sup39/firefish
1
0
Fork 0
Code Issues Pull requests Activity

fix: prohibit Apps to use admin/moderator permission

Browse source
This commit is contained in:
mei23 2023-12-27 01:30:47 +09:00 committed by naskya
parent fa257be0fe
commit 240c43060e
Signed by: naskya
GPG key ID: 712D413B3A9FED5C
2 changed files with 15 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
packages/backend/src/server/api/call.ts
View file

@ -130,6 +130,18 @@ export default async (
}); });
} }
if (token && ep.meta.requireAdmin) {
throw new ApiError(accessDenied, {
reason: "Apps cannot use admin privileges.",
});
}
if (token && ep.meta.requireModerator) {
throw new ApiError(accessDenied, {
reason: "Apps cannot use moderator privileges.",
});
}
// Cast non JSON input // Cast non JSON input
if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) { if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) {
for (const k of Object.keys(ep.params.properties)) { for (const k of Object.keys(ep.params.properties)) {

6
packages/backend/src/server/api/endpoints/admin/accounts/create.ts
View file

@ -30,14 +30,14 @@ export const paramDef = {
required: ["username", "password"], required: ["username", "password"],
} as const; } as const;
export default define(meta, paramDef, async (ps, _me) => { export default define(meta, paramDef, async (ps, _me, token) => {
const me = _me ? await Users.findOneByOrFail({ id: _me.id }) : null; const me = _me ? await Users.findOneByOrFail({ id: _me.id }) : null;
const noUsers = const noUsers =
(await Users.countBy({ (await Users.countBy({
host: IsNull(), host: IsNull(),
isAdmin: true,
})) === 0; })) === 0;
if (!(noUsers || me?.isAdmin)) throw new Error("access denied"); if (!noUsers && !me?.isAdmin) throw new Error("access denied");
if (token) throw new Error("access denied");
const { account, secret } = await signup({ const { account, secret } = await signup({
username: ps.username, username: ps.username,