editAccount no longer allows account editors to apply roles to users with root permission

indiachan-spamvector
Thomas Lynch 1 year ago
parent f9672375b3
commit ef4de0fb07
  1. 13
      controllers/forms/editaccount.js

@ -5,6 +5,8 @@ const editAccount = require(__dirname+'/../../models/forms/editaccount.js')
, dynamicResponse = require(__dirname+'/../../lib/misc/dynamic.js')
, paramConverter = require(__dirname+'/../../lib/middleware/input/paramconverter.js')
, roleManager = require(__dirname+'/../../lib/permission/rolemanager.js')
, { Permissions } = require(__dirname+'/../../lib/permission/permissions.js')
, Permission = require(__dirname+'/../../lib/permission/permission.js')
, { alphaNumericRegex, checkSchema, lengthBody, inArrayBody, existsBody } = require(__dirname+'/../../lib/input/schema.js');
module.exports = {
@ -22,12 +24,21 @@ module.exports = {
{ result: async () => {
res.locals.editingAccount = await Accounts.findOne(req.body.username);
return res.locals.editingAccount != null;
}, expected: true, error: 'Invalid account username' },
}, expected: true, blocking: true, error: 'Invalid account username' },
{ result: (res.locals.user.username === req.body.username), expected: false, error: 'You can\'t edit your own permissions' },
{ result: !existsBody(req.body.template) //no template, OR the template is a valid one
|| inArrayBody(req.body.template, [roleManager.roles.ANON.base64, roleManager.roles.GLOBAL_STAFF.base64,
roleManager.roles.ADMIN.base64, roleManager.roles.BOARD_STAFF.base64, roleManager.roles.BOARD_OWNER.base64]),
expected: true, error: 'Invalid template selection' },
{ result: () => {
//not applying a template, OR the user doesn't have root perms, has to be a function to execute after the async result above.
if (!existsBody(req.body.template)) {
return true;
}
const editingPermission = new Permission(res.locals.editingAccount.permissions);
return !editingPermission.get(Permissions.ROOT);
},
expected: true, error: 'You can\'t apply template permissions to a ROOT user.' },
]);
if (errors.length > 0) {
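Review bot: The new ROOT guard in the last schema entry returns true whenever `req.body.template` is absent, so it only protects ROOT accounts on the template path; a request that edits the permissions of a ROOT account without a template still passes this schema. Whether models/forms/editaccount.js restricts that path is not visible in this hunk, so it should either be confirmed there or the guard made unconditional for editors who do not hold ROOT themselves. The guard also dereferences `res.locals.editingAccount.permissions`, which is only safe because the account lookup above is now `blocking: true`. A comment such as `// relies on the blocking lookup above: editingAccount is non-null here` would keep that coupling from being broken later. The enclosing handler starts and ends outside the hunk.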
