Do not allow an admin remove itself from admins group

This commit is contained in:
Johannes Zellner
2016-02-11 11:29:04 +01:00
parent 0ea89fccb8
commit 5fce9c8d1f
2 changed files with 13 additions and 0 deletions


@@ -271,6 +271,16 @@ describe('User API', function () {
});
});
it('remove itself from admins fails', function (done) {
superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/set_groups')
.query({ access_token: token })
.send({ groupIds: [ 'somegroupid' ] })
.end(function (err, res) {
expect(res.statusCode).to.equal(403);
done();
});
});
it('create user missing username fails', function (done) {
superagent.post(SERVER_URL + '/api/v1/users')
.query({ access_token: token })
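Review bot: The assertion `expect(res.statusCode).to.equal(403);` cannot tell the new self-removal rejection apart from the pre-existing 403 the route already returns for the "Last admin" case, so this test would keep passing if the new guard were dropped while USERNAME_0 is the only admin. Asserting on the error message as well would pin the intended branch, e.g. `expect(res.body.message).to.equal('Admin removing itself from admins is not allowed');`, assuming the HttpError message is surfaced in the response body the way other tests in this file check it. A companion positive case in which the admin keeps groups.ADMIN_GROUP_ID in groupIds and receives a success status would confirm the guard blocks only removal, not every self-update. The `end` callback also ignores `err`, so a transport failure shows up as a TypeError on `res.statusCode` rather than a readable assertion failure.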


@@ -230,6 +230,9 @@ function setGroups(req, res, next) {
if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
// this route is only allowed for admins, so req.user has to be an admin
if (req.user.id === req.params.userId && req.body.groupIds.indexOf(groups.ADMIN_GROUP_ID) === -1) return next(new HttpError(403, 'Admin removing itself from admins is not allowed'));
user.setGroups(req.params.userId, req.body.groupIds, function (error) {
if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'One or more groups not found'));
if (error && error.reason === UserError.NOT_ALLOWED) return next(new HttpError(403, 'Last admin'));