fix: do not allow editing of user settings under certain conditions (#1168)

* fix: do not allow editing of user settings under certain conditions * feat(lang): generate translation keys for new strings * refactor: modify owner check for clarity * fix(ui): hide buttons where appropriate and add missing translation string
2025-09-17 17:24:35 +02:00 · 2021-03-14 00:46:12 -05:00
parent 0bd0912613
commit 001dcd328c
7 changed files with 122 additions and 57 deletions
--- a/server/routes/user/usersettings.ts
+++ b/server/routes/user/usersettings.ts
@@ -73,6 +73,14 @@ userSettingsRoutes.post<
      return next({ status: 404, message: 'User not found.' });
    }

+    // "Owner" user settings cannot be modified by other users
+    if (user.id === 1 && req.user?.id !== 1) {
+      return next({
+        status: 403,
+        message: "You do not have permission to modify this user's settings.",
+      });
+    }
+
    user.username = req.body.username;
    if (!user.settings) {
      user.settings = new UserSettings({
@@ -240,6 +248,14 @@ userSettingsRoutes.post<
      return next({ status: 404, message: 'User not found.' });
    }

+    // "Owner" user settings cannot be modified by other users
+    if (user.id === 1 && req.user?.id !== 1) {
+      return next({
+        status: 403,
+        message: "You do not have permission to modify this user's settings.",
+      });
+    }
+
    if (!user.settings) {
      user.settings = new UserSettings({
        user: req.user,
@@ -309,8 +325,8 @@ userSettingsRoutes.post<
        return next({ status: 404, message: 'User not found.' });
      }

-      // Only let the owner user modify themselves
-      if (user.id === 1 && req.user?.id !== 1) {
+      // "Owner" user permissions cannot be modified, and users cannot set their own permissions
+      if (user.id === 1 || req.user?.id === user.id) {
        return next({
          status: 403,
          message: 'You do not have permission to modify this user',