Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-31 02:55:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: api bug where user profile editing continued even if not allowed

Browse Source
This commit is contained in:
Julian Lam
2020-10-15 10:23:49 -04:00
parent 205e46647c
commit cc6e995ee2
1 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/controllers/write/users.js
View File

@@ -35,11 +35,11 @@ Users.update = async (req, res) => {
// Changing own email/username requires password confirmation // Changing own email/username requires password confirmation
if (req.user.uid === req.body.uid && !passwordMatch) { if (req.user.uid === req.body.uid && !passwordMatch) {
helpers.formatApiResponse(403, res, new Error('[[error:invalid-password]]')); return helpers.formatApiResponse(403, res, new Error('[[error:invalid-password]]'));
} }
if (!canEdit) { if (!canEdit) {
helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]')); return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
} }
if (!isAdminOrGlobalMod && meta.config['username:disableEdit']) { if (!isAdminOrGlobalMod && meta.config['username:disableEdit']) {
@@ -79,19 +79,24 @@ Users.delete = async (req, res) => {
}; };
Users.deleteMany = async (req, res) => { Users.deleteMany = async (req, res) => {
await canDeleteUids(req.body.uids, res); if (await canDeleteUids(req.body.uids, res)) {
await Promise.all(req.body.uids.map(uid => processDeletion(uid, req, res))); await Promise.all(req.body.uids.map(uid => processDeletion(uid, req, res)));
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}
}; };
async function canDeleteUids(uids, res) { async function canDeleteUids(uids, res) {
if (!Array.isArray(uids)) { if (!Array.isArray(uids)) {
helpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]')); helpers.formatApiResponse(400, res, new Error('[[error:invalid-data]]'));
return false;
} }
const isMembers = await groups.isMembers(uids, 'administrators'); const isMembers = await groups.isMembers(uids, 'administrators');
if (isMembers.includes(true)) { if (isMembers.includes(true)) {
helpers.formatApiResponse(403, res, new Error('[[error:cant-delete-other-admins]]')); helpers.formatApiResponse(403, res, new Error('[[error:cant-delete-other-admins]]'));
return false;
} }
return true;
} }
async function processDeletion(uid, req, res) { async function processDeletion(uid, req, res) {