From e08e3feec4b329bd249f595ba807c9fbae3c282d Mon Sep 17 00:00:00 2001
From: Jannik Schönartz
Date: Tue, 26 Feb 2019 07:23:12 +0000
Subject: [permissionmanager] Fix security bug: Code was executed weather the user had the permission or not

---
 server/api/users.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'server/api/users.js')

diff --git a/server/api/users.js b/server/api/users.js
index a754155..a297033 100644
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -44,9 +44,8 @@ router.getAsync('/:id', async (req, res) => {
 
 // Post request for adding roles to users.
 router.postAsync('/:id/roles', async (req, res) => {
-  if (!await req.user.hasPermission('permissions.grantrevoke')) {
-    res.status(403).end()
-  }
+  if (!await req.user.hasPermission('permissions.grantrevoke')) return res.status(403).end()
+
   const id = req.params.id === 'current' ? req.user.id : req.params.id
   const user = await db.user.findOne({ where: { id } })
   if (user) {
-- 
cgit v1.2.3-55-g7522
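Review bot: The added `return` correctly stops the handler after the 403, but the removed set-status-without-return pattern is the kind of defect that tends to be copied between sibling handlers, and only this one site is fixed; the `router.getAsync('/:id', ...)` named in the hunk header and any handlers after this one are outside the hunk and worth checking for the same shape. A regression test that posts to `/:id/roles` as a user lacking `permissions.grantrevoke`, then asserts a 403 and that the target user's roles are unchanged, would pin the fix. Whether `router.postAsync` inspects the value returned by the handler is not visible here; if it does, `{ res.status(403).end(); return }` gives the same control flow without handing back the response object. The body of `router.postAsync('/:id/roles', ...)` continues past the end of the hunk.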