nikdoof/pocket-id
1
0
Fork 0
mirror of https://github.com/nikdoof/pocket-id.git synced 2025-12-14 07:12:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: a non admin user was able to make himself an admin

Browse Source
This commit is contained in:
Elias Schneider
2024-08-13 20:18:41 +02:00
parent 7b4418958e
commit df0cd38dee
2 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
backend/internal/handler/user.go
View File

@@ -117,11 +117,11 @@ func createUserHandler(c *gin.Context) {
} }
func updateUserHandler(c *gin.Context) { func updateUserHandler(c *gin.Context) {
updateUser(c, c.Param("id")) updateUser(c, c.Param("id"), false)
} }
func updateCurrentUserHandler(c *gin.Context) { func updateCurrentUserHandler(c *gin.Context) {
updateUser(c, c.GetString("userID")) updateUser(c, c.GetString("userID"), true)
} }
func createOneTimeAccessTokenHandler(c *gin.Context) { func createOneTimeAccessTokenHandler(c *gin.Context) {
@@ -222,7 +222,7 @@ func getSetupAccessTokenHandler(c *gin.Context) {
c.JSON(http.StatusOK, user) c.JSON(http.StatusOK, user)
} }
func updateUser(c *gin.Context, userID string) { func updateUser(c *gin.Context, userID string, updateOwnUser bool) {
var user model.User var user model.User
if err := common.DB.Where("id = ?", userID).First(&user).Error; err != nil { if err := common.DB.Where("id = ?", userID).First(&user).Error; err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) { if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -232,14 +232,22 @@ func updateUser(c *gin.Context, userID string) {
utils.UnknownHandlerError(c, err) utils.UnknownHandlerError(c, err)
return return
} }
var updatedUser model.User var updatedUser model.User
if err := c.ShouldBindJSON(&updatedUser); err != nil { if err := c.ShouldBindJSON(&updatedUser); err != nil {
utils.HandlerError(c, http.StatusBadRequest, "invalid request body") utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
return return
} }
if err := common.DB.Model(&user).Updates(&updatedUser).Error; err != nil { user.FirstName = updatedUser.FirstName
user.LastName = updatedUser.LastName
user.Email = updatedUser.Email
user.Username = updatedUser.Username
user.Username = updatedUser.Username
if !updateOwnUser {
user.IsAdmin = updatedUser.IsAdmin
}
if err := common.DB.Save(user).Error; err != nil {
if errors.Is(err, gorm.ErrDuplicatedKey) { if errors.Is(err, gorm.ErrDuplicatedKey) {
if err := checkDuplicatedFields(user); err != nil { if err := checkDuplicatedFields(user); err != nil {
utils.HandlerError(c, http.StatusBadRequest, err.Error()) utils.HandlerError(c, http.StatusBadRequest, err.Error())
@@ -250,8 +258,7 @@ func updateUser(c *gin.Context, userID string) {
return return
} }
} }
c.JSON(http.StatusOK, user)
c.JSON(http.StatusOK, updatedUser)
} }
func checkDuplicatedFields(user model.User) error { func checkDuplicatedFields(user model.User) error {

2
backend/internal/model/webauthn.go
View File

@@ -21,7 +21,7 @@ type WebauthnCredential struct {
Name string `json:"name"` Name string `json:"name"`
CredentialID string `json:"credentialID"` CredentialID string `json:"credentialID"`
PublicKey []byte `json:"publicKey"` PublicKey []byte `json:"-"`
AttestationType string `json:"attestationType"` AttestationType string `json:"attestationType"`
Transport AuthenticatorTransportList `json:"-"` Transport AuthenticatorTransportList `json:"-"`