summaryrefslogtreecommitdiffstats
path: root/api4/user.go
diff options
context:
space:
mode:
Diffstat (limited to 'api4/user.go')
-rw-r--r--api4/user.go46
1 files changed, 46 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index e46ded670..ae1b2418c 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -537,6 +537,20 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ ouser, err := c.App.GetUser(user.Id)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if ouser.Email != user.Email {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted email update by oauth app"
+ return
+ }
+ }
+
if ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin()); err != nil {
c.Err = err
return
@@ -563,6 +577,20 @@ func patchUser(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth && patch.Email != nil {
+ ouser, err := c.App.GetUser(c.Params.UserId)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if ouser.Email != *patch.Email {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted email update by oauth app"
+ return
+ }
+ }
+
if ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin()); err != nil {
c.Err = err
return
@@ -690,6 +718,12 @@ func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
@@ -729,6 +763,12 @@ func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
@@ -1102,6 +1142,12 @@ func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
accessToken := model.UserAccessTokenFromJson(r.Body)
if accessToken == nil {
c.SetInvalidParam("user_access_token")
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-06-06 10:38:29 +0000