fix: add correct permission checks to modifying user password/permissions

2025-09-17 17:24:35 +02:00 · 2021-03-02 08:18:31 +00:00
parent 2771376ecc
commit ddfc5e6aa8
4 changed files with 54 additions and 8 deletions
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -167,7 +167,10 @@ router.get<{ id: string }, UserRequestsResponse>(
  }
 );

-const canMakePermissionsChange = (permissions: number, user?: User) =>
+export const canMakePermissionsChange = (
+  permissions: number,
+  user?: User
+): boolean =>
  // Only let the owner grant admin privileges
  !(hasPermission(Permission.ADMIN, permissions) && user?.id !== 1) ||
  // Only let users with the manage settings permission, grant the same permission