roles:delete, roles:edit error parity & fix glaring security hole in role edit
Implements: https://todo.e3t.cc/~core/trifid/1
parent
e7da2d7009
commit
7dd7cf80ff
1 changed files with 38 additions and 38 deletions
|
@ -926,8 +926,8 @@ pub async fn delete_role(
|
|||
} else {
|
||||
HttpResponse::NotFound().json(APIErrorsResponse {
|
||||
errors: vec![APIError {
|
||||
code: "ERR_MISSING_ROLE".to_string(),
|
||||
message: "Role does not exist".to_string(),
|
||||
code: "ERR_NOT_FOUND".to_string(),
|
||||
message: "resource not found".to_string(),
|
||||
path: None,
|
||||
}],
|
||||
})
|
||||
|
@ -1041,8 +1041,43 @@ pub async fn update_role_request(
|
|||
}
|
||||
};
|
||||
|
||||
let role = match role::Entity::find()
|
||||
.filter(role::Column::Id.eq(role.as_str()))
|
||||
.one(&db.conn)
|
||||
.await
|
||||
{
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
error!("database error: {}", e);
|
||||
return HttpResponse::InternalServerError().json(APIErrorsResponse {
|
||||
errors: vec![
|
||||
APIError {
|
||||
code: "ERR_DB_ERROR".to_string(),
|
||||
message: "There was an error performing the database request, please try again later.".to_string(),
|
||||
path: None,
|
||||
}
|
||||
],
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
let role = match role {
|
||||
Some(r) => r,
|
||||
None => {
|
||||
return HttpResponse::NotFound().json(APIErrorsResponse {
|
||||
errors: vec![APIError {
|
||||
code: "ERR_NOT_FOUND".to_string(),
|
||||
message:
|
||||
"This resource does not exist or you do not have permission to access it."
|
||||
.to_string(),
|
||||
path: None,
|
||||
}],
|
||||
})
|
||||
}
|
||||
};
|
||||
|
||||
let existing_rules: Vec<firewall_rule::Model> = match firewall_rule::Entity::find()
|
||||
.filter(firewall_rule::Column::Role.eq(role.clone()))
|
||||
.filter(firewall_rule::Column::Role.eq(role.id.clone()))
|
||||
.all(&db.conn)
|
||||
.await
|
||||
{
|
||||
|
@ -1079,41 +1114,6 @@ pub async fn update_role_request(
|
|||
};
|
||||
}
|
||||
|
||||
let role = match role::Entity::find()
|
||||
.filter(role::Column::Id.eq(role.as_str()))
|
||||
.one(&db.conn)
|
||||
.await
|
||||
{
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
error!("database error: {}", e);
|
||||
return HttpResponse::InternalServerError().json(APIErrorsResponse {
|
||||
errors: vec![
|
||||
APIError {
|
||||
code: "ERR_DB_ERROR".to_string(),
|
||||
message: "There was an error performing the database request, please try again later.".to_string(),
|
||||
path: None,
|
||||
}
|
||||
],
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
let role = match role {
|
||||
Some(r) => r,
|
||||
None => {
|
||||
return HttpResponse::Unauthorized().json(APIErrorsResponse {
|
||||
errors: vec![APIError {
|
||||
code: "ERR_UNAUTHORIZED".to_string(),
|
||||
message:
|
||||
"This resource does not exist or you do not have permission to access it."
|
||||
.to_string(),
|
||||
path: None,
|
||||
}],
|
||||
})
|
||||
}
|
||||
};
|
||||
|
||||
let mut role_active_model = role.clone().into_active_model();
|
||||
|
||||
role_active_model.modified_at = Set(SystemTime::now()
|
||||
|
|
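Review bot: The not-found response added to update_role_request in the @ -1041 hunk still uses the message `"This resource does not exist or you do not have permission to access it."` while the same case in delete_role (@ -926 hunk) now says `"resource not found"`, so the two handlers share the code `ERR_NOT_FOUND` but not the text; pick one string for both so the parity this commit is after actually holds. The new lookup filters only on `role::Column::Id.eq(role.as_str())`, so whatever establishes that the caller may touch this role has to happen before or after this point — that check is outside the hunk, so confirm it exists rather than relying on the message's "you do not have permission" clause, which by itself does not gate anything. Doing the lookup before the firewall_rule query so the filter can use `role.id.clone()` instead of the raw path string is the right ordering. update_role_request begins before the first hunk and continues past the last one.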