mudhorn/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n.git synced 2025-01-11 12:57:29 -08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix(core): Do not allow admins to generate password-reset links for instance owner (#9488)

Browse source
This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™ 2024-05-22 16:13:56 +02:00 committed by GitHub
parent 8f55bb1457
commit 88b9a4070b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 37 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
packages/cli/src/controllers/users.controller.ts
View file

@ -115,6 +115,10 @@ export class UsersController {
throw new NotFoundError('User not found'); throw new NotFoundError('User not found');
} }
if (req.user.role === 'global:admin' && user.role === 'global:owner') {
throw new ForbiddenError('Admin cannot reset password of global owner');
}
const link = this.authService.generatePasswordResetUrl(user); const link = this.authService.generatePasswordResetUrl(user);
return { link }; return { link };
} }

39
packages/cli/test/integration/users.api.test.ts
View file

@ -35,12 +35,6 @@ const testServer = utils.setupTestServer({
enabledFeatures: ['feat:advancedPermissions'], enabledFeatures: ['feat:advancedPermissions'],
}); });
let projectRepository: ProjectRepository;
beforeAll(() => {
projectRepository = Container.get(ProjectRepository);
});
describe('GET /users', () => { describe('GET /users', () => {
let owner: User; let owner: User;
let member: User; let member: User;
@ -243,6 +237,39 @@ describe('GET /users', () => {
}); });
}); });
describe('GET /users/:id/password-reset-link', () => {
let owner: User;
let admin: User;
let member: User;
beforeAll(async () => {
await testDb.truncate(['User']);
[owner, admin, member] = await Promise.all([createOwner(), createAdmin(), createMember()]);
});
it('should allow owners to generate password reset links for admins and members', async () => {
const ownerAgent = testServer.authAgentFor(owner);
await ownerAgent.get(`/users/${owner.id}/password-reset-link`).expect(200);
await ownerAgent.get(`/users/${admin.id}/password-reset-link`).expect(200);
await ownerAgent.get(`/users/${member.id}/password-reset-link`).expect(200);
});
it('should allow admins to generate password reset links for admins and members, but not owners', async () => {
const adminAgent = testServer.authAgentFor(admin);
await adminAgent.get(`/users/${owner.id}/password-reset-link`).expect(403);
await adminAgent.get(`/users/${admin.id}/password-reset-link`).expect(200);
await adminAgent.get(`/users/${member.id}/password-reset-link`).expect(200);
});
it('should not allow members to generate password reset links for anyone', async () => {
const memberAgent = testServer.authAgentFor(member);
await memberAgent.get(`/users/${owner.id}/password-reset-link`).expect(403);
await memberAgent.get(`/users/${admin.id}/password-reset-link`).expect(403);
await memberAgent.get(`/users/${member.id}/password-reset-link`).expect(403);
});
});
describe('DELETE /users/:id', () => { describe('DELETE /users/:id', () => {
let owner: User; let owner: User;
let ownerAgent: SuperAgentTest; let ownerAgent: SuperAgentTest;