Check for last admin not required anymore

This is now prevented by the fact that an admin
cannot remove itself from the admin group. There
remains a race, just like before, where two admins could
each trigger the removal of the other from the admin group in parallel,
with both calls already past the admin flag check of
the tokens used. In the end, this can only be prevented with a db
constraint.
Johannes Zellner
2016-02-11 11:30:17 +01:00
parent 5fce9c8d1f
commit 98a7f44dc1
+3 -12
@@ -293,20 +293,11 @@ function setGroups(userId, groupIds, callback) {
assert(Array.isArray(groupIds));
assert.strictEqual(typeof callback, 'function');
userdb.getAllAdmins(function (error, result) {
groups.setGroups(userId, groupIds, function (error) {
if (error && error.reason === GroupError.NOT_FOUND) return callback(new UserError(UserError.NOT_FOUND, 'One or more groups not found'));
if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));
// protect from a system where there is no admin left
if (result.length <= 1 && result[0].id === userId && groupIds.indexOf(groups.ADMIN_GROUP_ID) === -1) {
return callback(new UserError(UserError.NOT_ALLOWED, 'Only admin'));
}
groups.setGroups(userId, groupIds, function (error) {
if (error && error.reason === GroupError.NOT_FOUND) return callback(new UserError(UserError.NOT_FOUND, 'One or more groups not found'));
if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));
callback();
});
callback();
});
}
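Review bot: With the admin-count guard gone, `setGroups` no longer enforces anything about the admin group, so the "at least one admin" guarantee rests entirely on a self-removal check that is not visible in this hunk. The function receives only `userId` and `groupIds`, not the identity of the caller, so it cannot tell a self-removal from a removal by another admin. Any call site that skips the external check can presumably still empty the admin group. I would document the precondition above the `groups.setGroups(...)` call, e.g. `// callers must reject an admin removing itself from groups.ADMIN_GROUP_ID; no last-admin check is done here`. A test should also cover the caller-side check rejecting a request that drops the caller's own admin membership.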