From 3ab33a44f19d17940ec09f9d2a40a1d493100ce3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Tue, 23 Aug 2022 05:21:53 +0200
Subject: [PATCH] Check permission not given for resolver `ChangeGroupMemberRole` if admin will change their own member role in group already at the beginning of 'isAllowedToChangeGroupMemberRole'

Co-Authored-By: Mogge
---
 backend/src/middleware/permissionsMiddleware.js | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index a3935872e..a92aacbba 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -55,8 +55,7 @@ const isMySocialMedia = rule({
 const isAllowedSeeingMembersOfGroup = rule({
 cache: 'no_cache',
 })(async (_parent, args, { user, driver }) => {
- // Wolle: may have a look to 'isAuthenticated'
- if (!user) return false
+ if (!(user && user.id)) return false
 const { id: groupId } = args
 // Wolle: console.log('groupId: ', groupId)
 // console.log('user.id: ', user.id)
@@ -94,13 +93,13 @@ const isAllowedSeeingMembersOfGroup = rule({
 }
 })
 
-const isAllowedToSwitchGroupMemberRole = rule({
+const isAllowedToChangeGroupMemberRole = rule({
 cache: 'no_cache',
 })(async (_parent, args, { user, driver }) => {
- // Wolle: may have a look to 'isAuthenticated'
- if (!user) return false
+ if (!(user && user.id)) return false
 const adminId = user.id
 const { id: groupId, userId, roleInGroup } = args
+ if (adminId === userId) return false
 // Wolle:
 // console.log('adminId: ', adminId)
 // console.log('groupId: ', groupId)
@@ -151,7 +150,6 @@ const isAllowedToSwitchGroupMemberRole = rule({
 !!group &&
 !!admin &&
 !!member &&
- adminId !== userId &&
 // Wolle: member.myRoleInGroup === roleInGroup &&
 ((['admin'].includes(admin.myRoleInGroup) &&
 !['owner'].includes(member.myRoleInGroup) &&
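Review bot: The new guard `if (!(user && user.id)) return false` in isAllowedSeeingMembersOfGroup reads more directly as `if (!user?.id) return false`, provided the project's Node/Babel setup supports optional chaining; the identical guard is added again in isAllowedToChangeGroupMemberRole in the next hunk, so the two rules should at least use the same spelling, or share it through graphql-shield's `and(isAuthenticated, …)` if that helper is imported in this file. Either way a one-line comment stating the intent would help, since the guard deliberately rejects an `id` that is falsy and not only a missing user: `// deny unless the request carries an authenticated user with an id`. The rule's body continues past this hunk.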
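Review bot: `if (adminId === userId) return false` now denies before any database lookup, but it relies on `user.id` from the context and `args.userId` from the GraphQL input having the same runtime type; if one arrives as a number and the other as a string the strict comparison never matches and the self-change guard is skipped, so it is worth confirming both are strings or normalizing with `if (String(adminId) === String(userId)) return false`. The reason for the rule is only in the commit message, so a short comment on that line would help the next reader: `// an admin must not change their own role in the group`. The rule's body continues outside the hunk.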
@@ -259,7 +257,7 @@ export default shield(
 UpdateUser: onlyYourself,
 CreateGroup: isAuthenticated,
 JoinGroup: isAuthenticated, // Wolle: can not be correct
- ChangeGroupMemberRole: isAllowedToSwitchGroupMemberRole,
+ ChangeGroupMemberRole: isAllowedToChangeGroupMemberRole,
 CreatePost: isAuthenticated,
 UpdatePost: isAuthor,
 DeletePost: isAuthor,