Fix incorrect role comparison

Girish Ramakrishnan
2020-03-15 15:56:06 -07:00
parent 2ac0fe21c6
commit 7e0ef60305
2 changed files with 4 additions and 2 deletions


@@ -71,6 +71,8 @@ function update(req, res, next) {
if ('role' in req.body) {
if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
}
if ('active' in req.body) {
@@ -78,7 +80,7 @@ function update(req, res, next) {
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
}
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
if (error) return next(BoxError.toHttpError(error));
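Review bot: In the `'role' in req.body` branch, `req.body.role` is only checked to be a string before it reaches `users.compareRoles`, so the authorization decision depends on how that helper ranks a name it does not recognise. compareRoles is not visible here; if it ranks by position in a list, an unknown name could sort below every real role and pass the `< 0` check, leaving rejection entirely to `users.update`. Rejecting unknown names before the comparison would make the check fail closed, e.g. `if (!isKnownRole(req.body.role)) return next(new HttpError(400, 'invalid role'));`, where `isKnownRole` is a placeholder for whatever role list the users module exposes. A short comment on each comparison would also help the next reader: `// cannot grant a role higher than your own` on the body-role check and `// cannot modify a user who outranks you` on the resource-role check. The body of update starts and ends outside the visible hunks.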