
Commit 281d03c

committed
Security patches (thanks @Jvr2022)
1 parent ad2ca58 commit 281d03c

2 files changed

+31
-0
lines changed


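--- a/src/utils/auth/ban.ts
+++ b/src/utils/auth/ban.ts
@@ -16,7 +16,14 @@ async function sendDiscordEmbed(embed: Embed) {
 }
 
 export async function banUserPlatform(userId: string, banReason: string, banEnd?: string) {
+const operator = await getUserFromSession()
+if (!operator) {
+throw new Error('Not allowed')
+}
 try {
+if (operator.role !== "admin") {
+return { success: false, error: 'Unauthorized' }
+}
 const updateData: any = {
 loginAllowed: false,
 banReason: banReason
@@ -63,6 +70,10 @@ export async function banUserPlatform(userId: string, banReason: string, banEnd?
 }
 
 export async function banUserForum(userId: string, banReason: string, banEnd?: string) {
+const operator = await getUserFromSession()
+if (!operator || !(operator.role !== "admin")) {
+return { success: false, error: 'Unauthorized' }
+}
 try {
 const updateData: any = {
 forumAllowed: false,
@@ -99,6 +110,10 @@ export async function banUserForum(userId: string, banReason: string, banEnd?: s
 }
 }
 export async function unbanUserPlatform(userId: string) {
+const operator = await getUserFromSession()
+if (!operator || !(operator.role !== "admin")) {
+return { success: false, error: 'Unauthorized' }
+}
 try {
 await prisma.user.update({
 where: {
@@ -131,6 +146,10 @@ export async function unbanUserPlatform(userId: string) {
 }
 }
 export async function unbanUserForum(userId: string) {
+const operator = await getUserFromSession()
+if (!operator || !(operator.role !== "admin")) {
+return { success: false, error: 'Unauthorized' }
+}
 try {
 await prisma.user.update({
 where: {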
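Review bot: The guard `if (!operator || !(operator.role !== "admin"))` added to banUserForum, unbanUserPlatform and unbanUserForum is inverted: `!(operator.role !== "admin")` is true exactly when the operator is an admin, so admins get 'Unauthorized' while any other logged-in user falls through to the ban/unban update. The same inverted condition is pasted into resetUserPassword, setCustomPassword and deleteUser in src/utils/auth/user.ts. Drop the inner negation in all six places: `if (!operator || operator.role !== "admin") {`. banUserPlatform is the only function whose role check is correct, but it throws `new Error('Not allowed')` for a missing session while its siblings return `{ success: false, error: 'Unauthorized' }`; one failure shape for both cases would let callers handle them uniformly. The bodies of all four functions continue outside the shown hunks.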

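--- a/src/utils/auth/user.ts
+++ b/src/utils/auth/user.ts
@@ -302,6 +302,10 @@ export async function createUserCredentials(
 }
 
 export async function resetUserPassword(userId: string): Promise<PasswordActionResult> {
+const operator = await getUserFromSession()
+if (!operator || !(operator.role !== "admin")) {
+return { success: false, error: 'Unauthorized' }
+}
 try {
 // Generate a random temporary password
 const tempPassword = crypto.randomBytes(8).toString('base64');
@@ -345,6 +349,10 @@ export async function resetUserPassword(userId: string): Promise<PasswordActionR
 }
 
 export async function setCustomPassword(userId: string, password: string): Promise<PasswordActionResult> {
+const operator = await getUserFromSession()
+if (!operator || !(operator.role !== "admin")) {
+return { success: false, error: 'Unauthorized' }
+}
 try {
 const salt = crypto.randomBytes(16).toString("base64");
 
@@ -386,6 +394,10 @@ export async function setCustomPassword(userId: string, password: string): Promi
 }
 
 export async function deleteUser(userId: string) {
+const operator = await getUserFromSession()
+if (!operator || !(operator.role !== "admin")) {
+return { success: false, error: 'Unauthorized' }
+}
 try {
 // First, delete all sessions for this user
 await prisma.session.deleteMany({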
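Review bot: The session lookup plus role comparison is hand-copied into resetUserPassword, setCustomPassword and deleteUser here (and into four functions in src/utils/auth/ban.ts), which is how the condition ended up written differently in banUserPlatform than everywhere else; a single helper that resolves the operator and decides admin-or-not would give every privileged action the same check and make a future change to the role model a one-line edit. The sketch below uses the correct comparison (`operator.role !== "admin"` rejects non-admins) so callers only need the one early return. Whether `{ success: false, error: 'Unauthorized' }` satisfies PasswordActionResult cannot be seen from this hunk and should be confirmed against that type. The three function bodies continue outside the shown hunks.
```typescript
// Shared guard for admin-only server actions; returns the operator or null.
// (constructed sketch — name and location are a suggestion)
async function requireAdminOperator() {
  const operator = await getUserFromSession()
  if (!operator || operator.role !== "admin") {
    return null
  }
  return operator
}

export async function resetUserPassword(userId: string): Promise<PasswordActionResult> {
  if (!(await requireAdminOperator())) {
    return { success: false, error: 'Unauthorized' }
  }
  // … unchanged: try block that generates and stores the temporary password …
```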
