Add more permission validation in user creation

luukas 2022-05-23 22:45:27 +03:00
parent 0d62223982
commit 4c981f50c2
No known key found for this signature in database
GPG Key ID: CC4915E8D71FC044


@ -99,7 +99,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
email = data.get("email", "default@example.com") email = data.get("email", "default@example.com")
enabled = data.get("enabled", True) enabled = data.get("enabled", True)
lang = data.get("lang", self.helper.get_setting("language")) lang = data.get("lang", self.helper.get_setting("language"))
superuser = data.get("superuser", False) new_superuser = data.get("superuser", False)
permissions = data.get("permissions", None) permissions = data.get("permissions", None)
roles = data.get("roles", None) roles = data.get("roles", None)
hints = data.get("hints", True) hints = data.get("hints", True)
@ -134,13 +134,24 @@ class ApiUsersIndexHandler(BaseApiHandler):
) )
permissions_mask = "".join(permissions_mask) permissions_mask = "".join(permissions_mask)
if new_superuser and not superuser:
return self.finish_json(
400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"}
)
if len(roles) != 0 and not superuser:
# HACK: This should check if the user has the roles or something
return self.finish_json(
400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
)
# TODO: do this in the most efficient way # TODO: do this in the most efficient way
user_id = self.controller.users.add_user( user_id = self.controller.users.add_user(
username, username,
password, password,
email, email,
enabled, enabled,
superuser, new_superuser,
) )
self.controller.users.update_user( self.controller.users.update_user(
user_id, user_id,
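Review bot: The request-supplied `permissions` value, joined into `permissions_mask` just above the new guards in the second hunk, gets no caller-side check here, unlike `superuser` and `roles`. Unless the lines outside the hunk validate it, a non-superuser caller could still create an account holding permissions they do not have themselves; a guard of the same shape, rejecting when the caller is not a superuser and the requested mask sets a bit the caller's own mask lacks, would close that. Separately, `roles` defaults to `None` in the first hunk, so `len(roles)` raises unless it is normalised in between; `if roles and not superuser:` avoids that. Both refusals are authorization failures, so 403 would describe them better than 400, and logging the denied attempt would help later review. The handler method starts and ends outside both hunks, so where the caller's own `superuser` flag comes from is not visible here.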