fix: prevent manage system assignment from manage groups permission

e5cbf6b9 · NGPixel · Nicolas Giard · 7715dc6f · e5cbf6b9
Commit e5cbf6b9 authored May 09, 2022 by NGPixel Committed by Nicolas Giard May 20, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

group.js server/graph/resolvers/group.js +8 -0

No files found.
--- a/server/graph/resolvers/group.js
+++ b/server/graph/resolvers/group.js
@@ -167,6 +167,14 @@ module.exports = {
        throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.')
      }

+      // Check assigned permissions for manage:groups
+      if (
+        WIKI.auth.checkExclusiveAccess(req.user, ['manage:groups'], ['manage:system']) &&
+        args.permissions.some(p => _.last(p.split(':')) === 'system')
+      ) {
+        throw new gql.GraphQLError('You are not authorized to manage this group or assign the manage:system permissions.')
+      }
+
      // Update group
      await WIKI.models.groups.query().patch({
        name: args.name,