fix: prevent manage system assignment from manage groups permission
pull/4015/merge
NGPixel
2 years ago
No known key found for this signature in database
GPG Key ID: 8FDA2F1757F60D63
1 changed files with
8 additions and
0 deletions
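--- a/server/graph/resolvers/group.js
+++ b/server/graph/resolvers/group.js
@@ -173,6 +173,14 @@ module.exports = {
 throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.')
 }
 
+// Check assigned permissions for manage:groups
+if (
+WIKI.auth.checkExclusiveAccess(req.user, ['manage:groups'], ['manage:system']) &&
+args.permissions.some(p => _.last(p.split(':')) === 'system')
+) {
+throw new gql.GraphQLError('You are not authorized to manage this group or assign the manage:system permissions.')
+}
+
 // Update group
 await WIKI.models.groups.query().patch({
 name: args.name,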
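Review bot: The added guard before `// Update group` is a denylist on a single suffix: `_.last(p.split(':')) === 'system'` rejects only permission strings whose last segment is exactly `system`, so a caller holding `manage:groups` without `manage:system` can still grant the group any other permission through this mutation, unless the check just above the hunk (not visible here) already limits that. Consider rejecting every requested permission the caller does not hold, or using an explicit allowlist of delegable permissions, and state the rule in a comment such as `// manage:groups alone must never grant a permission the caller lacks`. The comparison is also exact-match, so it relies on permission strings being canonical (no case or whitespace variants) when they are stored and later evaluated; that is worth confirming, or normalise before the test. The enclosing resolver starts and ends outside the hunk, so it cannot be seen from here whether adding members to a group that already carries `manage:system` is guarded the same way.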