jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Remove any deleted group and user from operators and accessRestriction

Browse Source 
part of #857
This commit is contained in:
Girish Ramakrishnan
2025-10-20 16:37:14 +02:00
parent 2d5e0a51bd
commit 02fd52e366
2 changed files with 19 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/users.js
View File

@@ -316,16 +316,22 @@ async function del(user, auditSource) {
if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
const queries = [];
queries.push({ query: 'DELETE FROM groupMembers WHERE userId = ?', args: [ user.id ] });
queries.push({ query: 'DELETE FROM tokens WHERE identifier = ?', args: [ user.id ] });
queries.push({ query: 'DELETE FROM appPasswords WHERE userId = ?', args: [ user.id ] });
queries.push({ query: 'DELETE FROM users WHERE id = ?', args: [ user.id ] });
const arSearch = `JSON_SEARCH(accessRestrictionJson, 'one', ?, NULL, '$.users')`;
const opSearch = `JSON_SEARCH(operatorsJson, 'one', ?, NULL, '$.users')`;
const queries = [
{ query: `UPDATE apps SET accessRestrictionJson=JSON_REMOVE(accessRestrictionJson, REPLACE(${arSearch}, '"', '')) WHERE ${arSearch} IS NOT NULL`, args: [ user.id, user.id ] },
{ query: `UPDATE apps SET operatorsJson=JSON_REMOVE(operatorsJson, REPLACE(${opSearch}, '"', '')) WHERE ${opSearch} IS NOT NULL`, args: [ user.id, user.id ] },
{ query: 'DELETE FROM groupMembers WHERE userId = ?', args: [ user.id ] },
{ query: 'DELETE FROM tokens WHERE identifier = ?', args: [ user.id ] },
{ query: 'DELETE FROM appPasswords WHERE userId = ?', args: [ user.id ] },
{ query: 'DELETE FROM users WHERE id = ?', args: [ user.id ] }, // keep this the last query as we check affectedRows below
];
const [error, result] = await safe(database.transaction(queries));
if (error && error.sqlCode === 'ER_NO_REFERENCED_ROW_2') throw new BoxError(BoxError.NOT_FOUND, error);
if (error) throw error;
if (result[3].affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'User not found');
if (result[queries.length-1].affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'User not found');
await eventlog.add(eventlog.ACTION_USER_REMOVE, auditSource, { userId: user.id, user: removePrivateFields(user) });
}