Navy.gif/webserver-framework
Template
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

bugfix to accidental privilege escalation

Browse Source
This commit is contained in:
Erik 2024-01-30 11:06:50 +02:00
parent 68a19543b1
commit dddfe6da75
2 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/server/components/UserDatabase.ts
View File

@ -149,18 +149,20 @@ class UserDatabase implements UserDatabaseInterface
return true; return true;
} }
async fetchUsers ({ ids, page, pageSize, name, roleId }: UserQuery = {}): Promise<User[]> async fetchUsers ({ ids, page, pageSize, name, roleId, id }: UserQuery = {}): Promise<User[]>
{ {
const query: Filter<UserData> = {}; const query: Filter<UserData> = {};
if (ids) if (ids)
ids = ids.map(r => typeof r === 'string' ? r : r.id as string); ids = ids.map(r => typeof r === 'string' ? r : r.id as string);
if (ids?.length) if (ids?.length)
query._id = { $in: ids.map(id => new ObjectId(id as string)) }; query._id = { $in: ids.map(i => new ObjectId(i as string)) };
else if (id)
query._id = new ObjectId(id);
// Does not scale, but works for our users collection since it should always remain relatively small // Does not scale, but works for our users collection since it should always remain relatively small
if (name) if (name)
query.name = { $regex: name, $options: 'i' }; query.name = { $regex: `^${name}$`, $options: 'i' };
const findOptions: {limit?: number, skip?: number} = {}; const findOptions: {limit?: number, skip?: number} = {};
if (typeof page !== 'undefined' && typeof pageSize !== 'undefined') if (typeof page !== 'undefined' && typeof pageSize !== 'undefined')
@ -184,7 +186,7 @@ class UserDatabase implements UserDatabaseInterface
{ {
if (user.roles?.length) if (user.roles?.length)
user.roles = roles.filter(r => user.roles?.includes(r.id)); user.roles = roles.filter(r => user.roles?.includes(r.id));
u = this._createUser(user); u = await this._createUser(user);
if (!this.#disableCache) if (!this.#disableCache)
this.#cache.set(u.id, u); this.#cache.set(u.id, u);
} }
@ -607,7 +609,7 @@ class UserDatabase implements UserDatabaseInterface
* @return {User} * @return {User}
* @memberof UserDatabase * @memberof UserDatabase
*/ */
private _createUser (data: UserData & { _id?: ObjectId }): User private async _createUser (data: UserData & { _id?: ObjectId }): Promise<User>
{ {
if (!data) if (!data)
throw new Error('Missing data to create user'); throw new Error('Missing data to create user');
@ -616,9 +618,11 @@ class UserDatabase implements UserDatabaseInterface
if (!data.id) if (!data.id)
data.id = new ObjectId(); data.id = new ObjectId();
// if (data.roles) { if (data.roles?.every(r => typeof r === 'string'))
// data.roles = data.roles.map(role => this.#cache.get(role._id) || this._createRole(role as RoleData)); {
// } const roles = await this.fetchRoles({ ids: data.roles });
data.roles = roles;
}
const user = new User(this.#server, data); const user = new User(this.#server, data);
return user; return user;

1
src/server/interfaces/UserDatabaseInterface.ts
View File

@ -4,6 +4,7 @@ import { Role, User, UserApplication } from '../structures/index.js';
import Entity from './Entity.js'; import Entity from './Entity.js';
export type Query<T, TData> = { export type Query<T, TData> = {
id?: string,
ids?: (string | T | TData)[], ids?: (string | T | TData)[],
page?: number, page?: number,
pageSize?: number, pageSize?: number,