fix(user.set): can be used by non admins

Julien Fontanet 2016-08-18 14:16:40 +02:00
parent 70d5c1034d
commit 016037adc1


@ -58,15 +58,21 @@ getAll.permission = 'admin'
// ------------------------------------------------------------------- // -------------------------------------------------------------------
export async function set ({id, email, password, permission, preferences}) { export async function set ({id, email, password, permission, preferences}) {
if (permission && id === this.session.get('user_id')) { const isAdmin = this.user && this.user.permission === 'admin'
throw new InvalidParameters('a user cannot change its own permission') if (isAdmin) {
if (permission && id === this.session.get('user_id')) {
throw new InvalidParameters('a user cannot change its own permission')
}
} else if (email || password || permission) {
throw new InvalidParameters('this properties can only changed by an administrator')
} }
await this.updateUser(id, {email, password, permission, preferences}) await this.updateUser(id, {email, password, permission, preferences})
} }
set.description = 'changes the properties of an existing user' set.description = 'changes the properties of an existing user'
set.permission = 'admin' set.permission = ''
set.params = { set.params = {
id: { type: 'string' }, id: { type: 'string' },
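Review bot: The non-admin path of `set` rejects `email`, `password` and `permission` but never compares `id` with the caller, so once `set.permission = ''` opens the method, a non-admin can pass another user's `id` and have `this.updateUser` overwrite that user's `preferences`. Add an ownership check ahead of the field check, e.g. `if (!isAdmin && id !== this.session.get('user_id')) throw new InvalidParameters('a user can only change its own preferences')`. The field check also relies on truthiness, so an empty-string `email` or `password` from a non-admin is still forwarded to `updateUser`; comparing each against `undefined` would close that, though how `updateUser` treats empty values is not visible here. What `permission = ''` admits (presumably any authenticated session) is decided outside this hunk and should be confirmed.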