control">
        <label class="checkbox">
-          <input id="swalEnabled" type="checkbox" ${user.enabled ? 'checked' : ''}>
+          <input id="swalEnabled" type="checkbox"${user.enabled ? ' checked' : ''}${isDisabledHelper}>
          Enabled
        </label>
      </div>
@ -2645,11 +2650,17 @@ page.editUser = id => {
    <div class="field">
      <div class="control">
        <label class="checkbox">
-          <input id="swalResetPassword" type="checkbox">
+          <input id="swalResetPassword" type="checkbox"${isDisabledHelper}>
          Reset password
        </label>
      </div>
    </div>
+    ${isHigher
+      ? ''
+      : `<div class="notification is-danger">
+      You <strong>cannot</strong> modify user in the same or higher group as you.
+    </div>`
+    }
  `

  swal({