Prevent from remove admin capabilities by yourself (#804)

CERT-Polska · Apr 26, 2023 · ca23750 · ca23750
1 parent 940725d
commit ca23750
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/mwdb/resources/group.py b/mwdb/resources/group.py
@@ -227,6 +227,9 @@ def put(self, name):
         group = (
             db.session.query(Group).filter(Group.name == group_name_obj["name"]).first()
         )
+
+        user = g.auth_user
+
         if group is None:
             raise NotFound("No such group")
 
@@ -240,6 +243,13 @@ def put(self, name):
             group.name = obj["name"]
 
         if obj["capabilities"] is not None:
+            if (
+                user.login == group.name
+                and Capabilities.manage_users not in obj["capabilities"]
+            ):
+                raise Forbidden(
+                    f"Can't remove '{Capabilities.manage_users }', yourself"
+                )
             group.capabilities = obj["capabilities"]
 
         if obj["default"] is not None:

diff --git a/mwdb/web/src/components/Profile/Views/ProfileCapabilities.jsx b/mwdb/web/src/components/Profile/Views/ProfileCapabilities.jsx
@@ -1,11 +1,15 @@
-import React, { useState, useCallback, useEffect } from "react";
+import React, { useState, useCallback, useEffect, useContext } from "react";
 import { useOutletContext } from "react-router-dom";
 import { Link } from "react-router-dom";
 import { faTimes, faSave } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { find, isNil, isEmpty } from "lodash";
 import { api } from "@mwdb-web/commons/api";
-import { capabilitiesList, Capability } from "@mwdb-web/commons/auth";
+import {
+    capabilitiesList,
+    Capability,
+    AuthContext,
+} from "@mwdb-web/commons/auth";
 import {
     GroupBadge,
     BootstrapSelect,
@@ -15,6 +19,7 @@ import {
 import { useCheckCapabilities } from "@mwdb-web/commons/hooks";
 
 function CapabilitiesTable({ profile }) {
+    const { user } = useContext(AuthContext);
     const { userHasCapabilities } = useCheckCapabilities();
     const { setCapabilitiesToDelete } = useOutletContext();
 
@@ -27,6 +32,11 @@ function CapabilitiesTable({ profile }) {
     }
 
     function isDeleteButtonRender(cap) {
+        const userOrGroupName = profile.name || profile.login;
+        const isManageUsersCapability = cap === Capability.manageUsers;
+        if (isManageUsersCapability && userOrGroupName === user.login) {
+            return false;
+        }
         return !isNil(profile.login) ? isUserDeleteButtonRender(cap) : true;
     }