Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: reimplementing isPrivilegedOrSelfAndPasswordMatch

Browse Source
This commit is contained in:
Julian Lam
2020-10-15 21:45:47 -04:00
parent 84a179f48c
commit e98285dbbb
2 changed files with 38 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/api/users.js
View File

@@ -36,16 +36,14 @@ usersAPI.update = async function (caller, data) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
} }
const [isAdminOrGlobalMod, canEdit, hasPassword, passwordMatch] = await Promise.all([ const [isAdminOrGlobalMod, canEdit] = await Promise.all([
user.isAdminOrGlobalMod(caller.uid), user.isAdminOrGlobalMod(caller.uid),
privileges.users.canEdit(caller.uid, data.uid), privileges.users.canEdit(caller.uid, data.uid),
user.hasPassword(data.uid),
data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false,
]); ]);
// Changing own email/username requires password confirmation // Changing own email/username requires password confirmation
if (['email', 'username'].some(prop => Object.keys(data).includes(prop)) && !isAdminOrGlobalMod && caller.uid === data.uid && hasPassword && !passwordMatch) { if (['email', 'username'].some(prop => Object.keys(data).includes(prop))) {
throw new Error('[[error:invalid-password]]'); await isPrivilegedOrSelfAndPasswordMatch(caller, data);
} }
if (!canEdit) { if (!canEdit) {
@@ -189,6 +187,29 @@ usersAPI.unban = async function (caller, data) {
}); });
}; };
async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {
const uid = caller.uid;
const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
const [isAdmin, isTargetAdmin, isGlobalMod] = await Promise.all([
user.isAdministrator(uid),
user.isAdministrator(data.uid),
user.isGlobalModerator(uid),
]);
if ((isTargetAdmin && !isAdmin) || (!isSelf && !(isAdmin || isGlobalMod))) {
throw new Error('[[error:no-privileges]]');
}
const [hasPassword, passwordMatch] = await Promise.all([
user.hasPassword(data.uid),
data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false,
]);
if (isSelf && hasPassword && !passwordMatch) {
throw new Error('[[error:invalid-password]]');
}
}
async function processDeletion(uid, caller) { async function processDeletion(uid, caller) {
const isTargetAdmin = await user.isAdministrator(uid); const isTargetAdmin = await user.isAdministrator(uid);
const isSelf = parseInt(uid, 10) === caller.uid; const isSelf = parseInt(uid, 10) === caller.uid;

12
test/user.js
View File

@@ -931,6 +931,18 @@ describe('User', function () {
}); });
}); });
it('should not update a user\'s username if a password is not supplied', async () => {
let _err;
try {
await socketUser.updateProfile({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '' });
} catch (err) {
_err = err;
}
assert(_err);
assert.strictEqual(_err.message, '[[error:invalid-password]]');
});
it('should change email', function (done) { it('should change email', function (done) {
User.create({ username: 'pooremailupdate', email: 'poor@update.me', password: '123456' }, function (err, uid) { User.create({ username: 'pooremailupdate', email: 'poor@update.me', password: '123456' }, function (err, uid) {
assert.ifError(err); assert.ifError(err);