Prevent rootAdmins from having other roles & being deleted via the API (#1699)

This commit is contained in:
MartinOscar 2025-09-11 12:56:21 +02:00 committed by GitHub
parent 61dcb9a3ba
commit 8f1ec20e96
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 14 deletions


@ -102,13 +102,16 @@ class UserController extends ApplicationApiController
*/ */
public function assignRoles(AssignUserRolesRequest $request, User $user): array public function assignRoles(AssignUserRolesRequest $request, User $user): array
{ {
if (!$user->isRootAdmin()) {
$rootAdminId = Role::getRootAdmin()->id;
foreach ($request->input('roles') as $role) { foreach ($request->input('roles') as $role) {
if ($role === Role::getRootAdmin()->id) { if ($role === $rootAdminId) {
continue; continue;
} }
$user->assignRole($role); $user->assignRole($role);
} }
}
$response = $this->fractal->item($user) $response = $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class)); ->transformWith($this->getTransformer(UserTransformer::class));
@ -125,13 +128,16 @@ class UserController extends ApplicationApiController
*/ */
public function removeRoles(AssignUserRolesRequest $request, User $user): array public function removeRoles(AssignUserRolesRequest $request, User $user): array
{ {
if (!$user->isRootAdmin()) {
$rootAdminId = Role::getRootAdmin()->id;
foreach ($request->input('roles') as $role) { foreach ($request->input('roles') as $role) {
if ($role === Role::getRootAdmin()->id) { if ($role === $rootAdminId) {
continue; continue;
} }
$user->removeRole($role); $user->removeRole($role);
} }
}
$response = $this->fractal->item($user) $response = $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class)); ->transformWith($this->getTransformer(UserTransformer::class));
@ -169,8 +175,12 @@ class UserController extends ApplicationApiController
*/ */
public function delete(DeleteUserRequest $request, User $user): JsonResponse public function delete(DeleteUserRequest $request, User $user): JsonResponse
{ {
if (!$user->isRootAdmin()) {
$user->delete(); $user->delete();
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT); return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
} }
return new JsonResponse([], JsonResponse::HTTP_FORBIDDEN);
}
} }
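Review bot: assignRoles and removeRoles now silently succeed for a root-admin target — the new `if (!$user->isRootAdmin())` wrapper skips the loop, but the method still falls through to the transformer and returns the user as though the change had been applied, whereas `delete` answers the same case with 403. A caller cannot tell "roles assigned" from "request ignored", which is exactly the kind of silent no-op that hides privilege-management mistakes; since both methods return `array`, the consistent form is to fail loudly at the top of each, e.g. `if ($user->isRootAdmin()) { abort(JsonResponse::HTTP_FORBIDDEN); }` (or throw whatever exception type the API uses for authorization failures elsewhere). The same applies to the `continue` that drops the root-admin role id from the submitted list: the client receives 200 with no indication that part of its input was discarded. One thing to confirm: `$role === $rootAdminId` is a strict comparison, and if the request body is form-encoded the values that passed the `integer` rule arrive as numeric strings, so the skip would not match; comparing `(int) $role` closes that gap. Both role methods continue past the end of their hunks.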


@ -8,8 +8,8 @@ class AssignUserRolesRequest extends StoreUserRequest
public function rules(?array $rules = null): array public function rules(?array $rules = null): array
{ {
return [ return [
'roles' => 'array', 'roles' => 'required|array',
'roles.*' => 'int', 'roles.*' => 'integer|exists:roles,id',
]; ];
} }
} }
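Review bot: The root-admin exclusion that UserController performs with a silent `continue` belongs in these rules, so a client that submits the root-admin role id gets a 422 with a field error instead of a 200 that quietly dropped it; `'roles.*' => ['integer', 'distinct', Rule::notIn([Role::getRootAdmin()->id]), 'exists:roles,id']` (with the corresponding `use` imports) expresses that, and `distinct` additionally rejects duplicate ids in one request. Note that `integer` validates but does not cast, so numeric strings from a form-encoded body still reach the controller as strings; any strict comparison against the role id there needs a cast, or this request should expose a normalised accessor that returns `int` values.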