fix: add correct permission checks to modifying user password/permissions

2026-01-01 12:18:35 -05:00 · 2021-03-02 08:18:31 +00:00
parent 2771376ecc
commit ddfc5e6aa8
4 changed files with 54 additions and 8 deletions
--- a/src/components/UserProfile/UserSettings/UserPasswordChange/index.tsx
+++ b/src/components/UserProfile/UserSettings/UserPasswordChange/index.tsx
@@ -5,7 +5,7 @@ import React from 'react';
 import { defineMessages, useIntl } from 'react-intl';
 import { useToasts } from 'react-toast-notifications';
 import useSWR from 'swr';
-import { useUser } from '../../../../hooks/useUser';
+import { Permission, useUser } from '../../../../hooks/useUser';
 import Error from '../../../../pages/_error';
 import Alert from '../../../Common/Alert';
 import Button from '../../../Common/Button';
@@ -33,6 +33,9 @@ const messages = defineMessages({
  nopasswordsetDescription:
    'This user account currently does not have a password specifically for {applicationTitle}.\
    Configure a password below to enable this account to sign in as a "local user."',
+  nopermission: 'No Permission',
+  nopermissionDescription:
+    "You do not have permission to modify this user's password.",
 });

 const UserPasswordChange: React.FC = () => {
@@ -41,14 +44,14 @@ const UserPasswordChange: React.FC = () => {
  const { addToast } = useToasts();
  const router = useRouter();
  const { user: currentUser } = useUser();
-  const { user } = useUser({ id: Number(router.query.userId) });
+  const { user, hasPermission } = useUser({ id: Number(router.query.userId) });
  const { data, error, revalidate } = useSWR<{ hasPassword: boolean }>(
    user ? `/api/v1/user/${user?.id}/settings/password` : null
  );

  const PasswordChangeSchema = Yup.object().shape({
    currentPassword: Yup.lazy(() =>
-      data?.hasPassword
+      data?.hasPassword && currentUser?.id === user?.id
        ? Yup.string().required(
            intl.formatMessage(messages.validationCurrentPassword)
          )
@@ -73,6 +76,23 @@ const UserPasswordChange: React.FC = () => {
    return <Error statusCode={500} />;
  }

+  if (
+    currentUser?.id !== user?.id &&
+    hasPermission(Permission.ADMIN) &&
+    currentUser?.id !== 1
+  ) {
+    return (
+      <>
+        <div className="mb-6">
+          <h3 className="heading">{intl.formatMessage(messages.password)}</h3>
+        </div>
+        <Alert title={intl.formatMessage(messages.nopermission)} type="error">
+          {intl.formatMessage(messages.nopermissionDescription)}
+        </Alert>
+      </>
+    );
+  }
+
  return (
    <>
      <div className="mb-6">