]> git.r.bdr.sh - rbdr/mobius/blobdiff - hotline/transaction_handlers.go
git.r.bdr.sh / rbdr / mobius / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Prevent account from creating new account with greater permission
[rbdr/mobius] / hotline / transaction_handlers.go
diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index abe2ea8d2c72c01695f7ad474f4c0c63c8857b38..2d03b0723c496239d08ff5bf7f80d86aaba9b1ae 100644 (file)
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -805,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
                        newAccess := accessBitmap{}
                        copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
                        newAccess := accessBitmap{}
                        copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+                       // Prevent account from creating new account with greater permission
+                       for i := 0; i < 64; i++ {
+                               if newAccess.IsSet(i) {
+                                       if !cc.Authorize(i) {
+                                               return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+                                       }
+                               }
+                       }
+
                        err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
                        if err != nil {
                                return []Transaction{}, err
                        err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
                        if err != nil {
                                return []Transaction{}, err
@@ -834,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
        newAccess := accessBitmap{}
        copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
        newAccess := accessBitmap{}
        copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+       // Prevent account from creating new account with greater permission
+       for i := 0; i < 64; i++ {
+               if newAccess.IsSet(i) {
+                       if !cc.Authorize(i) {
+                               res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+                               return res, err
+                       }
+               }
+       }
+
        if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
                return []Transaction{}, err
        }
        if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
                return []Transaction{}, err
        }
Friendship Quest remix of mobius, a hotline server in go #cli