From 240c43060e96afef35de3573eb22a67214323e62 Mon Sep 17 00:00:00 2001
From: mei23
Date: Wed, 27 Dec 2023 01:30:47 +0900
Subject: [PATCH] fix: prohibit Apps to use admin/moderator permission
---
 packages/backend/src/server/api/call.ts | 12 ++++++++++++
 .../server/api/endpoints/admin/accounts/create.ts | 6 +++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/packages/backend/src/server/api/call.ts b/packages/backend/src/server/api/call.ts
index 9883f95a..4cb4a51a 100644
--- a/packages/backend/src/server/api/call.ts
+++ b/packages/backend/src/server/api/call.ts
@@ -130,6 +130,18 @@ export default async (
 });
 }
 
+ if (token && ep.meta.requireAdmin) {
+ throw new ApiError(accessDenied, {
+ reason: "Apps cannot use admin privileges.",
+ });
+ }
+
+ if (token && ep.meta.requireModerator) {
+ throw new ApiError(accessDenied, {
+ reason: "Apps cannot use moderator privileges.",
+ });
+ }
+
 // Cast non JSON input
 if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) {
 for (const k of Object.keys(ep.params.properties)) {
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index e5972173..c5a990c9 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
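Review bot: The two new guards in call.ts fire only for endpoints whose meta declares `requireAdmin` or `requireModerator`, so a privileged endpoint that checks the role inside its own handler is not covered by them; admin/accounts/create.ts in this same patch apparently needed a separate `if (token)` check for that reason. The remaining admin and moderator handlers should be audited for in-handler role checks, and the guards deserve a comment such as `// App access tokens are delegated credentials: never let them reach admin/moderator endpoints, whatever scopes they carry.` The two blocks differ only in the flag and the reason string, so they could share one branch. The enclosing function starts and ends outside the hunk, so how `token` is populated is not visible; the check presumably relies on it being null for first-party sessions, which is worth confirming with a test.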
@@ -30,14 +30,14 @@ export const paramDef = { required: ["username", "password"], } as const; -export default define(meta, paramDef, async (ps, _me) => { +export default define(meta, paramDef, async (ps, _me, token) => { const me = _me ? await Users.findOneByOrFail({ id: _me.id }) : null; const noUsers = (await Users.countBy({ host: IsNull(), - isAdmin: true, })) === 0; - if (!(noUsers || me?.isAdmin)) throw new Error("access denied"); + if (!noUsers && !me?.isAdmin) throw new Error("access denied"); + if (token) throw new Error("access denied"); const { account, secret } = await signup({ username: ps.username,
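Review bot: The added `if (token) throw new Error("access denied");` sits after the handler has already run `Users.findOneByOrFail` and `Users.countBy`, so a request carrying an app token costs two queries before it is refused; moving that line to the top of the handler rejects it first. Both rejections here throw a plain `Error`, while call.ts in this patch uses `new ApiError(accessDenied, …)`; unless the caller maps plain errors to an access-denied response, clients will probably see an internal error, so the error type is worth aligning. The `noUsers` count followed by `signup` is also a check-then-act sequence, and two simultaneous first-run requests could presumably both pass it unless `signup` or a transaction enforces the limit. The `signup({` call continues past the end of the hunk.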