tgstation / Tgstation.Server.ControlPanel

Official client for tgstation-server
GNU General Public License v3.0

3.2.0.0 - Users without WriteUsers can't update their own password due to including the `enabled` field. #86

Open francinum opened 2 years ago

francinum commented 2 years ago
[13:40:30]: POST https://<ADDRESS>/User => {"password":"********************","oAuthConnections":null,"permissionSet":null,"group":null,"enabled":true,"createdAt":null,"systemIdentifier":null,"name":null,"id":7}
[13:40:30]: HTTP Forbidden: POST https://<ADDRESS>/User

Users without WriteUsers are unable to alter their own profile because `enabled` is sent in the request: its having any value at all without the flag present will immediately drop the request as forbidden.

// Server-side permission check that rejects the request above.
if ((!canEditAllUsers                       // caller lacks WriteUsers...
    && (model.Id != originalUser.Id         // ...and is editing another user
    || model.Enabled.HasValue               // ...or sent any value for enabled (even the current one)
    || model.Group != null
    || model.PermissionSet != null
    || model.Name != null))
    || (!passwordEdit && model.Password != null)
    || (!oAuthEdit && model.OAuthConnections != null))
    return Forbid();
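The following Python script is an added illustration, not code from tgstation-server or the control panel. It re-implements the quoted permission check as `authorize_user_update` (a hypothetical name) over a `UserUpdate` dataclass mirroring the logged POST body, and contrasts the client behaviour seen in the log (echoing `enabled: true` back) with a sparse request that sends only the field being changed. The field names, the caller id 7 and the password values are constructed for the example.

```python
"""Model of the permission check quoted in the issue and of two ways a client can
build a self-update body. Hypothetical re-implementation, not project code."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class UserUpdate:
    """Fields of the POST /User body as they appear in the logged request.
    None means 'not sent' / JSON null."""
    id: int
    password: Optional[str] = None
    enabled: Optional[bool] = None
    group: Optional[int] = None
    permission_set: Optional[str] = None
    name: Optional[str] = None
    oauth_connections: Optional[list] = None


def authorize_user_update(model: UserUpdate, caller_id: int,
                          can_edit_all_users: bool,
                          password_edit: bool, oauth_edit: bool) -> str:
    """Return 'Forbidden' or 'OK', following the logic of the quoted check.

    Without WriteUsers (can_edit_all_users=False) the caller may only touch its
    own record, and ANY non-null enabled/group/permissionSet/name is treated as
    an attempted privilege edit, regardless of whether the value differs from
    what is stored. That is why echoing the current 'enabled' flag is rejected.
    """
    if not can_edit_all_users and (
        model.id != caller_id
        or model.enabled is not None
        or model.group is not None
        or model.permission_set is not None
        or model.name is not None
    ):
        return "Forbidden"
    if not password_edit and model.password is not None:
        return "Forbidden"
    if not oauth_edit and model.oauth_connections is not None:
        return "Forbidden"
    return "OK"


def build_echoing_update(user_id: int, new_password: str,
                         current_enabled: bool) -> UserUpdate:
    """The pattern visible in the log: the client copies the user's current
    'enabled' flag into the body even though it is not changing it."""
    return UserUpdate(id=user_id, password=new_password, enabled=current_enabled)


def build_sparse_update(user_id: int, new_password: str) -> UserUpdate:
    """Send only the field actually being changed; everything else stays null,
    so the server cannot mistake an unchanged field for a privilege edit."""
    return UserUpdate(id=user_id, password=new_password)


def changed_fields(model: UserUpdate) -> dict:
    """Fields the body would ask the server to modify (id is the selector)."""
    return {k: v for k, v in asdict(model).items() if v is not None and k != "id"}


if __name__ == "__main__":
    # Constructed scenario: user 7 has no WriteUsers but may edit its password.
    caller = 7
    echoing = build_echoing_update(caller, "new-secret", current_enabled=True)
    sparse = build_sparse_update(caller, "new-secret")
    print("echoing body ->", authorize_user_update(echoing, caller, False, True, True))
    print("sparse body  ->", authorize_user_update(sparse, caller, False, True, True))
    print("sparse body changes:", changed_fields(sparse))
```

The check is deliberately conservative: it denies on the presence of a privilege-bearing field, not on a change of its value, so the client-side fix is to leave `enabled` (and `group`, `permissionSet`, `name`) null when the user is only changing their password. Relaxing the server instead would require comparing each sent value against the stored record before deciding it is a no-op, which is a larger change to the authorization path than sending a sparse body.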