banquise/pelican-panel-mirror
13
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-11-04 04:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Prevent rootAdmins from having other roles & being deleted via the API (#1699)

Browse Source
This commit is contained in:
MartinOscar 2025-09-11 12:56:21 +02:00 committed by GitHub
parent 61dcb9a3ba
commit 8f1ec20e96
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
app/Http/Controllers/Api/Application/Users/UserController.php
View File

@ -102,13 +102,16 @@ class UserController extends ApplicationApiController
*/
public function assignRoles(AssignUserRolesRequest $request, User $user): array
{
if (!$user->isRootAdmin()) {
$rootAdminId = Role::getRootAdmin()->id;
foreach ($request->input('roles') as $role) {
if ($role === Role::getRootAdmin()->id) {
if ($role === $rootAdminId) {
continue;
}
$user->assignRole($role);
}
}
$response = $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class));
@ -125,13 +128,16 @@ class UserController extends ApplicationApiController
*/
public function removeRoles(AssignUserRolesRequest $request, User $user): array
{
if (!$user->isRootAdmin()) {
$rootAdminId = Role::getRootAdmin()->id;
foreach ($request->input('roles') as $role) {
if ($role === Role::getRootAdmin()->id) {
if ($role === $rootAdminId) {
continue;
}
$user->removeRole($role);
}
}
$response = $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class));
@ -169,8 +175,12 @@ class UserController extends ApplicationApiController
*/
public function delete(DeleteUserRequest $request, User $user): JsonResponse
{
if (!$user->isRootAdmin()) {
$user->delete();
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
}
return new JsonResponse([], JsonResponse::HTTP_FORBIDDEN);
}
}

4
app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
View File

@ -8,8 +8,8 @@ class AssignUserRolesRequest extends StoreUserRequest
public function rules(?array $rules = null): array
{
return [
'roles' => 'array',
'roles.*' => 'int',
'roles' => 'required|array',
'roles.*' => 'integer|exists:roles,id',
];
}
}