Do not allow an admin remove itself from admins group

Johannes Zellner
2016-02-11 11:29:04 +01:00
parent 0ea89fccb8
commit 5fce9c8d1f
2 changed files with 13 additions and 0 deletions


@@ -230,6 +230,9 @@ function setGroups(req, res, next) {
if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
// this route is only allowed for admins, so req.user has to be an admin
if (req.user.id === req.params.userId && req.body.groupIds.indexOf(groups.ADMIN_GROUP_ID) === -1) return next(new HttpError(403, 'Admin removing itself from admins is not allowed'));
user.setGroups(req.params.userId, req.body.groupIds, function (error) {
if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'One or more groups not found'));
if (error && error.reason === UserError.NOT_ALLOWED) return next(new HttpError(403, 'Last admin'));