banquise/pelican-panel-mirror
8
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-09-20 00:04:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

Prevent rootAdmins from having other roles & being deleted via the API (#1699)

Browse Source
This commit is contained in:
MartinOscar 2025-09-11 12:56:21 +02:00 committed by GitHub
parent 61dcb9a3ba
commit 8f1ec20e96
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
app/Http/Controllers/Api/Application/Users/UserController.php
View File

@ -102,12 +102,15 @@ class UserController extends ApplicationApiController
*/ */
public function assignRoles(AssignUserRolesRequest $request, User $user): array public function assignRoles(AssignUserRolesRequest $request, User $user): array
{ {
foreach ($request->input('roles') as $role) { if (!$user->isRootAdmin()) {
if ($role === Role::getRootAdmin()->id) { $rootAdminId = Role::getRootAdmin()->id;
continue; foreach ($request->input('roles') as $role) {
} if ($role === $rootAdminId) {
continue;
}
$user->assignRole($role); $user->assignRole($role);
}
} }
$response = $this->fractal->item($user) $response = $this->fractal->item($user)
@ -125,12 +128,15 @@ class UserController extends ApplicationApiController
*/ */
public function removeRoles(AssignUserRolesRequest $request, User $user): array public function removeRoles(AssignUserRolesRequest $request, User $user): array
{ {
foreach ($request->input('roles') as $role) { if (!$user->isRootAdmin()) {
if ($role === Role::getRootAdmin()->id) { $rootAdminId = Role::getRootAdmin()->id;
continue; foreach ($request->input('roles') as $role) {
} if ($role === $rootAdminId) {
continue;
}
$user->removeRole($role); $user->removeRole($role);
}
} }
$response = $this->fractal->item($user) $response = $this->fractal->item($user)
@ -169,8 +175,12 @@ class UserController extends ApplicationApiController
*/ */
public function delete(DeleteUserRequest $request, User $user): JsonResponse public function delete(DeleteUserRequest $request, User $user): JsonResponse
{ {
$user->delete(); if (!$user->isRootAdmin()) {
$user->delete();
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT); return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
}
return new JsonResponse([], JsonResponse::HTTP_FORBIDDEN);
} }
} }

4
app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
View File

@ -8,8 +8,8 @@ class AssignUserRolesRequest extends StoreUserRequest
public function rules(?array $rules = null): array public function rules(?array $rules = null): array
{ {
return [ return [
'roles' => 'array', 'roles' => 'required|array',
'roles.*' => 'int', 'roles.*' => 'integer|exists:roles,id',
]; ];
} }
} }