fix(striker-ui-api): protect mod user endpoints based on account

2 years ago · 710f076d04
parent a9d0ae4ae7
commit 710f076d04
3 changed files with 13 additions and 1 deletions
--- a/striker-ui-api/src/lib/request_handlers/user/createUser.ts
+++ b/striker-ui-api/src/lib/request_handlers/user/createUser.ts
@ -12,7 +12,12 @@ export const createUser: RequestHandler<
  CreateUserResponseBody,
  CreateUserRequestBody
 > = async (request, response) => {
-  const { body: { password: rPassword, userName: rUserName } = {} } = request;
+  const {
+    body: { password: rPassword, userName: rUserName } = {},
+    user: { name: sessionUserName } = {},
+  } = request;
+
+  if (sessionUserName !== 'admin') return response.status(401).send();

  const password = sanitize(rPassword, 'string', {
    fallback: openssl('rand', '-base64', '12').trim().replaceAll('/', '!'),
--- a/striker-ui-api/src/lib/request_handlers/user/deleteUser.ts
+++ b/striker-ui-api/src/lib/request_handlers/user/deleteUser.ts
@ -16,8 +16,11 @@ export const deleteUser: RequestHandler<
  const {
    body: { uuids: rawUserUuidList } = {},
    params: { userUuid },
+    user: { name: sessionUserName } = {},
  } = request;

+  if (sessionUserName !== 'admin') return response.status(401).send();
+
  const userUuidList = sanitize(rawUserUuidList, 'string[]');

  const ulist = userUuidList.length > 0 ? userUuidList : [userUuid];
--- a/striker-ui-api/src/lib/request_handlers/user/updateUser.ts
+++ b/striker-ui-api/src/lib/request_handlers/user/updateUser.ts
@ -15,8 +15,12 @@ export const updateUser: RequestHandler<
  const {
    body: { password: rPassword, userName: rUserName } = {},
    params: { userUuid },
+    user: { name: sessionUserName, uuid: sessionUserUuid } = {},
  } = request;

+  if (sessionUserName !== 'admin' && userUuid !== sessionUserUuid)
+    return response.status(401).send();
+
  const password = sanitize(rPassword, 'string');
  const userName = sanitize(rUserName, 'string', { modifierType: 'sql' });