From 23a2a5c7065536175202d497578e4dfcd20816d7 Mon Sep 17 00:00:00 2001
From: CyberShell
Date: Mon, 19 Jun 2023 01:45:12 +0000
Subject: [PATCH] Admin banning/update logic
- Deny admin ability to ban himself
- Deny admin ability to remove his own admin privileges
- Deny admin ability to archive himself
---
app/controllers/admin/user.js | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/app/controllers/admin/user.js b/app/controllers/admin/user.js
index dd1cf2d..8687940 100644
--- a/app/controllers/admin/user.js
+++ b/app/controllers/admin/user.js
@@ -100,10 +100,14 @@ class UserAdminController extends SiteController {
 user: userService,
 } = this.dtp.services;
 try {
+ const user = await userService.getLocalUserAccount(req.body.userId);
 if (!user) {
 throw new SiteError(404, 'User not found');
 }
+ if (req.user && req.user._id.equals(user._id)) {
+ throw new SiteError(400, "You can't archive yourself");
+ }
 res.locals.job = await userService.archiveLocalUser(user);
 loganService.sendRequestEvent(module.exports, req, {
 level: 'info',
@@ -138,6 +142,11 @@ class UserAdminController extends SiteController {
 this.log.debug('local user update', { action: req.body.action });
 switch (req.body.action) {
 case 'update':
+ if (req.user._id.equals(res.locals.userAccount._id)) {
+ if (req.user.flags.isAdmin && !(userDefinition.isAdmin === 'on')) {
+ throw new SiteError(400, "You can't remove your own admin privileges");
+ }
+ }
 await userService.updateLocalForAdmin(res.locals.userAccount, req.body);
 loganService.sendRequestEvent(module.exports, req, {
 level: 'info',
@@ -153,6 +162,9 @@ class UserAdminController extends SiteController {
 break;
 case 'ban':
+ if (req.user._id.equals(res.locals.userAccount._id)) {
+ throw new SiteError(400, "You can't ban yourself");
+ }
 await userService.ban(res.locals.userAccount);
 loganService.sendRequestEvent(module.exports, req, {
 level: 'info',
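Review bot: The three new refusals in this patch report status 400, although each request is well-formed and is being denied on policy, which is what 403 expresses; `throw new SiteError(403, "You can't archive yourself");` here, and the same change for the update and ban guards in the next two hunks. The added lookup also hands `req.body.userId` to `userService.getLocalUserAccount` without checking its type; if that helper builds a query from its argument, a `typeof req.body.userId !== 'string'` guard that throws a 400 before the call keeps malformed ids out of the data layer. The enclosing method starts and ends outside the hunk.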
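Review bot: The self-demotion guard reads `userDefinition.isAdmin`, while the update a few lines below is applied from `req.body`; `userDefinition` is declared outside the hunk, so unless it is derived from that same `req.body`, the check and the write can disagree and the guard does not protect the write — worth confirming where it comes from. The nested ifs can be one condition, `if (req.user._id.equals(res.locals.userAccount._id) && req.user.flags.isAdmin && userDefinition.isAdmin !== 'on') {`, which also replaces `!(x === 'on')` with `!==`. This guard and the ban guard in the last hunk dereference `req.user._id` directly, whereas the archive guard in the first hunk first tests `req.user`; pick one assumption about an authenticated admin on these routes and apply it to all three. The enclosing `switch` and method start and end outside the hunk.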