Prevent new users from being administrators

Secures the user registration endpoint.

grav-admin/user/data/feed/21232f297a57a5a743894a0e4a801fc3.yaml

@@ -1,4 +1,4 @@
-last_checked: 1705009681
+last_checked: 1705024218
 data:
   -
     title: 'macOS 14.0 Sonoma Apache Setup: Upgrading Homebrew'

grav-admin/user/js/registration/account.vue

@@ -22,7 +22,7 @@
 	
 	<div>
 	<label>Country</label>
-	<select name="country">
+	<select name="country" v-model="user.country">
   <option value="USA">USA</option>
   <option value="Canada">Canada</option>
   </select>
@@ -30,7 +30,8 @@
   
   <div class="address-entry">
   <label for="">Address</label>
-  <input type="text" @input="searchLocation" :value="address.full">
+  <input
+  type="text" @input="searchLocation" v-model="address.full">
   <dropdown v-if="addresses && addresses.length"
   :entries="addresses.map(a => ({text: a.full_address, value: a}))"
   @select="setAddress"

grav-admin/user/js/registration/registration.vue

@@ -16,7 +16,7 @@ function create(user) {
 
 <style scoped>
 section {
-	max-width: 350px;
+	max-width: 400px;
 	margin: auto;
 }
 </style>

skouter.go

@@ -1392,17 +1392,43 @@ func deleteUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {
 	}
 }
 
+// Checks if a user's entries are reasonable before database insertion.
+// This function is very important because it is the only thing preventing
+// anyone from creating an admin user.
+func (user *User) validate() error {
+	_, err := mail.ParseAddress(user.Email)
+	if err != nil { errors.New("Invalid email.") }
+	
+	if roles[user.Role] == 0 {
+		errors.New("Invalid role.")
+	}
+	
+	if roles[user.Role] == roles["Admin"] {
+		errors.New("New user cannot be an Admin.")
+	}
+	
+	if user.FirstName == "" {
+		errors.New("Given name cannot be empty.")
+	}
+	
+	if user.LastName == "" {
+		errors.New("Surname cannot be empty.")
+	}
+	
+	if user.Password == "" {
+		errors.New("User must have a password.")
+	}
+	
+	return nil
+}
+
 func createUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {
 	var user User
 	err := json.NewDecoder(r.Body).Decode(&user)
 	if err != nil { http.Error(w, "Invalid fields.", 422); return }
-
-	_, err = mail.ParseAddress(user.Email)
-	if err != nil { http.Error(w, "Invalid email.", 422); return }
-
-	if roles[user.Role] == 0 {
-		http.Error(w, "Invalid role.", 422)
-	}
+	
+	err = user.validate()
+	if err != nil { http.Error(w, err.Error(), 422); return }
 
 	user, err = insertUser(db, user)
 	if err != nil { http.Error(w, "Error creating user.", 422); return }
@@ -2512,7 +2538,7 @@ func api(w http.ResponseWriter, r *http.Request) {
 		getUser(w, db, r)
 	case match(p, "/api/user", &args) &&
 	r.Method == http.MethodPost &&
-	guard(r, 3):
+	guard(r, 1):
 		createUser(w, db, r)
 	case match(p, "/api/user", &args) &&
 	r.Method == http.MethodPatch &&