public/mailtrain
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Enforce manageUsers global permission in users model

Browse source
This commit is contained in:
joker-x 2020-08-29 23:56:40 +02:00
parent 630ae7290a
commit 21976bd8f7
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
server/models/users.js
View file

@ -37,6 +37,7 @@ function hash(entity) {
} }
async function _getByTx(tx, context, key, value, extraColumns = []) { async function _getByTx(tx, context, key, value, extraColumns = []) {
shares.enforceGlobalPermission(context, 'manageUsers');
const columns = ['id', 'username', 'name', 'email', 'namespace', 'role', ...extraColumns]; const columns = ['id', 'username', 'name', 'email', 'namespace', 'role', ...extraColumns];
const user = await tx('users').select(columns).where(key, value).first(); const user = await tx('users').select(columns).where(key, value).first();
@ -109,6 +110,7 @@ async function serverValidate(context, data, isOwnAccount) {
} }
async function listDTAjax(context, params) { async function listDTAjax(context, params) {
shares.enforceGlobalPermission(context, 'manageUsers');
return await dtHelpers.ajaxListWithPermissions( return await dtHelpers.ajaxListWithPermissions(
context, context,
[{ entityTypeId: 'namespace', requiredOperations: ['manageUsers'] }], [{ entityTypeId: 'namespace', requiredOperations: ['manageUsers'] }],
@ -165,6 +167,7 @@ async function _validateAndPreprocess(tx, entity, isCreate, isOwnAccount) {
} }
async function create(context, user) { async function create(context, user) {
shares.enforceGlobalPermission(context, 'manageUsers');
let id; let id;
await knex.transaction(async tx => { await knex.transaction(async tx => {
await shares.enforceEntityPermissionTx(tx, context, 'namespace', user.namespace, 'manageUsers'); await shares.enforceEntityPermissionTx(tx, context, 'namespace', user.namespace, 'manageUsers');
@ -192,6 +195,7 @@ async function create(context, user) {
} }
async function updateWithConsistencyCheck(context, user, isOwnAccount) { async function updateWithConsistencyCheck(context, user, isOwnAccount) {
shares.enforceGlobalPermission(context, 'manageUsers');
await knex.transaction(async tx => { await knex.transaction(async tx => {
const existing = await tx('users').where('id', user.id).first(); const existing = await tx('users').where('id', user.id).first();
if (!existing) { if (!existing) {
@ -240,6 +244,7 @@ async function updateWithConsistencyCheck(context, user, isOwnAccount) {
async function remove(context, userId) { async function remove(context, userId) {
enforce(userId !== 1, 'Admin cannot be deleted'); enforce(userId !== 1, 'Admin cannot be deleted');
enforce(context.user.id !== userId, 'User cannot delete himself/herself'); enforce(context.user.id !== userId, 'User cannot delete himself/herself');
shares.enforceGlobalPermission(context, 'manageUsers');
await knex.transaction(async tx => { await knex.transaction(async tx => {
const existing = await tx('users').where('id', userId).first(); const existing = await tx('users').where('id', userId).first();