From 77b2d9ea22a2f70cff58ac9421f3f6231bc93059 Mon Sep 17 00:00:00 2001 From: TheCatLady <52870424+TheCatLady@users.noreply.github.com> Date: Thu, 18 Feb 2021 20:20:32 -0500 Subject: [PATCH] fix(frontend): Do not allow user w/ ID 1 to disable 'Admin' permission (#965) --- server/routes/user/usersettings.ts | 7 +++++ src/components/PermissionEdit/index.tsx | 9 ++++-- src/components/PermissionOption/index.tsx | 30 +++++++++++++------ src/components/UserList/BulkEditModal.tsx | 2 +- .../UserSettings/UserPermissions/index.tsx | 3 +- 5 files changed, 37 insertions(+), 14 deletions(-) diff --git a/server/routes/user/usersettings.ts b/server/routes/user/usersettings.ts index 011f1eb64..93e7ab2ca 100644 --- a/server/routes/user/usersettings.ts +++ b/server/routes/user/usersettings.ts @@ -266,6 +266,13 @@ userSettingsRoutes.post< return next({ status: 404, message: 'User not found.' }); } + if (user.id === 1) { + return next({ + status: 500, + message: 'Permissions for user with ID 1 cannot be modified', + }); + } + user.permissions = req.body.permissions; await userRepository.save(user); diff --git a/src/components/PermissionEdit/index.tsx b/src/components/PermissionEdit/index.tsx index 455f34e5a..86faa7e20 100644 --- a/src/components/PermissionEdit/index.tsx +++ b/src/components/PermissionEdit/index.tsx @@ -53,15 +53,17 @@ export const messages = defineMessages({ }); interface PermissionEditProps { + actingUser?: User; + currentUser?: User; currentPermission: number; - user?: User; onUpdate: (newPermissions: number) => void; } export const PermissionEdit: React.FC = ({ + actingUser, + currentUser, currentPermission, onUpdate, - user, }) => { const intl = useIntl(); @@ -216,7 +218,8 @@ export const PermissionEdit: React.FC = ({ onUpdate(newPermission)} /> diff --git a/src/components/PermissionOption/index.tsx b/src/components/PermissionOption/index.tsx index 602c27eb1..37c807e8e 100644 --- a/src/components/PermissionOption/index.tsx 
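Review bot: The new guard in usersettings.ts rejects the request with `status: 500`, but refusing to change user 1's permissions is a policy decision, not a server fault; a 5xx misleads the client and any alerting keyed on server errors, so change it to `status: 403,` (Forbidden). A second gap: the only server-side rule this hunk adds is the ID-1 check, while the front-end part of the same commit also stops an acting user without `ADMIN` from toggling `ADMIN` and `MANAGE_SETTINGS`; nothing visible here applies that rule to `req.body.permissions`, so unless the route's middleware (not in the hunk) already requires `ADMIN`, a caller who passes that middleware could grant `ADMIN` by calling the API directly. The handler begins before this hunk, so that middleware cannot be confirmed from the diff. A one-line comment on the guard, `// user 1 is the bootstrap admin; its permissions are immutable so the instance can never lose its last admin`, would record why the check exists.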
+++ b/src/components/PermissionOption/index.tsx @@ -18,17 +18,19 @@ interface PermissionRequirement { interface PermissionOptionProps { option: PermissionItem; + actingUser?: User; + currentUser?: User; currentPermission: number; - user?: User; parent?: PermissionItem; onUpdate: (newPermissions: number) => void; } const PermissionOption: React.FC = ({ option, + actingUser, + currentUser, currentPermission, onUpdate, - user, parent, }) => { const autoApprovePermissions = [ @@ -44,15 +46,21 @@ const PermissionOption: React.FC = ({ <>
@@ -70,17 +78,21 @@ const PermissionOption: React.FC = ({ name="permissions" type="checkbox" disabled={ + (currentUser && currentUser.id === 1) || (option.permission !== Permission.ADMIN && hasPermission(Permission.ADMIN, currentPermission)) || (autoApprovePermissions.includes(option.permission) && hasPermission(Permission.MANAGE_REQUESTS, currentPermission)) || (!!parent?.permission && hasPermission(parent.permission, currentPermission)) || - (user && - user.id !== 1 && + (actingUser && + !hasPermission(Permission.ADMIN, actingUser.permissions) && option.permission === Permission.ADMIN) || - (user && - !hasPermission(Permission.MANAGE_SETTINGS, user.permissions) && + (actingUser && + !hasPermission( + Permission.MANAGE_SETTINGS, + actingUser.permissions + ) && option.permission === Permission.MANAGE_SETTINGS) || (option.requires && !option.requires.every((requirement) => diff --git a/src/components/UserList/BulkEditModal.tsx b/src/components/UserList/BulkEditModal.tsx index 65c0261cb..e50824392 100644 --- a/src/components/UserList/BulkEditModal.tsx +++ b/src/components/UserList/BulkEditModal.tsx @@ -104,7 +104,7 @@ const BulkEditModal: React.FC = ({
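Review bot: The new first clause of `disabled` is written as `(currentUser && currentUser.id === 1)` while the same expression already uses optional chaining for `parent?.permission`; `currentUser?.id === 1 ||` reads the same and matches the file's style. Worth a short comment above the `disabled` prop as well, since the chain now mixes two different concerns: which boxes are locked because of the *target* user (user 1, or a broader permission already covering this one) and which are locked because the *acting* user lacks the right to grant them, e.g. `// disabled when the target is user 1, when a broader permission already implies this one, or when the acting user may not grant it`. This is a UI affordance only; the server-side hunk in usersettings.ts enforces the ID-1 rule, but the acting-user checks here have no visible server counterpart in this patch. The component's JSX continues outside the hunk.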
setCurrentPermission(newPermission) diff --git a/src/components/UserProfile/UserSettings/UserPermissions/index.tsx b/src/components/UserProfile/UserSettings/UserPermissions/index.tsx index 16df9ef07..18e222b35 100644 --- a/src/components/UserProfile/UserSettings/UserPermissions/index.tsx +++ b/src/components/UserProfile/UserSettings/UserPermissions/index.tsx @@ -86,7 +86,8 @@ const UserPermissions: React.FC = () => {
setFieldValue('currentPermissions', newPermission)