Change function signature of hasSuperAdminContext
parent
4c0469cb07
commit
a8a115ec50
|
@ -28,17 +28,17 @@ type superAdminKey string
|
|||
|
||||
const SuperAdminKey = superAdminKey("superadmin")
|
||||
|
||||
func hasSuperAdminContext(ctx context.Context) (bool, bool) {
|
||||
func hasSuperAdminContext(ctx context.Context) bool {
|
||||
// prevents panic in case of nil context
|
||||
if ctx == nil {
|
||||
return false, false
|
||||
return false
|
||||
}
|
||||
sa, ok := ctx.Value(SuperAdminKey).(bool)
|
||||
// should never happen
|
||||
if !ok {
|
||||
return false, false
|
||||
return false
|
||||
}
|
||||
return sa, true
|
||||
return sa
|
||||
}
|
||||
|
||||
// TODO: Comment
|
||||
|
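Review bot: The `// should never happen` comment above `if !ok {` is inaccurate: `ctx.Value(SuperAdminKey)` returns nil whenever the key was never attached to the context, and the comma-ok assertion on nil yields ok == false, so this branch is the ordinary path for any request that did not pass through whatever sets the key, not an exceptional one. This matters more after the signature change, which collapses "value absent" and "value set to false" into a single false so callers can no longer tell the two apart. Suggest replacing that comment with `// key absent (Value returns nil) or not a bool: treat as not superadmin` and giving the function a doc comment such as `// hasSuperAdminContext reports whether ctx carries SuperAdminKey set to true; a nil ctx or a missing or non-bool value counts as false.`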
@ -91,7 +91,7 @@ func (s *Store) Layouts(ctx context.Context) chronograf.LayoutsStore {
|
|||
}
|
||||
|
||||
func (s *Store) Users(ctx context.Context) chronograf.UsersStore {
|
||||
if superAdmin, ok := hasSuperAdminContext(ctx); ok && superAdmin {
|
||||
if superAdmin := hasSuperAdminContext(ctx); superAdmin {
|
||||
return s.UsersStore
|
||||
}
|
||||
if org, ok := hasOrganizationContext(ctx); ok {
|
||||
|
|
|
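Review bot: The init statement in `if superAdmin := hasSuperAdminContext(ctx); superAdmin {` binds a variable that is only read in the condition itself, so the line reads simpler as `if hasSuperAdminContext(ctx) {`. The same pattern appears in the NewUser and UpdateUser hunks with `isSuperAdmin`, where `if !hasSuperAdminContext(ctx) {` would do. Since this branch returns s.UsersStore before the organization check below is consulted, a one-line comment like `// superadmins presumably see every user regardless of organization — confirm` would help a reader; Users continues past the end of this hunk.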
@ -196,7 +196,7 @@ func (s *Service) NewUser(w http.ResponseWriter, r *http.Request) {
|
|||
// set the SuperAdmin field.
|
||||
if req.SuperAdmin == true {
|
||||
// Only allow users to set SuperAdmin if they have the superadmin context
|
||||
if isSuperAdmin, ok := hasSuperAdminContext(ctx); !(ok && isSuperAdmin) {
|
||||
if isSuperAdmin := hasSuperAdminContext(ctx); !isSuperAdmin {
|
||||
Error(w, http.StatusBadRequest, "Cannot set SuperAdmin", s.Logger)
|
||||
return
|
||||
}
|
||||
|
@ -267,6 +267,19 @@ func (s *Service) UpdateUser(w http.ResponseWriter, r *http.Request) {
|
|||
// ValidUpdate should ensure that req.Roles is not nil
|
||||
u.Roles = req.Roles
|
||||
|
||||
// If req.SuperAdmin has been set, verify that it was done with the superadmin context.
|
||||
// Even though req.SuperAdmin == true is logically equivalent to req.SuperAdmin it is
|
||||
// more clear that this code should only be ran in the case that a user is trying to
|
||||
// set the SuperAdmin field.
|
||||
if req.SuperAdmin == true {
|
||||
// Only allow users to set SuperAdmin if they have the superadmin context
|
||||
if isSuperAdmin := hasSuperAdminContext(ctx); !isSuperAdmin {
|
||||
Error(w, http.StatusBadRequest, "Cannot set SuperAdmin", s.Logger)
|
||||
return
|
||||
}
|
||||
u.SuperAdmin = true
|
||||
}
|
||||
|
||||
err = s.Store.Users(ctx).Update(ctx, u)
|
||||
if err != nil {
|
||||
Error(w, http.StatusBadRequest, err.Error(), s.Logger)
|
||||
|
|
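Review bot: Rejecting a non-superadmin's attempt to set SuperAdmin with `http.StatusBadRequest` in the new `Error(w, http.StatusBadRequest, "Cannot set SuperAdmin", s.Logger)` line reports an authorization failure as a malformed request; `http.StatusForbidden` describes the situation accurately and keeps these attempts distinguishable from validation errors in logs and monitoring. The same status is used by the pre-existing check in NewUser. Separately, the added block only ever assigns `u.SuperAdmin = true`, so when req.SuperAdmin is false the stored flag is left untouched and an update cannot revoke superadmin status through this handler — if that is intended, a comment such as `// SuperAdmin can only be granted here, never revoked` would stop a reader from assuming the field mirrors the request. The `== true` comparison is explained by the comment above it but staticcheck (S1002) will flag it; `if req.SuperAdmin {` with the comment kept reads the same. UpdateUser starts and ends outside this hunk.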