jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Only allow impersonation for equal or less powerful roles

Browse Source
This commit is contained in:
Johannes Zellner
2022-02-28 20:30:20 +01:00
parent aab6f222b3
commit 71dac64c4c
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/users.js
+1
View File
@@ -180,6 +180,7 @@ async function setGhost(req, res, next) {
if (typeof req.body.password !== 'string' || !req.body.password) return next(new HttpError(400, 'password must be non-empty string'));
if ('expiresAt' in req.body && typeof req.body.password !== 'number') return next(new HttpError(400, 'expiresAt must be a number'));
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
const [error] = await safe(users.setGhost(req.resource, req.body.password, req.body.expiresAt || 0));
if (error) return next(BoxError.toHttpError(error));