From 5e58e98bd8c80aa813aa40a826f7e722e9fcd846 Mon Sep 17 00:00:00 2001
From: rob <rob@digitaltelepresence.com>
Date: Sun, 11 Jun 2023 00:05:42 -0400
Subject: [PATCH] fix vuln for elevated privileges at create

UserService.create was adapted a while back to accomodate imports, and
was honoring a field named `isAdmin` and/or `isModerator` during create
to set the value of `flags.isAdmin` and `flags.isModerator`.

This change breaks that importer but stops people from being able to
"sign up" with Admin privileges.
---
 app/services/user.js | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/app/services/user.js b/app/services/user.js
index 81a96fb..14210cf 100644
--- a/app/services/user.js
+++ b/app/services/user.js
@@ -106,21 +106,21 @@ class UserService extends SiteService {
       user.password = maskedPassword;
 
       user.flags = {
-        isAdmin: userDefinition.isAdmin || false,
-        isModerator: userDefinition.isModerator || false,
-        isEmailVerified: userDefinition.isEmailVerified || false,
+        isAdmin: false,
+        isModerator: false,
+        isEmailVerified: false,
       };
 
       user.permissions = {
-        canLogin: userDefinition.canLogin || true,
-        canChat: userDefinition.canChat || true,
-        canComment: userDefinition.canComment || true,
-        canReport: userDefinition.canReport || true,
+        canLogin: true,
+        canChat: true,
+        canComment: true,
+        canReport: true,
       };
 
       user.optIn = {
-        system: userDefinition.optInSystem || true,
-        marketing: userDefinition.optInMarketing || false,
+        system: true,
+        marketing: false,
       };
 
       this.log.info('creating new user account', { email: userDefinition.email });