Fix role permissions

2024-08-30 18:23:09 +00:00 · 2024-05-10 22:56:50 -04:00 · 2024-05-10 22:56:50 -04:00 · b1a7142dc0
commit b1a7142dc0
parent 88fd46282d
2 changed files with 16 additions and 7 deletions
--- a/app/classes/web/routes/api/roles/role/index.py
+++ b/app/classes/web/routes/api/roles/role/index.py
@ -131,8 +131,16 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
            _,
        ) = auth_data

-        if not superuser:
-            return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
+        role = self.controller.roles.get_role(role_id)
+        if not superuser and user["user_id"] != role["manager"]:
+            return self.finish_json(
+                400,
+                {
+                    "status": "error",
+                    "error": "NOT_AUTHORIZED",
+                    "error_data": "Not Authorized",
+                },
+            )

        try:
            data = orjson.loads(self.request.body)
--- a/app/classes/web/routes/api/users/index.py
+++ b/app/classes/web/routes/api/users/index.py
@ -151,11 +151,12 @@ class ApiUsersIndexHandler(BaseApiHandler):
                400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"}
            )

-        if len(roles) != 0 and not superuser:
-            # HACK: This should check if the user has the roles or something
-            return self.finish_json(
-                400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
-            )
+        for role in roles:
+            role = self.controller.roles.get_role(role)
+            if int(role["manager"]) != int(auth_data[4]["user_id"]) and not superuser:
+                return self.finish_json(
+                    400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
+                )

        # TODO: do this in the most efficient way
        user_id = self.controller.users.add_user(