fix(frontend): Do not allow user w/ ID 1 to disable 'Admin' permission (#965)

This commit is contained in:
TheCatLady
2021-02-18 20:20:32 -05:00
committed by GitHub
parent bdb3cb2025
commit 77b2d9ea22
5 changed files with 37 additions and 14 deletions


@@ -266,6 +266,13 @@ userSettingsRoutes.post<
return next({ status: 404, message: 'User not found.' }); return next({ status: 404, message: 'User not found.' });
} }
if (user.id === 1) {
return next({
status: 500,
message: 'Permissions for user with ID 1 cannot be modified',
});
}
user.permissions = req.body.permissions; user.permissions = req.body.permissions;
await userRepository.save(user); await userRepository.save(user);
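Review bot: The new guard refuses a well-formed but disallowed request with `status: 500`, which reports a server fault to the client; a policy refusal belongs under `status: 403,` (the lookup failure just above already uses a proper 404). The guard is also the only server-side restriction visible here: `user.permissions = req.body.permissions` is still assigned without checking that the value is a number or that the acting user actually holds the permissions being granted, whereas the PermissionOption hunks gate the Admin and Manage Settings checkboxes on the acting user in the UI only. The earlier part of the handler is outside the hunk and may already validate the body, in which case only the status code point stands. The route handler's signature and the rest of its body lie outside the hunk.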


@@ -53,15 +53,17 @@ export const messages = defineMessages({
}); });
interface PermissionEditProps { interface PermissionEditProps {
actingUser?: User;
currentUser?: User;
currentPermission: number; currentPermission: number;
user?: User;
onUpdate: (newPermissions: number) => void; onUpdate: (newPermissions: number) => void;
} }
export const PermissionEdit: React.FC<PermissionEditProps> = ({ export const PermissionEdit: React.FC<PermissionEditProps> = ({
actingUser,
currentUser,
currentPermission, currentPermission,
onUpdate, onUpdate,
user,
}) => { }) => {
const intl = useIntl(); const intl = useIntl();
@@ -216,7 +218,8 @@ export const PermissionEdit: React.FC<PermissionEditProps> = ({
<PermissionOption <PermissionOption
key={`permission-option-${permissionItem.id}`} key={`permission-option-${permissionItem.id}`}
option={permissionItem} option={permissionItem}
user={user} actingUser={actingUser}
currentUser={currentUser}
currentPermission={currentPermission} currentPermission={currentPermission}
onUpdate={(newPermission) => onUpdate(newPermission)} onUpdate={(newPermission) => onUpdate(newPermission)}
/> />
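Review bot: The two props introduced on `PermissionEditProps` are undocumented, and their names invert what the callers mean by them: `UserPermissions` passes its logged-in `currentUser` as `actingUser` and the edited `user` as `currentUser`, while the neighbouring `currentPermission` refers to the form value rather than to `currentUser`. Consider renaming the prop to `targetUser` (or `editedUser`) and adding TSDoc above each field: `/** The user performing the edit; gates which options they may toggle. */` above `actingUser?: User;` and `/** The user whose permissions are being edited; every option is locked when this is user ID 1. */` above `currentUser?: User;`. The same naming and documentation point applies to the mirrored props in `PermissionOptionProps` and to the call sites in BulkEditModal and UserPermissions.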


@@ -18,17 +18,19 @@ interface PermissionRequirement {
interface PermissionOptionProps { interface PermissionOptionProps {
option: PermissionItem; option: PermissionItem;
actingUser?: User;
currentUser?: User;
currentPermission: number; currentPermission: number;
user?: User;
parent?: PermissionItem; parent?: PermissionItem;
onUpdate: (newPermissions: number) => void; onUpdate: (newPermissions: number) => void;
} }
const PermissionOption: React.FC<PermissionOptionProps> = ({ const PermissionOption: React.FC<PermissionOptionProps> = ({
option, option,
actingUser,
currentUser,
currentPermission, currentPermission,
onUpdate, onUpdate,
user,
parent, parent,
}) => { }) => {
const autoApprovePermissions = [ const autoApprovePermissions = [
@@ -44,15 +46,21 @@ const PermissionOption: React.FC<PermissionOptionProps> = ({
<> <>
<div <div
className={`relative flex items-start first:mt-0 mt-4 ${ className={`relative flex items-start first:mt-0 mt-4 ${
(currentUser && currentUser.id === 1) ||
(option.permission !== Permission.ADMIN && (option.permission !== Permission.ADMIN &&
hasPermission(Permission.ADMIN, currentPermission)) || hasPermission(Permission.ADMIN, currentPermission)) ||
(autoApprovePermissions.includes(option.permission) && (autoApprovePermissions.includes(option.permission) &&
hasPermission(Permission.MANAGE_REQUESTS, currentPermission)) || hasPermission(Permission.MANAGE_REQUESTS, currentPermission)) ||
(!!parent?.permission && (!!parent?.permission &&
hasPermission(parent.permission, currentPermission)) || hasPermission(parent.permission, currentPermission)) ||
(user && user.id !== 1 && option.permission === Permission.ADMIN) || (actingUser &&
(user && !hasPermission(Permission.ADMIN, actingUser.permissions) &&
!hasPermission(Permission.MANAGE_SETTINGS, user.permissions) && option.permission === Permission.ADMIN) ||
(actingUser &&
!hasPermission(
Permission.MANAGE_SETTINGS,
actingUser.permissions
) &&
option.permission === Permission.MANAGE_SETTINGS) || option.permission === Permission.MANAGE_SETTINGS) ||
(option.requires && (option.requires &&
!option.requires.every((requirement) => !option.requires.every((requirement) =>
@@ -70,17 +78,21 @@ const PermissionOption: React.FC<PermissionOptionProps> = ({
name="permissions" name="permissions"
type="checkbox" type="checkbox"
disabled={ disabled={
(currentUser && currentUser.id === 1) ||
(option.permission !== Permission.ADMIN && (option.permission !== Permission.ADMIN &&
hasPermission(Permission.ADMIN, currentPermission)) || hasPermission(Permission.ADMIN, currentPermission)) ||
(autoApprovePermissions.includes(option.permission) && (autoApprovePermissions.includes(option.permission) &&
hasPermission(Permission.MANAGE_REQUESTS, currentPermission)) || hasPermission(Permission.MANAGE_REQUESTS, currentPermission)) ||
(!!parent?.permission && (!!parent?.permission &&
hasPermission(parent.permission, currentPermission)) || hasPermission(parent.permission, currentPermission)) ||
(user && (actingUser &&
user.id !== 1 && !hasPermission(Permission.ADMIN, actingUser.permissions) &&
option.permission === Permission.ADMIN) || option.permission === Permission.ADMIN) ||
(user && (actingUser &&
!hasPermission(Permission.MANAGE_SETTINGS, user.permissions) && !hasPermission(
Permission.MANAGE_SETTINGS,
actingUser.permissions
) &&
option.permission === Permission.MANAGE_SETTINGS) || option.permission === Permission.MANAGE_SETTINGS) ||
(option.requires && (option.requires &&
!option.requires.every((requirement) => !option.requires.every((requirement) =>
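Review bot: In both the className expression and the `disabled` expression, each actor-based guard has the form `(actingUser && !hasPermission(...))`, so when `actingUser` is omitted (the prop is optional, `actingUser?: User`) those guards evaluate to undefined and the Admin and Manage Settings options become enabled — the lock fails open rather than closed. Since the type permits rendering without an acting user, consider making `actingUser` required, or locking the option when it is absent: `((!actingUser || !hasPermission(Permission.ADMIN, actingUser.permissions)) && option.permission === Permission.ADMIN)` and the analogous form for `Permission.MANAGE_SETTINGS`. The same multi-line condition is now maintained twice, once in the className template and once in `disabled={...}`, and the two copies have already diverged in formatting; hoisting it into a single `const isDisabled = ...` above the return and using `disabled={isDisabled}` in both places would keep them from drifting. The component body begins before the first hunk, and the condition continues past the end of both later hunks.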


@@ -104,7 +104,7 @@ const BulkEditModal: React.FC<BulkEditProps> = ({
<div className="form-input"> <div className="form-input">
<div className="max-w-lg"> <div className="max-w-lg">
<PermissionEdit <PermissionEdit
user={currentUser} actingUser={currentUser}
currentPermission={currentPermission} currentPermission={currentPermission}
onUpdate={(newPermission) => onUpdate={(newPermission) =>
setCurrentPermission(newPermission) setCurrentPermission(newPermission)
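Review bot: `BulkEditModal` now passes `actingUser` but no `currentUser`, so the ID-1 lock added to PermissionOption (`currentUser && currentUser.id === 1`) never applies in bulk editing; presumably the operator can include user 1 in a bulk change, and the updated server route then rejects that user's update. If the bulk save iterates over the selected users (that logic is outside this hunk), it should either exclude ID 1 from the selection before submitting or surface the per-user failure to the operator. At minimum a JSX comment above the element, `{/* no currentUser here: the ID-1 restriction is enforced server-side for bulk edits */}`, would record that the omission is intentional.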


@@ -86,7 +86,8 @@ const UserPermissions: React.FC = () => {
<div className="form-input"> <div className="form-input">
<div className="max-w-lg"> <div className="max-w-lg">
<PermissionEdit <PermissionEdit
user={currentUser} actingUser={currentUser}
currentUser={user}
currentPermission={values.currentPermissions ?? 0} currentPermission={values.currentPermissions ?? 0}
onUpdate={(newPermission) => onUpdate={(newPermission) =>
setFieldValue('currentPermissions', newPermission) setFieldValue('currentPermissions', newPermission)