fix: prohibit Apps to use admin/moderator permission

This commit is contained in:
mei23 2023-12-27 01:30:47 +09:00 committed by naskya
parent f7a36bf836
commit 4a659e131a
No known key found for this signature in database
GPG key ID: 712D413B3A9FED5C
2 changed files with 15 additions and 3 deletions

View file

@ -130,6 +130,18 @@ export default async (
}); });
} }
if (token && ep.meta.requireAdmin) {
throw new ApiError(accessDenied, {
reason: "Apps cannot use admin privileges.",
});
}
if (token && ep.meta.requireModerator) {
throw new ApiError(accessDenied, {
reason: "Apps cannot use moderator privileges.",
});
}
// Cast non JSON input // Cast non JSON input
if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) { if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) {
for (const k of Object.keys(ep.params.properties)) { for (const k of Object.keys(ep.params.properties)) {

View file

@ -30,14 +30,14 @@ export const paramDef = {
required: ["username", "password"], required: ["username", "password"],
} as const; } as const;
export default define(meta, paramDef, async (ps, _me) => { export default define(meta, paramDef, async (ps, _me, token) => {
const me = _me ? await Users.findOneByOrFail({ id: _me.id }) : null; const me = _me ? await Users.findOneByOrFail({ id: _me.id }) : null;
const noUsers = const noUsers =
(await Users.countBy({ (await Users.countBy({
host: IsNull(), host: IsNull(),
isAdmin: true,
})) === 0; })) === 0;
if (!(noUsers || me?.isAdmin)) throw new Error("access denied"); if (!noUsers && !me?.isAdmin) throw new Error("access denied");
if (token) throw new Error("access denied");
const { account, secret } = await signup({ const { account, secret } = await signup({
username: ps.username, username: ps.username,