liz/wikijs-fork
liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: prevent manage system assignment from manage groups permission

Browse Source
This commit is contained in:
NGPixel 2022-05-09 21:36:13 -04:00
parent a06201aaf5
commit 78d02dc8e5
No known key found for this signature in database
GPG Key ID: 8FDA2F1757F60D63
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/graph/resolvers/group.js
View File

@ -173,6 +173,14 @@ module.exports = {
throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.') throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.')
} }
// Check assigned permissions for manage:groups
if (
WIKI.auth.checkExclusiveAccess(req.user, ['manage:groups'], ['manage:system']) &&
args.permissions.some(p => _.last(p.split(':')) === 'system')
) {
throw new gql.GraphQLError('You are not authorized to manage this group or assign the manage:system permissions.')
}
// Update group // Update group
await WIKI.models.groups.query().patch({ await WIKI.models.groups.query().patch({
name: args.name, name: args.name,