mirror of
				https://github.com/NodeBB/NodeBB.git
				synced 2025-10-26 08:36:12 +01:00 
			
		
		
		
	fix: reimplementing isPrivilegedOrSelfAndPasswordMatch
This commit is contained in:
		| @@ -36,16 +36,14 @@ usersAPI.update = async function (caller, data) { | |||||||
| 		throw new Error('[[error:invalid-data]]'); | 		throw new Error('[[error:invalid-data]]'); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	const [isAdminOrGlobalMod, canEdit, hasPassword, passwordMatch] = await Promise.all([ | 	const [isAdminOrGlobalMod, canEdit] = await Promise.all([ | ||||||
| 		user.isAdminOrGlobalMod(caller.uid), | 		user.isAdminOrGlobalMod(caller.uid), | ||||||
| 		privileges.users.canEdit(caller.uid, data.uid), | 		privileges.users.canEdit(caller.uid, data.uid), | ||||||
| 		user.hasPassword(data.uid), |  | ||||||
| 		data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false, |  | ||||||
| 	]); | 	]); | ||||||
|  |  | ||||||
| 	// Changing own email/username requires password confirmation | 	// Changing own email/username requires password confirmation | ||||||
| 	if (['email', 'username'].some(prop => Object.keys(data).includes(prop)) && !isAdminOrGlobalMod && caller.uid === data.uid && hasPassword && !passwordMatch) { | 	if (['email', 'username'].some(prop => Object.keys(data).includes(prop))) { | ||||||
| 		throw new Error('[[error:invalid-password]]'); | 		await isPrivilegedOrSelfAndPasswordMatch(caller, data); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if (!canEdit) { | 	if (!canEdit) { | ||||||
| @@ -189,6 +187,29 @@ usersAPI.unban = async function (caller, data) { | |||||||
| 	}); | 	}); | ||||||
| }; | }; | ||||||
|  |  | ||||||
|  | async function isPrivilegedOrSelfAndPasswordMatch(caller, data) { | ||||||
|  | 	const uid = caller.uid; | ||||||
|  | 	const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10); | ||||||
|  |  | ||||||
|  | 	const [isAdmin, isTargetAdmin, isGlobalMod] = await Promise.all([ | ||||||
|  | 		user.isAdministrator(uid), | ||||||
|  | 		user.isAdministrator(data.uid), | ||||||
|  | 		user.isGlobalModerator(uid), | ||||||
|  | 	]); | ||||||
|  |  | ||||||
|  | 	if ((isTargetAdmin && !isAdmin) || (!isSelf && !(isAdmin || isGlobalMod))) { | ||||||
|  | 		throw new Error('[[error:no-privileges]]'); | ||||||
|  | 	} | ||||||
|  | 	const [hasPassword, passwordMatch] = await Promise.all([ | ||||||
|  | 		user.hasPassword(data.uid), | ||||||
|  | 		data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false, | ||||||
|  | 	]); | ||||||
|  |  | ||||||
|  | 	if (isSelf && hasPassword && !passwordMatch) { | ||||||
|  | 		throw new Error('[[error:invalid-password]]'); | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
| async function processDeletion(uid, caller) { | async function processDeletion(uid, caller) { | ||||||
| 	const isTargetAdmin = await user.isAdministrator(uid); | 	const isTargetAdmin = await user.isAdministrator(uid); | ||||||
| 	const isSelf = parseInt(uid, 10) === caller.uid; | 	const isSelf = parseInt(uid, 10) === caller.uid; | ||||||
|   | |||||||
							
								
								
									
										12
									
								
								test/user.js
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								test/user.js
									
									
									
									
									
								
							| @@ -931,6 +931,18 @@ describe('User', function () { | |||||||
| 			}); | 			}); | ||||||
| 		}); | 		}); | ||||||
|  |  | ||||||
|  | 		it('should not update a user\'s username if a password is not supplied', async () => { | ||||||
|  | 			let _err; | ||||||
|  | 			try { | ||||||
|  | 				await socketUser.updateProfile({ uid: uid }, { uid: uid, username: 'updatedAgain', password: '' }); | ||||||
|  | 			} catch (err) { | ||||||
|  | 				_err = err; | ||||||
|  | 			} | ||||||
|  |  | ||||||
|  | 			assert(_err); | ||||||
|  | 			assert.strictEqual(_err.message, '[[error:invalid-password]]'); | ||||||
|  | 		}); | ||||||
|  |  | ||||||
| 		it('should change email', function (done) { | 		it('should change email', function (done) { | ||||||
| 			User.create({ username: 'pooremailupdate', email: 'poor@update.me', password: '123456' }, function (err, uid) { | 			User.create({ username: 'pooremailupdate', email: 'poor@update.me', password: '123456' }, function (err, uid) { | ||||||
| 				assert.ifError(err); | 				assert.ifError(err); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user