IT4Change/gradido
3
0
Fork 0
mirror of https://github.com/IT4Change/gradido.git synced 2025-12-13 07:45:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #78 from gradido/login_server_fix

Browse Source 
fix bug with access rights
This commit is contained in:
Ulf Gebhardt 2021-03-24 18:28:14 +01:00 committed by GitHub
commit eb7539d0ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
login_server/src/cpp/JSONInterface/JsonGetUserInfos.cpp
View File

@ -77,11 +77,12 @@ Poco::JSON::Object* JsonGetUserInfos::handle(Poco::Dynamic::Var params)
auto session_user = session->getNewUser(); auto session_user = session->getNewUser();
auto session_user_model = session_user->getModel(); auto session_user_model = session_user->getModel();
bool isAdmin = false; bool isAdmin = false;
bool emailBelongToUser = false;
if (model::table::ROLE_ADMIN == session_user_model->getRole()) { if (model::table::ROLE_ADMIN == session_user_model->getRole()) {
isAdmin = true; isAdmin = true;
} }
if (session_user_model->getEmail() != email && !isAdmin) { if (session_user_model->getEmail() == email) {
return customStateError("not same", "email don't belong to logged in user"); emailBelongToUser = true;
} }
auto user = controller::User::create(); auto user = controller::User::create();
@ -102,7 +103,7 @@ Poco::JSON::Object* JsonGetUserInfos::handle(Poco::Dynamic::Var params)
std::string parameterString; std::string parameterString;
try { try {
parameter.convert(parameterString); parameter.convert(parameterString);
if (parameterString == "EmailVerificationCode.Register" && isAdmin && session_user_model->getEmail() != user_model->getEmail()) { if (parameterString == "EmailVerificationCode.Register" && isAdmin && !emailBelongToUser) {
auto code = readOrCreateEmailVerificationCode(user_model->getID(), model::table::EMAIL_OPT_IN_REGISTER_DIRECT); auto code = readOrCreateEmailVerificationCode(user_model->getID(), model::table::EMAIL_OPT_IN_REGISTER_DIRECT);
if (code) { if (code) {
jsonUser.set("EmailVerificationCode.Register", std::to_string(code)); jsonUser.set("EmailVerificationCode.Register", std::to_string(code));
@ -123,7 +124,7 @@ Poco::JSON::Object* JsonGetUserInfos::handle(Poco::Dynamic::Var params)
else if (parameterString == "user.disabled") { else if (parameterString == "user.disabled") {
jsonUser.set("disabled", user_model->isDisabled()); jsonUser.set("disabled", user_model->isDisabled());
} }
else if (parameterString == "user.email_checked") { else if (parameterString == "user.email_checked" && (isAdmin || emailBelongToUser)) {
jsonUser.set("email_checked", user_model->isEmailChecked()); jsonUser.set("email_checked", user_model->isEmailChecked());
} }
else if (parameterString == "user.identHash") { else if (parameterString == "user.identHash") {