homelab/kener
1
0
Fork 0
mirror of https://github.com/rajnandan1/kener.git synced 2026-06-23 04:10:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: Update ManualUpdateUserData to include user ID and validate roles

Browse Source
This commit is contained in:
Raj Nandan Sharma
2026-02-26 22:14:58 +05:30
parent d8ae54da53
commit 0896aed91e
2 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
migrations/20260226120000_add_is_owner_to_users.ts
+7 -5
View File
@@ -6,12 +6,14 @@ export async function up(knex: Knex): Promise<void> {
await knex.schema.alterTable("users", (table) => {
table.string("is_owner").defaultTo("NO").notNullable();
});
}
// Set the first user (by id) as owner, if any users exist
const firstUser = await knex("users").orderBy("id", "asc").first();
if (firstUser) {
await knex("users").where("id", firstUser.id).update({ is_owner: "YES" });
// Set the first user (by id) as owner, if any users exist.
// This only runs when the column has just been added to avoid
// overwriting an existing owner on migration re-run.
const firstUser = await knex("users").orderBy("id", "asc").first();
if (firstUser) {
await knex("users").where("id", firstUser.id).update({ is_owner: "YES" });
}
}
}
src/lib/server/controllers/userController.ts
+10 -3
View File
@@ -229,8 +229,10 @@ export const UpdatePassword = async (data: PasswordUpdateInput): Promise<number>
});
};
const VALID_ROLES = ["admin", "editor", "member"] as const;
export const ManualUpdateUserData = async (
byUser: { role: string; is_owner: string },
byUser: { id: number; role: string; is_owner: string },
forUserId: number,
data: ManualUserUpdateInput,
): Promise<number | undefined> => {
@@ -242,12 +244,15 @@ export const ManualUpdateUserData = async (
if (byUser.role !== "admin") {
throw new Error("You do not have permission to update user");
}
// non-owner admins cannot modify other admins
if (forUser.role === "admin" && byUser.is_owner !== "YES") {
// non-owner admins cannot modify other admins (self-updates are allowed)
if (forUser.role === "admin" && byUser.is_owner !== "YES" && forUser.id !== byUser.id) {
throw new Error("Only the owner can modify other admins");
}
if (data.updateType == "role") {
if (!data.role) throw new Error("Role is required");
if (!VALID_ROLES.includes(data.role as (typeof VALID_ROLES)[number])) {
throw new Error(`Invalid role. Must be one of: ${VALID_ROLES.join(", ")}`);
}
return await db.updateUserRole(forUser.id, data.role);
} else if (data.updateType == "is_active") {
if (data.is_active === undefined) throw new Error("is_active is required");
@@ -259,6 +264,8 @@ export const ManualUpdateUserData = async (
newPassword: data.password,
newPlainPassword: data.passwordPlain,
});
} else {
throw new Error(`Unsupported update type: ${data.updateType}`);
}
};