Merge branch 'develop' into feature/396-localisation

indiachan-spamvector
Thomas Lynch 1 year ago
commit 8ddaee00ca
  1. 2
      CHANGELOG.md
  2. 13
      controllers/forms/editaccount.js
  3. 3
      gulpfile.js
  4. 2
      lib/permission/permission.js
  5. 24
      lib/permission/permission.test.js
  6. 1
      lib/permission/permissions.js
  7. 2
      models/forms/editrole.js

@ -1,6 +1,8 @@
### 0.11.2
- Convert the assets page form handling to the newer checkSchema code.
- Don't show the "Edit" option in the post dropdowns for public pages.
- No longer apply permissions inheritance after editing to prevent confusion.
- Improve duplicate checking when editing roles to only explicitly match updated roles rather than applying inheritance first.
- Bugfix "my permission" page not displaying correctly and board staff permission editing not applying.
- Improve required parent permission display to show "requires X" in the tooltip of disabled checkboxes.

@ -5,6 +5,8 @@ const editAccount = require(__dirname+'/../../models/forms/editaccount.js')
, dynamicResponse = require(__dirname+'/../../lib/misc/dynamic.js')
, paramConverter = require(__dirname+'/../../lib/middleware/input/paramconverter.js')
, roleManager = require(__dirname+'/../../lib/permission/rolemanager.js')
, { Permissions } = require(__dirname+'/../../lib/permission/permissions.js')
, Permission = require(__dirname+'/../../lib/permission/permission.js')
, { alphaNumericRegex, checkSchema, lengthBody, inArrayBody, existsBody } = require(__dirname+'/../../lib/input/schema.js');
module.exports = {
@ -22,12 +24,21 @@ module.exports = {
{ result: async () => {
res.locals.editingAccount = await Accounts.findOne(req.body.username);
return res.locals.editingAccount != null;
}, expected: true, error: 'Invalid account username' },
}, expected: true, blocking: true, error: 'Invalid account username' },
{ result: (res.locals.user.username === req.body.username), expected: false, error: 'You can\'t edit your own permissions' },
{ result: !existsBody(req.body.template) //no template, OR the template is a valid one
|| inArrayBody(req.body.template, [roleManager.roles.ANON.base64, roleManager.roles.GLOBAL_STAFF.base64,
roleManager.roles.ADMIN.base64, roleManager.roles.BOARD_STAFF.base64, roleManager.roles.BOARD_OWNER.base64]),
expected: true, error: 'Invalid template selection' },
{ result: () => {
//not applying a template, OR the user doesn't have root perms, has to be a function to execute after the async result above.
if (!existsBody(req.body.template)) {
return true;
}
const editingPermission = new Permission(res.locals.editingAccount.permissions);
return !editingPermission.get(Permissions.ROOT);
},
expected: true, error: 'You can\'t apply template permissions to a ROOT user.' },
]);
if (errors.length > 0) {
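Review bot: The ROOT-template guard at the `result: () => {` entry dereferences `res.locals.editingAccount` (the `new Permission(res.locals.editingAccount.permissions)` line), which is only populated by the preceding async lookup; it avoids a TypeError solely because that lookup is now marked `blocking: true`. That coupling is not stated anywhere, so a later edit that drops `blocking` would turn an invalid username into an unhandled exception instead of the 'Invalid account username' error. I'd make the dependency explicit in the existing comment: `//relies on the blocking account lookup above: editingAccount is guaranteed non-null here`. The check also only refuses templates for a ROOT target; whether the editor's own permissions are verified before a template such as ADMIN is applied presumably happens in models/forms/editaccount.js, which this hunk does not show. The checkSchema array begins before the hunk.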

@ -143,6 +143,9 @@ async function password() {
const { Accounts } = require(__dirname+'/db/');
const randomPassword = randomBytes(20).toString('base64');
await Accounts.changePassword('admin', randomPassword);
const ROOT = new Permission();
ROOT.setAll(Permission.allPermissions);
await Accounts.setAccountPermissions('admin', ROOT);
console.log('=====LOGIN DETAILS=====\nusername: admin\npassword:', randomPassword, '\n=======================');
}
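Review bot: The `password` task now also replaces the admin account's permission set with every bit (`ROOT.setAll(Permission.allPermissions)` followed by `setAccountPermissions`), so an operator who runs it only to rotate a password silently re-elevates an admin account whose permissions may have been deliberately reduced. If the intent is a full recovery task, the task name and the console output should say so; otherwise the permission grant belongs in a separate task or behind a flag. At minimum add a comment above the `new Permission()` line: `// Recovery: grants ALL permissions to 'admin', not just a new password`. The body of password() starts before this hunk.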

@ -30,7 +30,7 @@ class Permission extends BigBitfield {
const handlingBits = boardOnly ? Permissions._MANAGE_BOARD_BITS : Object.keys(Metadata);
for (let bit of handlingBits) {
// If perm has no "parent" bit, or current user has the parent permission, set each bit based on the form input
const allowedParent = !Metadata[bit].parent
const allowedParent = Metadata[bit].parent == null
|| editorPermission.get(Metadata[bit].parent);
if (allowedParent && !Metadata[bit].block) {
this.set(parseInt(bit), (body[`permission_bit_${bit}`] != null));
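Review bot: The `== null` comparison on the new `allowedParent` line is load-bearing in a non-obvious way: Permissions.ROOT appears to be bit 0 (the tests exercise `permission_bit_0` for it) and ROOT's Metadata entry lists itself as parent, so the old `!Metadata[bit].parent` treated ROOT as parentless and let any editor set it, while `== null` requires the editor to hold ROOT. That deserves a why-comment so nobody "simplifies" it back, e.g. `// == null, not !: ROOT is bit 0 and is its own parent, so a falsy parent of 0 must still count`. While here, `parseInt(bit)` on the following line should pass a radix, `parseInt(bit, 10)`. handleBody() starts and continues outside this hunk.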

@ -67,6 +67,28 @@ describe('testing permissions', () => {
expect(Permission.allPermissions.every(b => NO_PERMISSION.get(b))).toBe(true);
});
//todo: what othe rpermissions test should be added?
test('handleBody() by somebody with editorPermission NOT having Permissions.ROOT cannot set Permissions.ROOT', () => {
const TEST_PERMISSION = new Permission();
TEST_PERMISSION.handleBody({
'permission_bit_0': 0,
}, ANON);
expect(TEST_PERMISSION.get(0)).toBe(false);
});
test('handleBody() by somebody with editorPermission having Permissions.ROOT CAN set Permissions.ROOT', () => {
const TEST_PERMISSION = new Permission();
TEST_PERMISSION.handleBody({
'permission_bit_0': 0,
}, ROOT);
expect(TEST_PERMISSION.get(0)).toBe(true);
});
test('handleBody() does not allow setting permission outside of _MANAGE_BOARD_BITS when boardOnly=true, even with permission', () => {
const TEST_PERMISSION = new Permission();
TEST_PERMISSION.handleBody({
'permission_bit_0': 0,
}, ROOT, true);
expect(TEST_PERMISSION.get(0)).toBe(false);
});
});
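Review bot: The three new handleBody() tests cover the parent check but not the `block` branch of the same condition (`allowedParent && !Metadata[bit].block`), so a regression that lets a blocked bit through the form would still pass this suite. I'd add a fourth case that calls `handleBody({ 'permission_bit_<BLOCKED_BIT>': 0 }, ROOT)` with a bit whose Metadata has `block` set and expects `get(<BLOCKED_BIT>)` to be false; the actual bit number lives in permissions.js, which this hunk does not show. The `//todo: what othe rpermissions test should be added?` comment just above the new tests has a typo (`other permissions`) and could now be narrowed to the cases still missing.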

@ -50,7 +50,6 @@ const Permissions = Object.seal(Object.freeze(Object.preventExtensions({
})));
//todo: make these keyed by the bits? but then how to get the name param for form fields? might change that
const Metadata = Object.seal(Object.freeze(Object.preventExtensions({
[Permissions.ROOT]: { title: 'Root', label: 'Root', desc: 'Full control. Use with caution!', parent: Permissions.ROOT },

@ -10,7 +10,7 @@ module.exports = async (req, res) => {
let rolePermissions = new Permission(res.locals.editingRole.permissions);
rolePermissions.handleBody(req.body, res.locals.permissions);
rolePermissions.applyInheritance();
// rolePermissions.applyInheritance();
const existingRoleName = roleManager.roleNameMap[rolePermissions.base64];
if (existingRoleName) {
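Review bot: The change leaves `// rolePermissions.applyInheritance();` as commented-out code, which tells a reader neither whether the call is dead nor whether it is temporarily disabled. Replace it with a why-comment stating the decision, e.g. `// Inheritance is intentionally NOT applied here so the saved role matches exactly what was edited (see CHANGELOG 0.11.2)`, and drop the dead call. The handler's body continues outside the hunk.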
