extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2024-11-22 08:13:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Prevent last admin demotion - Closes #331

Browse Source
This commit is contained in:
Bubka 2024-04-09 14:41:26 +02:00
parent be229d9746
commit 1bc55f5535
6 changed files with 101 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
app/Api/v1/Controllers/UserManagerController.php
View File

@ -102,9 +102,10 @@ public function store(UserManagerStoreRequest $request)
Log::info(sprintf('User ID #%s created by user ID #%s', $user->id, $request->user()->id));
if ($validated['is_admin']) {
$user->promoteToAdministrator();
$user->save();
Log::notice(sprintf('User ID #%s set as administrator at creation by user ID #%s', $user->id, $request->user()->id));
if ($user->promoteToAdministrator()) {
$user->save();
Log::notice(sprintf('User ID #%s set as administrator at creation by user ID #%s', $user->id, $request->user()->id));
}
}
$user->refresh();
@ -192,12 +193,17 @@ public function promote(UserManagerPromoteRequest $request, User $user)
{
$this->authorize('promote', $user);
$user->promoteToAdministrator($request->validated('is_admin'));
$user->save();
if ($user->promoteToAdministrator($request->validated('is_admin')))
{
$user->save();
Log::info(sprintf('User ID #%s set is_admin=%s for User ID #%s', $request->user()->id, $user->isAdministrator(), $user->id));
Log::info(sprintf('User ID #%s set is_admin=%s for User ID #%s', $request->user()->id, $user->isAdministrator(), $user->id));
return new UserManagerResource($user);
}
return new UserManagerResource($user);
return response()->json([
'message' => __('errors.cannot_demote_the_only_admin'),
], 403);
}
/**

29
app/Models/User.php
View File

@ -77,6 +77,13 @@ class User extends Authenticatable implements WebAuthnAuthenticatable
'groups_count' => 'integer',
];
/**
* These are extra user-defined events observers may subscribe to.
*/
protected $observables = [
'demoting'
];
/**
* Scope a query to only include admin users.
*
@ -100,12 +107,30 @@ public function isAdministrator()
/**
* Grant administrator permissions to the user.
*/
public function promoteToAdministrator(bool $promote = true): bool
{
if ($promote == false && $this->fireModelEvent('demoting') === false) {
return false;
}
$this->is_admin = $promote;
return true;
}
/**
* Say if the user is the only registered administrator
*
* @return void
*/
public function promoteToAdministrator(bool $promote = true)
public function isLastAdministrator()
{
$this->is_admin = $promote;
$admins = User::admins()->get();
$toto = $admins->contains($this->id) && $admins->count() === 1;
return $toto;
}
/**

21
app/Observers/UserObserver.php
View File

@ -31,6 +31,21 @@ public function updated(User $user) : void
//
}
/**
* Handle the User "demoting" event.
*/
public function demoting(User $user) : bool
{
// Prevent demotion of the only administrator
if ($user->isLastAdministrator()) {
Log::notice(sprintf('Demotion of user ID #%s denied, cannot demote the only administrator', $user->id));
return false;
}
return true;
}
/**
* Handle the User "deleting" event.
*/
@ -39,10 +54,8 @@ public function deleting(User $user) : bool
Log::info(sprintf('Deletion of User ID #%s requested by User ID #%s', $user->id, Auth::user()->id ?? 'unknown'));
// Prevent deletion of the only administrator
$isLastAdmin = $user->isAdministrator() && User::admins()->count() == 1;
if ($isLastAdmin) {
Log::notice(sprintf('Deletion of user ID #%s refused, cannot delete the only administrator', $user->id));
if ($user->isLastAdministrator()) {
Log::notice(sprintf('Deletion of user ID #%s denied, cannot delete the only administrator', $user->id));
return false;
}

10
resources/js/views/admin/users/Manage.vue
View File

@ -100,12 +100,18 @@
}
}
userService.promote(managedUser.value.info.id, { 'is_admin': isAdmin }).then(response => {
userService.promote(managedUser.value.info.id, { 'is_admin': isAdmin }, { returnError: true }).then(response => {
managedUser.value.info.is_admin = response.data.info.is_admin
notify.success({ text: trans('admin.user_role_updated') })
})
.catch(error => {
notify.error(error)
if( error.response.status === 403 ) {
notify.alert({ text: error.response.data.message })
managedUser.value.info.is_admin = true
}
else {
notify.error(error.response)
}
})
}

1
resources/lang/en/errors.php
View File

@ -57,6 +57,7 @@
'unauthorized' => 'Unauthorized',
'unauthorized_legend' => 'You do not have permissions to view this resource or to perform this action',
'cannot_delete_the_only_admin' => 'Cannot delete the only admin account',
'cannot_demote_the_only_admin' => 'Cannot demote the only admin account',
'error_during_data_fetching' => '💀 Something went wrong during data fetching',
'check_failed_try_later' => 'Check failed, please retry later',
'sso_disabled' => 'SSO is disabled',

35
tests/Api/v1/Controllers/UserManagerControllerTest.php
View File

@ -483,4 +483,39 @@ public function test_promote_returns_UserManagerResource() : void
$response->assertExactJson($resources->response($request)->getData(true));
}
/**
* @test
*/
public function test_demote_returns_UserManagerResource() : void
{
$anotherAdmin = User::factory()->administrator()->create();
$path = '/api/v1/users/' . $anotherAdmin->id . '/promote';
$request = Request::create($path, 'PUT');
$response = $this->actingAs($this->admin, 'api-guard')
->json('PATCH', $path, [
'is_admin' => false,
]);
$anotherAdmin->refresh();
$resources = UserManagerResource::make($anotherAdmin);
$response->assertExactJson($resources->response($request)->getData(true));
}
/**
* @test
*/
public function test_demote_the_only_admin_returns_forbidden() : void
{
$this->assertTrue(User::admins()->count() == 1);
$this->actingAs($this->admin, 'api-guard')
->json('PATCH', '/api/v1/users/' . $this->admin->id . '/promote', [
'is_admin' => false,
])
->assertForbidden();
}
}