mirror/lldap
1
0
Fork 0
mirror of https://github.com/nitnelave/lldap.git synced 2023-04-12 14:25:13 +00:00
Code Issues Projects Releases Wiki Activity

graphql: Add guardrails to prevent deleting all the admins

Browse Source
This commit is contained in:
Valentin Tolmer 2021-09-24 22:40:33 +02:00
parent 89798f0172
commit 72318d8221
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
server/src/infra/graphql/mutation.rs
View File

@ -110,6 +110,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
if !context.validation_result.is_admin { if !context.validation_result.is_admin {
return Err("Unauthorized group update".into()); return Err("Unauthorized group update".into());
} }
if group.id == 1 {
return Err("Cannot change admin group details".into());
}
context context
.handler .handler
.update_group(UpdateGroupRequest { .update_group(UpdateGroupRequest {
@ -143,6 +146,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
if !context.validation_result.is_admin { if !context.validation_result.is_admin {
return Err("Unauthorized group membership modification".into()); return Err("Unauthorized group membership modification".into());
} }
if context.validation_result.user == user_id && group_id == 1 {
return Err("Cannot remove admin rights for current user".into());
}
context context
.handler .handler
.remove_user_from_group(&user_id, GroupId(group_id)) .remove_user_from_group(&user_id, GroupId(group_id))
@ -154,6 +160,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
if !context.validation_result.is_admin { if !context.validation_result.is_admin {
return Err("Unauthorized user deletion".into()); return Err("Unauthorized user deletion".into());
} }
if context.validation_result.user == user_id {
return Err("Cannot delete current user".into());
}
context.handler.delete_user(&user_id).await?; context.handler.delete_user(&user_id).await?;
Ok(Success::new()) Ok(Success::new())
} }
@ -162,6 +171,9 @@ impl<Handler: BackendHandler + Sync> Mutation<Handler> {
if !context.validation_result.is_admin { if !context.validation_result.is_admin {
return Err("Unauthorized group deletion".into()); return Err("Unauthorized group deletion".into());
} }
if group_id == 1 {
return Err("Cannot delete admin group".into());
}
context.handler.delete_group(GroupId(group_id)).await?; context.handler.delete_group(GroupId(group_id)).await?;
Ok(Success::new()) Ok(Success::new())
} }