From e9a1a8c4eb88f3c7a0d88ff27380987d7b546f3e Mon Sep 17 00:00:00 2001
From: Kraiem Taha Yassine
Date: Tue, 3 Dec 2024 16:27:42 +0100
Subject: [PATCH] fix(chalice): fixed edit user's role (#2810)

---
 ee/api/chalicelib/core/roles.py | 17 +++++++++++++++++
 ee/api/chalicelib/core/users.py | 20 ++++++++++++++++----
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/ee/api/chalicelib/core/roles.py b/ee/api/chalicelib/core/roles.py
index ca1bf9812..5d92fbbc6 100644
--- a/ee/api/chalicelib/core/roles.py
+++ b/ee/api/chalicelib/core/roles.py
@@ -182,3 +182,20 @@ def delete(tenant_id, user_id, role_id):
                             {"tenant_id": tenant_id, "role_id": role_id})
         cur.execute(query=query)
     return get_roles(tenant_id=tenant_id)
+
+
+def get_role(tenant_id, role_id):
+    with pg_client.PostgresClient() as cur:
+        query = cur.mogrify("""SELECT roles.*
+                               FROM public.roles
+                               WHERE tenant_id =%(tenant_id)s
+                                 AND deleted_at IS NULL
+                                 AND not service_role
+                                 AND role_id = %(role_id)s
+                               LIMIT 1;""",
+                            {"tenant_id": tenant_id, "role_id": role_id})
+        cur.execute(query=query)
+        row = cur.fetchone()
+        if row is not None:
+            row["created_at"] = TimeUTC.datetime_to_timestamp(row["created_at"])
+        return helper.dict_to_camel_case(row)
diff --git a/ee/api/chalicelib/core/users.py b/ee/api/chalicelib/core/users.py
index 96a4f7693..ee76150ff 100644
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
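Review bot: `get_role` has no docstring, and its not-found path depends on `helper.dict_to_camel_case(None)` passing `None` through — both new callers in users.py test the result with `is None`, but nothing in this function makes that contract explicit. I would return early, `if row is None: return None`, before the `created_at` conversion, and add a docstring saying the lookup is tenant-scoped and deliberately excludes deleted and service roles, so that `None` is the answer for "not assignable" as much as for "does not exist" — which is the right behaviour for the role-assignment checks this commit adds, but a future caller should not be surprised by it. The `tenant_id` filter is what stops an admin from attaching a role belonging to another tenant, so it is worth naming in the docstring rather than leaving it implicit in the SQL.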
@@ -199,6 +199,12 @@ def create_member(tenant_id, user_id, data: schemas.CreateMemberSchema, backgrou
     role_id = data.roleId
     if role_id is None:
         role_id = roles.get_role_by_name(tenant_id=tenant_id, name="member").get("roleId")
+    else:
+        role = roles.get_role(tenant_id=tenant_id, role_id=role_id)
+        if role is None:
+            return {"errors": ["role not found"]}
+        if role["name"].lower() == "owner" and role["protected"]:
+            return {"errors": ["invalid role"]}
     invitation_token = __generate_invitation_token()
     user = get_deleted_user_by_email(email=data.email)
     if user is not None and user["tenantId"] == tenant_id:
@@ -333,7 +339,7 @@ def edit_member(user_id_to_update, tenant_id, changes: schemas.EditMemberSchema,
     if editor_id != user_id_to_update:
         admin = get_user_role(tenant_id=tenant_id, user_id=editor_id)
         if not admin["superAdmin"] and not admin["admin"]:
-            return {"errors": ["unauthorized"]}
+            return {"errors": ["unauthorized, you must have admin privileges"]}
         if admin["admin"] and user["superAdmin"]:
             return {"errors": ["only the owner can edit his own details"]}
     else:
@@ -343,10 +349,10 @@ def edit_member(user_id_to_update, tenant_id, changes: schemas.EditMemberSchema,
             return {"errors": ["cannot change your own admin privileges"]}
         if changes.roleId:
             if user["superAdmin"] and changes.roleId != user["roleId"]:
-                changes.roleId = None
                 return {"errors": ["owner's role cannot be changed"]}
-
-            if changes.roleId != user["roleId"]:
+            elif user["superAdmin"]:
+                changes.roleId = None
+            elif changes.roleId != user["roleId"]:
                 return {"errors": ["cannot change your own role"]}
     if changes.name and len(changes.name) > 0:
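Review bot: The six added lines in the `else:` branch of `create_member` are the same lookup-and-reject sequence that the `@@ -357` hunk adds to `edit_member`, including the `"role not found"` / `"invalid role"` messages and the `role["name"].lower() == "owner" and role["protected"]` test; two copies of an authorization check drift apart, and the check that stops a member from being given the protected owner role is exactly the one you do not want to diverge. I would put it in one private helper, named with the module's existing double-underscore style like `__generate_invitation_token`, and have both sites call it. The helper also gives the owner-role rule a docstring, which neither copy currently has. `create_member` starts before this hunk and continues after it.

```python
def __assignable_role_error(tenant_id, role_id):
    """Return an error dict if role_id cannot be given to a member of tenant_id, else None.

    A role is not assignable when roles.get_role cannot find it for this tenant
    (missing, deleted or a service role) or when it is the protected owner role.
    """
    role = roles.get_role(tenant_id=tenant_id, role_id=role_id)
    if role is None:
        return {"errors": ["role not found"]}
    if role["name"].lower() == "owner" and role["protected"]:
        return {"errors": ["invalid role"]}
    return None

# … unchanged: create_member up to the roleId handling …
    else:
        role_error = __assignable_role_error(tenant_id=tenant_id, role_id=role_id)
        if role_error is not None:
            return role_error
# … unchanged: invitation token and the rest of create_member …
```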
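Review bot: In the `@@ -343` hunk the self-edit branch treats "re-submitting my current role" asymmetrically: the owner gets `changes.roleId = None` via the new `elif user["superAdmin"]:` line, but a non-owner with `changes.roleId == user["roleId"]` falls through all three branches with `roleId` still set, so the `@@ -357` hunk will then look the role up and write it back unchanged. As far as I can tell that is only a redundant lookup and update today, but if `roles.get_role` finds nothing for the user's own current role the user gets `"role not found"` for a request that changed nothing. Testing equality first and then deciding on `superAdmin` gives the same outcomes for every other case and removes the asymmetry; note that `if changes.roleId:` is a truthiness test, so a role id of `0` would skip this block entirely — probably not reachable, but `is not None` would match the `@@ -357` hunk. `edit_member` starts before this hunk and ends after it.

```python
        if changes.roleId:
            if changes.roleId == user["roleId"]:
                # re-submitting the current role is a no-op for everyone, not only the owner
                changes.roleId = None
            elif user["superAdmin"]:
                return {"errors": ["owner's role cannot be changed"]}
            else:
                return {"errors": ["cannot change your own role"]}
# … unchanged: name handling and the rest of edit_member …
```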
@@ -357,6 +363,12 @@ def edit_member(user_id_to_update, tenant_id, changes: schemas.EditMemberSchema,
     if changes.roleId is not None:
         _changes["roleId"] = changes.roleId
+        role = roles.get_role(tenant_id=tenant_id, role_id=changes.roleId)
+        if role is None:
+            return {"errors": ["role not found"]}
+        else:
+            if role["name"].lower() == "owner" and role["protected"]:
+                return {"errors": ["invalid role"]}
     if len(_changes.keys()) > 0:
         update(tenant_id=tenant_id, user_id=user_id_to_update, changes=_changes, output=False)
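Review bot: The `else:` after `return {"errors": ["role not found"]}` is redundant and pushes the owner-role check one level deeper than its twin in `create_member`; drop it and dedent, `if role["name"].lower() == "owner" and role["protected"]:` / `    return {"errors": ["invalid role"]}`. It would also read more naturally to validate before recording the change — move `_changes["roleId"] = changes.roleId` below the two checks — so that a reader does not have to confirm that every failure path returns before `update(...)` is reached (it does, from the visible lines). A short comment on the owner check, `# the protected owner role can only be held by the account owner, never assigned`, would record why a name-plus-flag test rather than a plain flag is used here, if that is the intent. `edit_member` starts before this hunk.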