
fix: don't allow to remove root user

pull/1224/merge
Oleg Lobanov 1 year ago
parent
commit
019ce80fc5
No known key found for this signature in database GPG Key ID: 7CC64E41212621B0
  1. 1
      errors/errors.go
  2. 4
      frontend/src/utils/vue.js
  3. 2
      frontend/src/views/settings/User.vue
  4. 4
      http/users.go
  5. 2
      http/utils.go
  6. 20
      users/storage.go

1
errors/errors.go

@ -17,4 +17,5 @@ var (
ErrPermissionDenied = errors.New("permission denied")
ErrInvalidRequestParams = errors.New("invalid request params")
ErrSourceIsParent = errors.New("source is parent")
ErrRootUserDeletion = errors.New("user with id 1 can't be deleted")
)

4
frontend/src/utils/vue.js

@ -26,14 +26,14 @@ Vue.prototype.$showSuccess = (message) => {
})).show()
}
Vue.prototype.$showError = (error) => {
Vue.prototype.$showError = (error, displayReport = true) => {
let btns = [
Noty.button(i18n.t('buttons.close'), '', function () {
n.close()
})
]
if (!disableExternal) {
if (!disableExternal && displayReport) {
btns.unshift(Noty.button(i18n.t('buttons.reportIssue'), '', function () {
window.open('https://github.com/filebrowser/filebrowser/issues/new/choose')
}))
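Review bot: The new `displayReport` parameter on `$showError` is undocumented, so a reader of the signature cannot tell when a caller should pass `false`. Add a short comment above the function, for example `// displayReport: when false, the "report issue" button is omitted; use it for expected errors (e.g. a 403) that are not bugs worth reporting.`. The remainder of the function, including where `n` is declared, lies outside the hunk, so the default `true` appears to preserve the previous behaviour for existing callers but that could not be confirmed here.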

2
frontend/src/views/settings/User.vue

@ -115,7 +115,7 @@ export default {
this.$router.push({ path: '/settings/users' })
this.$showSuccess(this.$t('settings.userDeleted'))
} catch (e) {
this.$showError(e)
(e.message === "403") ? this.$showError(this.$t("errors.forbidden"), false) : this.$showError(e)
}
},
async save (event) {
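Review bot: The replacement line uses a conditional expression as a statement, which hides two different calls in one line; an if/else is the clearer form: `if (e.message === "403") { this.$showError(this.$t("errors.forbidden"), false) } else { this.$showError(e) }`. Matching on the string `"403"` in `e.message` also couples this view to how the HTTP utility builds its error objects, which is not visible in this commit; if there is a shared status constant or helper, using it would make that coupling explicit. Note that this only shapes the message shown to the user; the refusal itself is enforced server-side. The enclosing method begins outside the hunk.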

4
http/users.go

@ -99,8 +99,8 @@ var userGetHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request
var userDeleteHandler = withSelfOrAdmin(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
err := d.store.Users.Delete(d.raw.(uint))
if err == errors.ErrNotExist {
return http.StatusNotFound, err
if err != nil {
return errToStatus(err), err
}
return http.StatusOK, nil
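Review bot: The handler previously returned 404 for `errors.ErrNotExist` explicitly; the new `if err != nil { return errToStatus(err), err }` delegates that mapping to `errToStatus`, and the `ErrNotExist` case of that function is not visible in the `http/utils.go` hunk of this commit, so confirm it maps to `http.StatusNotFound` or deleting a missing user silently regresses to the default status. A one-line comment on the new branch, such as `// status mapping (404, 403 for the root user, ...) lives in errToStatus`, would make the dependency obvious to the next reader. The `d.raw.(uint)` assertion is unchanged by this commit; the handler's remaining lines lie outside the hunk.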

2
http/utils.go

@ -40,6 +40,8 @@ func errToStatus(err error) int {
return http.StatusForbidden
case errors.Is(err, libErrors.ErrInvalidRequestParams):
return http.StatusBadRequest
case errors.Is(err, libErrors.ErrRootUserDeletion):
return http.StatusForbidden
default:
return http.StatusInternalServerError
}
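Review bot: The added case returns `http.StatusForbidden`, the same status the case immediately above it returns (that case's condition starts outside the hunk), so it could be folded into that case with a comma-separated condition list rather than duplicating the return, e.g. `case errors.Is(err, libErrors.ErrPermissionDenied), errors.Is(err, libErrors.ErrRootUserDeletion): return http.StatusForbidden` if that is indeed the preceding sentinel. Keeping the 403 mapping here is consistent with the `"403"` check the frontend now relies on, so a brief comment noting that the client distinguishes this status would help keep the two in sync.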

20
users/storage.go

@ -92,17 +92,25 @@ func (s *Storage) Save(user *User) error {
// Delete allows you to delete a user by its name or username. The provided
// id must be a string for username lookup or a uint for id lookup. If id
// is neither, a ErrInvalidDataType will be returned.
func (s *Storage) Delete(id interface{}) (err error) {
func (s *Storage) Delete(id interface{}) error {
switch id := id.(type) {
case string:
err = s.back.DeleteByUsername(id)
user, err := s.back.GetBy(id)
if err != nil {
return err
}
if user.ID == 1 {
return errors.ErrRootUserDeletion
}
return s.back.DeleteByUsername(id)
case uint:
err = s.back.DeleteByID(id)
if id == 1 {
return errors.ErrRootUserDeletion
}
return s.back.DeleteByID(id)
default:
err = errors.ErrInvalidDataType
return errors.ErrInvalidDataType
}
return
}
// LastUpdate gets the timestamp for the last update of an user.
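Review bot: The doc comment above `Delete` still says "by its name or username" and does not mention the new failure mode; it should read "by its id or username" and add `// If the target is the root user (id 1), ErrRootUserDeletion is returned and nothing is deleted.`. The literal `1` now appears in both the `string` and `uint` branches (and a third time in the message of `ErrRootUserDeletion` in errors/errors.go); declaring `const rootUserID = 1` in this package and comparing `user.ID == rootUserID` / `id == rootUserID` keeps the protected identity in one place. The `string` branch does a `GetBy` lookup followed by `DeleteByUsername`, so the guard is applied to a snapshot; that is acceptable for this storage layer but worth a comment so nobody later "optimises" the lookup away.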
