fix: roles lookup respects possible undefined roles prop

leaonline · Dec 23, 2022 · bd132ec · bd132ec
1 parent 9e8ca40
commit bd132ec
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/imports/api/accounts/updateUser.js b/imports/api/accounts/updateUser.js
@@ -38,9 +38,10 @@ export const updateUser = (update, original, debug = () => {}) => {
     modifier.$set = modifier.$set || {}
     modifier.$set.institution = update.institution
   }
+
   // take away old roles
   const allRoles = allUserRoles(original._id, original.institution)
-  const rolesToRemove = allRoles.filter(role => institutionChanged || !original.roles.includes(role))
+  const rolesToRemove = allRoles.filter(role => institutionChanged || !original.roles?.includes(role))
 
   if (rolesToRemove.length > 0) {
     debug(original.email, { rolesToRemove, institution: original.institution })

diff --git a/imports/api/admin/Admin.js b/imports/api/admin/Admin.js
@@ -92,14 +92,14 @@ Admin.methods.updateUser = {
         throw new Meteor.Error('errors.permissionDenied', 'errors.docNotFound')
       }
 
-      const isAdmin = userDoc.roles.includes('admin')
+      const isAdmin = userDoc.roles?.includes('admin')
       // no updates on an admin
       if (isAdmin) {
         throw new Meteor.Error('errors.permissionDenied', 'admin.noUpdateOnAdmin')
       }
 
       // no lifting of user to become admin
-      if (!isAdmin && updateDoc.roles.includes('admin')) {
+      if (!isAdmin && updateDoc.roles?.includes('admin')) {
         throw new Meteor.Error('errors.permissionDenied', 'admin.noLifting')
       }
 
@@ -124,7 +124,7 @@ Admin.methods.removeUser = {
         throw new Meteor.Error('errors.permissionDenied', 'errors.docNotFound')
       }
 
-      if (userDoc.roles.includes('admin')) {
+      if (userDoc.roles?.includes('admin')) {
         throw new Meteor.Error('errors.permissionDenied', 'admin.noUpdateOnAdmin')
       }