
Prevent new users from being administrators

Secures the user registration endpoint.
master
Immanuel Onyeka 1 ano atrás
pai
commit
826a356432
4 arquivos alterados com 39 adições e 12 exclusões
  1. +1
    -1
      grav-admin/user/data/feed/21232f297a57a5a743894a0e4a801fc3.yaml
  2. +3
    -2
      grav-admin/user/js/registration/account.vue
  3. +1
    -1
      grav-admin/user/js/registration/registration.vue
  4. +34
    -8
      skouter.go

+ 1
- 1
grav-admin/user/data/feed/21232f297a57a5a743894a0e4a801fc3.yaml Ver arquivo

@@ -1,4 +1,4 @@
last_checked: 1705009681
last_checked: 1705024218
data: data:
- -
title: 'macOS 14.0 Sonoma Apache Setup: Upgrading Homebrew' title: 'macOS 14.0 Sonoma Apache Setup: Upgrading Homebrew'


+ 3
- 2
grav-admin/user/js/registration/account.vue Ver arquivo

@@ -22,7 +22,7 @@
<div> <div>
<label>Country</label> <label>Country</label>
<select name="country">
<select name="country" v-model="user.country">
<option value="USA">USA</option> <option value="USA">USA</option>
<option value="Canada">Canada</option> <option value="Canada">Canada</option>
</select> </select>
@@ -30,7 +30,8 @@
<div class="address-entry"> <div class="address-entry">
<label for="">Address</label> <label for="">Address</label>
<input type="text" @input="searchLocation" :value="address.full">
<input
type="text" @input="searchLocation" v-model="address.full">
<dropdown v-if="addresses && addresses.length" <dropdown v-if="addresses && addresses.length"
:entries="addresses.map(a => ({text: a.full_address, value: a}))" :entries="addresses.map(a => ({text: a.full_address, value: a}))"
@select="setAddress" @select="setAddress"


+ 1
- 1
grav-admin/user/js/registration/registration.vue Ver arquivo

@@ -16,7 +16,7 @@ function create(user) {


<style scoped> <style scoped>
section { section {
max-width: 350px;
max-width: 400px;
margin: auto; margin: auto;
} }
</style> </style>

+ 34
- 8
skouter.go Ver arquivo

@@ -1392,17 +1392,43 @@ func deleteUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {
} }
} }


// Checks if a user's entries are reasonable before database insertion.
// This function is very important because it is the only thing preventing
// anyone from creating an admin user.
func (user *User) validate() error {
_, err := mail.ParseAddress(user.Email)
if err != nil { errors.New("Invalid email.") }
if roles[user.Role] == 0 {
errors.New("Invalid role.")
}
if roles[user.Role] == roles["Admin"] {
errors.New("New user cannot be an Admin.")
}
if user.FirstName == "" {
errors.New("Given name cannot be empty.")
}
if user.LastName == "" {
errors.New("Surname cannot be empty.")
}
if user.Password == "" {
errors.New("User must have a password.")
}
return nil
}

func createUser(w http.ResponseWriter, db *sql.DB, r *http.Request) { func createUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {
var user User var user User
err := json.NewDecoder(r.Body).Decode(&user) err := json.NewDecoder(r.Body).Decode(&user)
if err != nil { http.Error(w, "Invalid fields.", 422); return } if err != nil { http.Error(w, "Invalid fields.", 422); return }

_, err = mail.ParseAddress(user.Email)
if err != nil { http.Error(w, "Invalid email.", 422); return }

if roles[user.Role] == 0 {
http.Error(w, "Invalid role.", 422)
}
err = user.validate()
if err != nil { http.Error(w, err.Error(), 422); return }


user, err = insertUser(db, user) user, err = insertUser(db, user)
if err != nil { http.Error(w, "Error creating user.", 422); return } if err != nil { http.Error(w, "Error creating user.", 422); return }
@@ -2512,7 +2538,7 @@ func api(w http.ResponseWriter, r *http.Request) {
getUser(w, db, r) getUser(w, db, r)
case match(p, "/api/user", &args) && case match(p, "/api/user", &args) &&
r.Method == http.MethodPost && r.Method == http.MethodPost &&
guard(r, 3):
guard(r, 1):
createUser(w, db, r) createUser(w, db, r)
case match(p, "/api/user", &args) && case match(p, "/api/user", &args) &&
r.Method == http.MethodPatch && r.Method == http.MethodPatch &&
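Review bot: Every `errors.New(...)` in the new `validate` method discards its result, so the function always returns nil and `createUser` accepts any payload, including `Role` set to Admin — the check the header comment calls "the only thing preventing anyone from creating an admin user" is currently a no-op (`go vet` reports these unused results). The second hunk lowers the `POST /api/user` guard from `guard(r, 3)` to `guard(r, 1)`, so if the guard argument is a minimum privilege level (confirm against `guard`'s definition), lower-privileged callers can now create admin accounts through this endpoint; the guard change should only land once `validate` actually rejects. Each branch needs to `return` its error, and the `mail.ParseAddress` result can be folded into the `if` initializer so the discarded `err` goes away, as below. Consider also adding a unit test that posts `{"Role": "Admin"}` and asserts a 422, since this is the regression the commit is meant to prevent.
```go
func (user *User) validate() error {
	if _, err := mail.ParseAddress(user.Email); err != nil {
		return errors.New("Invalid email.")
	}
	if roles[user.Role] == 0 {
		return errors.New("Invalid role.")
	}
	if roles[user.Role] == roles["Admin"] {
		return errors.New("New user cannot be an Admin.")
	}
	if user.FirstName == "" {
		return errors.New("Given name cannot be empty.")
	}
	if user.LastName == "" {
		return errors.New("Surname cannot be empty.")
	}
	if user.Password == "" {
		return errors.New("User must have a password.")
	}
	return nil
}
```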

