fix vuln for elevated privileges at create

UserService.create was adapted a while back to accomodate imports, and was honoring a field named `isAdmin` and/or `isModerator` during create to set the value of `flags.isAdmin` and `flags.isModerator`. This change breaks that importer but stops people from being able to "sign up" with Admin privileges.
2 years ago · 5e58e98bd8
1 changed files with 9 additions and 9 deletions
--- a/app/services/user.js
+++ b/app/services/user.js
@ -106,21 +106,21 @@ class UserService extends SiteService {
      user.password = maskedPassword;

      user.flags = {
-        isAdmin: userDefinition.isAdmin || false,
-        isModerator: userDefinition.isModerator || false,
-        isEmailVerified: userDefinition.isEmailVerified || false,
+        isAdmin: false,
+        isModerator: false,
+        isEmailVerified: false,
      };

      user.permissions = {
-        canLogin: userDefinition.canLogin || true,
-        canChat: userDefinition.canChat || true,
-        canComment: userDefinition.canComment || true,
-        canReport: userDefinition.canReport || true,
+        canLogin: true,
+        canChat: true,
+        canComment: true,
+        canReport: true,
      };

      user.optIn = {
-        system: userDefinition.optInSystem || true,
-        marketing: userDefinition.optInMarketing || false,
+        system: true,
+        marketing: false,
      };

      this.log.info('creating new user account', { email: userDefinition.email });