NuKVM/xen-orchestra
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(user.set): cannot change self permission (#353)

Browse Source
This commit is contained in:
Fabrice Marsaud 2016-06-28 13:28:31 +02:00 committed by Julien Fontanet
parent 1127ec3a90
commit 687809db9d
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/api/user.js
View File

@ -22,7 +22,7 @@ create.params = {
// Deletes an existing user. // Deletes an existing user.
async function delete_ ({id}) { async function delete_ ({id}) {
if (id === this.session.get('user_id')) { if (id === this.session.get('user_id')) {
throw new InvalidParameters('an user cannot delete itself') throw new InvalidParameters('a user cannot delete itself')
} }
await this.deleteUser(id) await this.deleteUser(id)
@ -58,6 +58,9 @@ getAll.permission = 'admin'
// ------------------------------------------------------------------- // -------------------------------------------------------------------
export async function set ({id, email, password, permission}) { export async function set ({id, email, password, permission}) {
if (permission && id === this.session.get('user_id')) {
throw new InvalidParameters('a user cannot change it\'s own permission')
}
await this.updateUser(id, {email, password, permission}) await this.updateUser(id, {email, password, permission})
} }