From 54b6f7d726e0bd9dbc573dec677f47586f21b630 Mon Sep 17 00:00:00 2001
From: Valentin Tolmer
Date: Fri, 24 Sep 2021 22:40:33 +0200
Subject: [PATCH] graphql: Add guardrails to prevent deleting all the admins
---
 server/src/infra/graphql/mutation.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/server/src/infra/graphql/mutation.rs b/server/src/infra/graphql/mutation.rs
index c8cabb4..f9e71dd 100644
--- a/server/src/infra/graphql/mutation.rs
+++ b/server/src/infra/graphql/mutation.rs
@@ -110,6 +110,9 @@ impl Mutation {
 if !context.validation_result.is_admin {
 return Err("Unauthorized group update".into());
 }
+ if group.id == 1 {
+ return Err("Cannot change admin group details".into());
+ }
 context
 .handler
 .update_group(UpdateGroupRequest {
@@ -143,6 +146,9 @@ impl Mutation {
 if !context.validation_result.is_admin {
 return Err("Unauthorized group membership modification".into());
 }
+ if context.validation_result.user == user_id && group_id == 1 {
+ return Err("Cannot remove admin rights for current user".into());
+ }
 context
 .handler
 .remove_user_from_group(&user_id, GroupId(group_id))
@@ -154,6 +160,9 @@ impl Mutation {
 if !context.validation_result.is_admin {
 return Err("Unauthorized user deletion".into());
 }
+ if context.validation_result.user == user_id {
+ return Err("Cannot delete current user".into());
+ }
 context.handler.delete_user(&user_id).await?;
 Ok(Success::new())
 }
@@ -162,6 +171,9 @@ impl Mutation {
 if !context.validation_result.is_admin {
 return Err("Unauthorized group deletion".into());
 }
+ if group_id == 1 {
+ return Err("Cannot delete admin group".into());
+ }
 context.handler.delete_group(GroupId(group_id)).await?;
 Ok(Success::new())
 }
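Review bot: The literal `1` in `if group.id == 1` (hunk `@@ -110,6 +110,9 @@`, before the `handler.update_group` call) encodes the admin group's id with no name or comment, and the same literal is repeated in the `remove_user_from_group` and `delete_group` hunks. I would define one named constant, for example `const ADMIN_GROUP_ID: i32 = 1;` (the integer type must match `GroupId`'s field, which is not visible here), and compare against it in all three places. How `is_admin` is derived is not shown in this patch; if it comes from a group name or from configuration rather than from id 1, these guards protect the wrong row whenever the admin group has another id, so the constant's doc comment should say where that invariant is established. The enclosing resolver starts and ends outside the hunk.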
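Review bot: The guard `context.validation_result.user == user_id` (hunk `@@ -143,6 +146,9 @@`, and again in the `delete_user` hunk `@@ -154,6 +160,9 @@`) is an exact comparison between the authenticated name and a client-supplied id, so it holds only if the storage layer compares ids the same way. Should the handler match user ids case-insensitively or after normalisation, which this patch does not show, a differently-cased id would pass the check while still addressing the caller's own account. Assuming both sides are strings, I would compare normalised forms, e.g. `if context.validation_result.user.eq_ignore_ascii_case(&user_id) && group_id == 1 {`, or better resolve `user_id` through the handler and compare the stored id. The check also relies on `is_admin` being current at request time; if it is read from a token issued before a demotion, the "at least one admin remains" property in the commit title is not guaranteed by these lines alone.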
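Review bot: The `if group_id == 1` guard in hunk `@@ -162,6 +171,9 @@`, like the three guards before it, sits in the GraphQL resolver rather than in `delete_group` on the handler, so any other caller of the handler is not covered by it. Whether other entry points reach the handler is not visible in this patch; if they do, the check belongs in the handler (or its backend implementation) so the invariant does not depend on the front end. At minimum I would add a comment above the guard such as `// The admin group must always exist; enforced here only for GraphQL callers.` The commit adds no test, and one test per guarded mutation asserting the `Err` for the admin group and for the current user would pin the behaviour.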