fix(striker-ui-api): protect mod user endpoints based on account

main
Tsu-ba-me 2 years ago
parent a9d0ae4ae7
commit 710f076d04
  1. 7
      striker-ui-api/src/lib/request_handlers/user/createUser.ts
  2. 3
      striker-ui-api/src/lib/request_handlers/user/deleteUser.ts
  3. 4
      striker-ui-api/src/lib/request_handlers/user/updateUser.ts

@ -12,7 +12,12 @@ export const createUser: RequestHandler<
CreateUserResponseBody, CreateUserResponseBody,
CreateUserRequestBody CreateUserRequestBody
> = async (request, response) => { > = async (request, response) => {
const { body: { password: rPassword, userName: rUserName } = {} } = request; const {
body: { password: rPassword, userName: rUserName } = {},
user: { name: sessionUserName } = {},
} = request;
if (sessionUserName !== 'admin') return response.status(401).send();
const password = sanitize(rPassword, 'string', { const password = sanitize(rPassword, 'string', {
fallback: openssl('rand', '-base64', '12').trim().replaceAll('/', '!'), fallback: openssl('rand', '-base64', '12').trim().replaceAll('/', '!'),
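Review bot: The new guard `if (sessionUserName !== 'admin') return response.status(401).send();` answers 401 to a caller who is authenticated but not an admin; 401 signals missing or invalid credentials, so the authenticated-but-unauthorized case should be `return response.status(403).send();`, which also stops well-behaved clients from re-prompting for credentials they already have. Authorization here keys solely on the session user's name equalling the string 'admin' rather than on a role or privilege attribute, and nothing in this hunk ties that name to a privilege, so the check is only as strong as the guarantee that the name cannot be reassigned or duplicated; a comment such as `// authorization is by user name: 'admin' is the only account allowed to create users` or a shared `isAdmin(request.user)` helper used by all three handlers in this commit would make that dependency explicit. The `user: { name: sessionUserName } = {}` default does fail closed when `request.user` is absent. createUser starts before this hunk and its body continues past it.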

@ -16,8 +16,11 @@ export const deleteUser: RequestHandler<
const { const {
body: { uuids: rawUserUuidList } = {}, body: { uuids: rawUserUuidList } = {},
params: { userUuid }, params: { userUuid },
user: { name: sessionUserName } = {},
} = request; } = request;
if (sessionUserName !== 'admin') return response.status(401).send();
const userUuidList = sanitize(rawUserUuidList, 'string[]'); const userUuidList = sanitize(rawUserUuidList, 'string[]');
const ulist = userUuidList.length > 0 ? userUuidList : [userUuid]; const ulist = userUuidList.length > 0 ? userUuidList : [userUuid];
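Review bot: The admin guard inserted before `const userUuidList` does not stop the admin session from deleting its own account, because `ulist` (built from the body's `uuids` or the `userUuid` path parameter) is never compared with the session user's uuid; since every privileged path in this commit is gated on the name 'admin', removing that account would leave no session able to manage users. Consider destructuring `uuid: sessionUserUuid` next to `name` and, after `ulist` is built, rejecting the request with `if (ulist.includes(sessionUserUuid)) return response.status(400).send();` (or filtering that uuid out of `ulist`). The non-admin rejection should also be 403 rather than 401, as the caller is authenticated. deleteUser begins before this hunk and its body continues after it.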

@ -15,8 +15,12 @@ export const updateUser: RequestHandler<
const { const {
body: { password: rPassword, userName: rUserName } = {}, body: { password: rPassword, userName: rUserName } = {},
params: { userUuid }, params: { userUuid },
user: { name: sessionUserName, uuid: sessionUserUuid } = {},
} = request; } = request;
if (sessionUserName !== 'admin' && userUuid !== sessionUserUuid)
return response.status(401).send();
const password = sanitize(rPassword, 'string'); const password = sanitize(rPassword, 'string');
const userName = sanitize(rUserName, 'string', { modifierType: 'sql' }); const userName = sanitize(rUserName, 'string', { modifierType: 'sql' });
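Review bot: A non-admin caller passes the new guard when `userUuid === sessionUserUuid`, and the following lines still accept `rUserName` for that self-update, so any user can rename their own account; because admin status across this commit is decided by `sessionUserName !== 'admin'`, a rename into or out of the name 'admin' changes who is privileged (whether a duplicate 'admin' name is rejected further down or by the database is not visible in this hunk). Restrict renames to admins, e.g. directly after the sanitize call: `if (sessionUserName !== 'admin' && userName && userName !== sessionUserName) return response.status(403).send();`, and use 403 instead of 401 for the authenticated-but-not-allowed case at `return response.status(401).send();`. The admin-or-self condition itself is correct, but it is the third copy of this pattern in the commit and a shared guard helper would keep the three handlers in step. updateUser starts before this hunk and continues beyond it.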
