oss/miniflux-v2
oss/miniflux-v2
1
0
Fork 0
mirror of https://github.com/miniflux/v2.git synced 2025-08-01 17:38:37 +00:00
Code Wiki Activity

Allow regular users to change settings via API

Browse source
This commit is contained in:
Frédéric Guillot 2020-12-22 15:10:42 -08:00 committed by fguillot
parent fd9eaa3e83
commit 651ee02c11
3 changed files with 60 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

17
api/user.go
View file

@ -63,11 +63,6 @@ func (h *handler) createUser(w http.ResponseWriter, r *http.Request) {
}
func (h *handler) updateUser(w http.ResponseWriter, r *http.Request) {
if !request.IsAdminUser(r) {
json.Forbidden(w, r)
return
}
userID := request.RouteInt64Param(r, "userID")
userChanges, err := decodeUserModificationRequest(r.Body)
if err != nil {
@ -86,6 +81,18 @@ func (h *handler) updateUser(w http.ResponseWriter, r *http.Request) {
return
}
if !request.IsAdminUser(r) {
if originalUser.ID != request.UserID(r) {
json.Forbidden(w, r)
return
}
if userChanges.IsAdmin != nil && *userChanges.IsAdmin {
json.BadRequest(w, r, errors.New("Only administrators can change permissions of standard users"))
return
}
}
userChanges.Update(originalUser)
if err := originalUser.ValidateUserModification(); err != nil {
json.BadRequest(w, r, err)