
Server: Fixed issue with user not being able to modify own profile

This commit is contained in:
Laurent Cozic 2021-06-16 14:34:58 +01:00
parent 9e1e144311
commit 3c181906c2
3 changed files with 10 additions and 4 deletions


@ -94,7 +94,8 @@ export default class UserModel extends BaseModel<User> {
if (!user.is_admin && resource.id !== user.id) throw new ErrorForbidden('non-admin user cannot modify another user');
if (!user.is_admin && 'is_admin' in resource) throw new ErrorForbidden('non-admin user cannot make themselves an admin');
if (user.is_admin && user.id === resource.id && 'is_admin' in resource && !resource.is_admin) throw new ErrorForbidden('admin user cannot make themselves a non-admin');
if (!user.is_admin && resource.max_item_size !== previousResource.max_item_size) throw new ErrorForbidden('non-admin user cannot change max_item_size');
if ('max_item_size' in resource && !user.is_admin && resource.max_item_size !== previousResource.max_item_size) throw new ErrorForbidden('non-admin user cannot change max_item_size');
if ('can_share' in resource && !user.is_admin && resource.can_share !== previousResource.can_share) throw new ErrorForbidden('non-admin user cannot change can_share');
}
if (action === AclAction.Delete) {
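Review bot: The `'max_item_size' in resource` and `'can_share' in resource` guards are a deny-list, so any privileged column added to the user table later becomes writable by a non-admin on their own profile unless another line is remembered here; an allow-list of self-service fields is denied-by-default instead. For the non-admin branch I would replace the three per-field checks with something like `const selfEditable = ['id', 'email', 'full_name', 'password'];`, `const extra = Object.keys(resource).filter(k => !selfEditable.includes(k));` and `if (!user.is_admin && extra.length) throw new ErrorForbidden(\`non-admin user cannot change ${extra.join(', ')}\`);`. The exact allow-list has to be taken from what the route layer and BaseModel put on the object before this check runs (e.g. an `updated_time`), which is not visible in this hunk — verify it against makeUser and the save path, otherwise legitimate self-edits would be rejected. The allow-list form also removes the inconsistency that `is_admin` is rejected on mere presence of the key while the other two fields only reject a changed value. The enclosing method starts and ends outside the hunk.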


@ -123,7 +123,7 @@ describe('index_users', function() {
});
test('should change user properties', async function() {
const { user, session } = await createUserAndSession(1, true);
const { user, session } = await createUserAndSession(1, false);
const userModel = models().user();
@ -298,7 +298,11 @@ describe('index_users', function() {
await expectHttpError(async () => execRequest(adminSession.id, 'POST', `users/${admin.id}`, { delete_button: true }), ErrorForbidden.httpCode);
// non-admin cannot change max_item_size
await expectHttpError(async () => patchUser(session1.id, { id: admin.id, max_item_size: 1000 }), ErrorForbidden.httpCode);
await expectHttpError(async () => patchUser(session1.id, { id: user1.id, max_item_size: 1000 }), ErrorForbidden.httpCode);
// non-admin cannot change can_share
await models().user().save({ id: user1.id, can_share: 0 });
await expectHttpError(async () => patchUser(session1.id, { id: user1.id, can_share: 1 }), ErrorForbidden.httpCode);
});


@ -35,7 +35,7 @@ function makeUser(isNew: boolean, fields: any): User {
if ('full_name' in fields) user.full_name = fields.full_name;
if ('is_admin' in fields) user.is_admin = fields.is_admin;
if ('max_item_size' in fields) user.max_item_size = fields.max_item_size || 0;
user.can_share = fields.can_share ? 1 : 0;
if ('can_share' in fields) user.can_share = fields.can_share ? 1 : 0;
const password = checkPassword(fields, false);
if (password) user.password = password;
@ -48,6 +48,7 @@ function makeUser(isNew: boolean, fields: any): User {
function defaultUser(): User {
return {
can_share: 1,
max_item_size: 0,
};
}
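Review bot: Making `can_share` conditional on `'can_share' in fields` changes the meaning of an absent key: the old line reset the flag to 0 when the field was omitted, the new one leaves the stored value untouched. If the admin user form submits this as a plain HTML checkbox, an unchecked box is not sent at all and an admin could no longer revoke sharing through the form — that depends on the template, which is not visible here, so confirm it sends an explicit 0 (for instance via a hidden input) or have the admin route set `fields.can_share = fields.can_share ? 1 : 0` before calling makeUser. I would also record the reason on the line: `// Only set can_share when the client sent it: the non-admin profile form omits it and UserModel rejects any change to it for non-admins.` Separately, `max_item_size` is stored as `fields.max_item_size || 0` without numeric coercion, so a form string such as `"1000"` reaches the model as a string; `Number(fields.max_item_size) || 0` would normalise it before it is compared against the stored number.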