Mirrored_Repos/crafty-4
1
0
Fork 0
mirror of https://gitlab.com/crafty-controller/crafty-4.git synced 2024-08-30 18:23:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix role permissions

Browse Source
This commit is contained in:
--unset 2024-05-10 22:56:50 -04:00
parent 88fd46282d
commit b1a7142dc0
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/classes/web/routes/api/roles/role/index.py
View File

@ -131,8 +131,16 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
_, _,
) = auth_data ) = auth_data
if not superuser: role = self.controller.roles.get_role(role_id)
return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"}) if not superuser and user["user_id"] != role["manager"]:
return self.finish_json(
400,
{
"status": "error",
"error": "NOT_AUTHORIZED",
"error_data": "Not Authorized",
},
)
try: try:
data = orjson.loads(self.request.body) data = orjson.loads(self.request.body)

5
app/classes/web/routes/api/users/index.py
View File

@ -151,8 +151,9 @@ class ApiUsersIndexHandler(BaseApiHandler):
400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"} 400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"}
) )
if len(roles) != 0 and not superuser: for role in roles:
# HACK: This should check if the user has the roles or something role = self.controller.roles.get_role(role)
if int(role["manager"]) != int(auth_data[4]["user_id"]) and not superuser:
return self.finish_json( return self.finish_json(
400, {"status": "error", "error": "INVALID_ROLES_CREATE"} 400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
) )