From 001dcd328c8d3b1c417fd7c7ee2aa20183b08eef Mon Sep 17 00:00:00 2001
From: TheCatLady <52870424+TheCatLady@users.noreply.github.com>
Date: Sun, 14 Mar 2021 00:46:12 -0500
Subject: [PATCH] fix: do not allow editing of user settings under certain conditions (#1168)
* fix: do not allow editing of user settings under certain conditions
* feat(lang): generate translation keys for new strings
* refactor: modify owner check for clarity
* fix(ui): hide buttons where appropriate and add missing translation string
---
server/routes/user/usersettings.ts | 20 ++++-
src/components/UserList/index.tsx | 7 +-
.../UserProfile/ProfileHeader/index.tsx | 48 +++++------
.../UserSettings/UserPermissions/index.tsx | 18 +++++
.../UserProfile/UserSettings/index.tsx | 79 ++++++++++++-------
src/components/UserProfile/index.tsx | 3 +-
src/i18n/locale/en.json | 4 +
7 files changed, 122 insertions(+), 57 deletions(-)
diff --git a/server/routes/user/usersettings.ts b/server/routes/user/usersettings.ts
index e20ee375..5b62362d 100644
--- a/server/routes/user/usersettings.ts
+++ b/server/routes/user/usersettings.ts
@@ -73,6 +73,14 @@ userSettingsRoutes.post<
return next({ status: 404, message: 'User not found.' });
}

+ // "Owner" user settings cannot be modified by other users
+ if (user.id === 1 && req.user?.id !== 1) {
+ return next({
+ status: 403,
+ message: "You do not have permission to modify this user's settings.",
+ });
+ }
+
user.username = req.body.username;
if (!user.settings) {
user.settings = new UserSettings({
@@ -240,6 +248,14 @@ userSettingsRoutes.post<
return next({ status: 404, message: 'User not found.' });
}

+ // "Owner" user settings cannot be modified by other users
+ if (user.id === 1 && req.user?.id !== 1) {
+ return next({
+ status: 403,
+ message: "You do not have permission to modify this user's settings.",
+ });
+ }
+
if (!user.settings) {
user.settings = new UserSettings({
user: req.user,
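Review bot: The owner guard added at the top of this hunk, `user.id === 1 && req.user?.id !== 1`, is duplicated verbatim in the second hunk at @@ -240 and is a third copy of the hard-coded owner id already used by the permissions handler further down, so the three checks can drift independently. A single helper next to the route definitions, e.g. `const isOwnerUser = (u: { id: number }): boolean => u.id === 1;`, with the guard written as `if (isOwnerUser(user) && !(req.user && isOwnerUser(req.user))) {`, would keep the rule in one place. The guard also denies the request when `req.user` is absent, which is the safe direction, but it presumes an authentication middleware upstream that is not visible here; a short comment such as `// req.user is populated by the auth middleware; a missing user is rejected like any non-owner` would record that dependency. Both route handlers start before their hunks, so whatever gates edits to non-owner accounts (same user or a manage-users permission) cannot be confirmed from this diff.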
@@ -309,8 +325,8 @@ userSettingsRoutes.post<
return next({ status: 404, message: 'User not found.' });
}

- // Only let the owner user modify themselves
- if (user.id === 1 && req.user?.id !== 1) {
+ // "Owner" user permissions cannot be modified, and users cannot set their own permissions
+ if (user.id === 1 || req.user?.id === user.id) {
return next({
status: 403,
message: 'You do not have permission to modify this user',
diff --git a/src/components/UserList/index.tsx b/src/components/UserList/index.tsx
index a57a9056..d82ab9ff 100644
--- a/src/components/UserList/index.tsx
+++ b/src/components/UserList/index.tsx
@@ -559,6 +559,7 @@ const UserList: React.FC = () => {
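Review bot: The replacement condition `user.id === 1 || req.user?.id === user.id` only blocks the owner account and self-edits; with `req.user` unset, a request aimed at any non-owner account passes this guard, so the handler depends on an authentication and manage-users check that starts before the hunk and cannot be confirmed here. The error message on the last hunk line is also out of step with the two new messages in the settings handlers: it has no trailing period and does not say what is protected; `message: "You do not have permission to modify this user's permissions.",` would make the three responses consistent. The handler's body continues past the hunk.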