prevent manager in multi-user from updatingENV via HTTP (#576)

* prevent manager in multi-user from updatingENV via HTTP * remove unneeded args
2024-01-11 12:11:45 -08:00 · 2024-01-11 12:11:45 -08:00 · 7200a06ef0
commit 7200a06ef0
parent 3c859ba303
2 changed files with 8 additions and 0 deletions
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@ -283,6 +283,12 @@ function systemEndpoints(app) {
    [validatedRequest, flexUserRoleValid],
    async (request, response) => {
      try {
+        const user = await userFromSession(request, response);
+        if (!!user && user.role !== "admin") {
+          response.sendStatus(401).end();
+          return;
+        }
+
        const body = reqBody(request);
        const { newValues, error } = updateENV(body);
        if (process.env.NODE_ENV === "production") await dumpENV();
--- a/server/utils/http/index.js
+++ b/server/utils/http/index.js
@ -20,6 +20,8 @@ function makeJWT(info = {}, expiry = "30d") {
  return JWT.sign(info, process.env.JWT_SECRET, { expiresIn: expiry });
 }

+// Note: Only valid for finding users in multi-user mode
+// as single-user mode with password is not a "user"
 async function userFromSession(request, response = null) {
  if (!!response && !!response.locals?.user) {
    return response.locals.user;