From 3b50130f40391badd62b6ce733886c02764bf3cb Mon Sep 17 00:00:00 2001
From: amcmanu3
Date: Sun, 10 Apr 2022 19:01:53 -0400
Subject: [PATCH] Fix bug - non-super users could not create servers
---
app/classes/controllers/users_controller.py | 44 ++++----
app/classes/web/panel_handler.py | 107 ++++++++++----------
2 files changed, 77 insertions(+), 74 deletions(-)
diff --git a/app/classes/controllers/users_controller.py b/app/classes/controllers/users_controller.py
index 96169911..2c5a907a 100644
--- a/app/classes/controllers/users_controller.py
+++ b/app/classes/controllers/users_controller.py
@@ -76,31 +76,31 @@ class Users_Controller:
 logger.debug(f"user: {user_data} +role:{added_roles} -role:{removed_roles}")
 for role in added_roles:
 users_helper.get_or_create(user_id=user_id, role_id=role)
- permissions_mask = user_crafty_data.get("permissions_mask", "000")
+ permissions_mask = user_crafty_data.get("permissions_mask", "000")
- if "server_quantity" in user_crafty_data:
- limit_server_creation = user_crafty_data["server_quantity"][
- Enum_Permissions_Crafty.Server_Creation.name
- ]
+ if "server_quantity" in user_crafty_data:
+ limit_server_creation = user_crafty_data["server_quantity"][
+ Enum_Permissions_Crafty.Server_Creation.name
+ ]
- limit_user_creation = user_crafty_data["server_quantity"][
- Enum_Permissions_Crafty.User_Config.name
- ]
- limit_role_creation = user_crafty_data["server_quantity"][
- Enum_Permissions_Crafty.Roles_Config.name
- ]
- else:
- limit_server_creation = 0
- limit_user_creation = 0
- limit_role_creation = 0
+ limit_user_creation = user_crafty_data["server_quantity"][
+ Enum_Permissions_Crafty.User_Config.name
+ ]
+ limit_role_creation = user_crafty_data["server_quantity"][
+ Enum_Permissions_Crafty.Roles_Config.name
+ ]
+ else:
+ limit_server_creation = 0
+ limit_user_creation = 0
+ limit_role_creation = 0
- crafty_permissions.add_or_update_user(
- user_id,
- permissions_mask,
- limit_server_creation,
- limit_user_creation,
- limit_role_creation,
- )
+ crafty_permissions.add_or_update_user(
+ user_id,
+ permissions_mask,
+ limit_server_creation,
+ limit_user_creation,
+ limit_role_creation,
+ )
 users_helper.delete_user_roles(user_id, removed_roles)
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index 8175d058..6a15b6f8 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
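Review bot: Every removed line in this hunk reappears unchanged as an added line, so the change is indentation only, and the collapsed whitespace on this page hides what the new nesting is; the only enclosing statement visible in the context is `for role in added_roles:`, so if the block was moved under that loop, `crafty_permissions.add_or_update_user(...)` runs once per added role and not at all when an edit adds no roles, silently dropping permission-mask and quantity-limit updates on a plain edit. If the intent is to tolerate a missing `user_crafty_data` on the self-edit path, an explicit guard such as `if user_crafty_data:` placed before `permissions_mask = ...` states that and keeps the block outside the loop. A short comment above the block, e.g. `# crafty-level permissions are only touched when the caller supplied user_crafty_data`, would also help. The enclosing `update_user` method begins above the hunk.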
@@ -1758,70 +1758,73 @@ class PanelHandler(BaseHandler):
 superuser = True
 else:
 superuser = False
+ if not exec_user["superuser"]:
+ if (
+ Enum_Permissions_Crafty.User_Config
+ not in exec_user_crafty_permissions
+ ):
+ if str(user_id) != str(exec_user["user_id"]):
+ self.redirect(
+ "/panel/error?error=Unauthorized access: not a user editor"
+ )
+ return
- if Enum_Permissions_Crafty.User_Config not in exec_user_crafty_permissions:
- if str(user_id) != str(exec_user["user_id"]):
- self.redirect(
- "/panel/error?error=Unauthorized access: not a user editor"
+ user_data = {
+ "username": username,
+ "password": password0,
+ "email": email,
+ "lang": lang,
+ "hints": hints,
+ }
+ self.controller.users.update_user(user_id, user_data=user_data)
+
+ self.controller.management.add_to_audit_log(
+ exec_user["user_id"],
+ f"Edited user {username} (UID:{user_id}) password",
+ server_id=0,
+ source_ip=self.get_remote_ip(),
 )
+ self.redirect("/panel/panel_config")
 return
+ elif username is None or username == "":
+ self.redirect("/panel/error?error=Invalid username")
+ return
+ elif user_id is None:
+ self.redirect("/panel/error?error=Invalid User ID")
+ return
+ else:
+ # does this user id exist?
+ if not self.controller.users.user_id_exists(user_id):
+ self.redirect("/panel/error?error=Invalid User ID")
+ return
+ else:
+ if password0 != password1:
+ self.redirect("/panel/error?error=Passwords must match")
+ return
+
+ roles = self.get_user_role_memberships()
+ permissions_mask, server_quantity = self.get_perms_quantity()
+
+ # if email is None or "":
+ # email = "default@example.com"
 user_data = {
 "username": username,
 "password": password0,
 "email": email,
+ "enabled": enabled,
+ "roles": roles,
 "lang": lang,
+ "superuser": superuser,
 "hints": hints,
 }
- self.controller.users.update_user(user_id, user_data=user_data)
-
- self.controller.management.add_to_audit_log(
- exec_user["user_id"],
- f"Edited user {username} (UID:{user_id}) password",
- server_id=0,
- source_ip=self.get_remote_ip(),
+ user_crafty_data = {
+ "permissions_mask": permissions_mask,
+ "server_quantity": server_quantity,
+ }
+ self.controller.users.update_user(
+ user_id, user_data=user_data, user_crafty_data=user_crafty_data
 )
- self.redirect("/panel/panel_config")
- return
- elif username is None or username == "":
- self.redirect("/panel/error?error=Invalid username")
- return
- elif user_id is None:
- self.redirect("/panel/error?error=Invalid User ID")
- return
- else:
- # does this user id exist?
- if not self.controller.users.user_id_exists(user_id):
- self.redirect("/panel/error?error=Invalid User ID")
- return
-
- if password0 != password1:
- self.redirect("/panel/error?error=Passwords must match")
- return
-
- roles = self.get_user_role_memberships()
- permissions_mask, server_quantity = self.get_perms_quantity()
-
- # if email is None or "":
- # email = "default@example.com"
-
- user_data = {
- "username": username,
- "password": password0,
- "email": email,
- "enabled": enabled,
- "roles": roles,
- "lang": lang,
- "superuser": superuser,
- "hints": hints,
- }
- user_crafty_data = {
- "permissions_mask": permissions_mask,
- "server_quantity": server_quantity,
- }
- self.controller.users.update_user(
- user_id, user_data=user_data, user_crafty_data=user_crafty_data
- )
 self.controller.management.add_to_audit_log(
 exec_user["user_id"],
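Review bot: Every validation and `update_user` call in this hunk now sits under the new `if not exec_user["superuser"]:`, so when the executing user is a superuser nothing here runs and control falls through to the trailing `self.controller.management.add_to_audit_log(` context, which records an edit that was never applied; unless an `else:` branch for superusers follows outside the hunk, superuser edits are lost and the audit trail is misleading. The self-edit branch for users without `User_Config` also reaches `update_user` before the `username is None or username == ""` and `password0 != password1` checks that only the other branch performs, so nothing in this hunk stops a user from saving an empty username or a mismatched password on their own account; moving those checks ahead of the permission split, e.g. `if password0 != password1:` / `self.redirect("/panel/error?error=Passwords must match")` / `return` as the first statements after `superuser = False`, covers both paths. The enclosing handler starts and ends outside the hunk.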