fix(core): Ensure member and admin cannot be promoted to owner (#7830)

https://linear.app/n8n/issue/PAY-985/add-user-role-modification-endpoint#comment-62355f6b
Iván Ovejero
2023-11-27 17:35:58 +01:00
committed by GitHub
parent ac744d6702
commit 9b87a596ca
2 changed files with 43 additions and 30 deletions


@@ -40,7 +40,7 @@ export class UsersController {
NO_USER: 'Target user not found',
NO_ADMIN_ON_OWNER: 'Admin cannot change role on global owner',
NO_OWNER_ON_OWNER: 'Owner cannot change role on global owner',
NO_ADMIN_TO_OWNER: 'Admin cannot promote user to global owner',
NO_USER_TO_OWNER: 'Cannot promote user to global owner',
},
} as const;
@@ -330,7 +330,7 @@ export class UsersController {
MISSING_NEW_ROLE_KEY,
MISSING_NEW_ROLE_VALUE,
NO_ADMIN_ON_OWNER,
NO_ADMIN_TO_OWNER,
NO_USER_TO_OWNER,
NO_USER,
NO_OWNER_ON_OWNER,
} = UsersController.ERROR_MESSAGES.CHANGE_ROLE;
@@ -349,13 +349,8 @@ export class UsersController {
throw new BadRequestError(MISSING_NEW_ROLE_VALUE);
}
if (
req.user.globalRole.scope === 'global' &&
req.user.globalRole.name === 'admin' &&
newRole.scope === 'global' &&
newRole.name === 'owner'
) {
throw new UnauthorizedError(NO_ADMIN_TO_OWNER);
if (newRole.scope === 'global' && newRole.name === 'owner') {
throw new UnauthorizedError(NO_USER_TO_OWNER);
}
const targetUser = await this.userService.findOne({