From 186f0ac97bd5b59d1bcd9023412495e4244cbf33 Mon Sep 17 00:00:00 2001
From: imp2002
Date: Mon, 2 Jan 2023 09:27:25 +0800
Subject: [PATCH] feat: check permission when update user (#1438)
* feat: check permission when update user
* feat: check permission when update user
* fix: fix organization accountItem modifyRule
* fix: fix organization accountItem modifyRule
---
 controllers/user.go | 118 ++++++++++++++++++++++++++++++++++++++++
 web/src/AccountTable.js | 2 +-
 web/src/UserEditPage.js | 4 +-
 3 files changed, 121 insertions(+), 3 deletions(-)
diff --git a/controllers/user.go b/controllers/user.go
index 3edb5537..b8ae62b0 100644
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -17,6 +17,7 @@ package controllers
 import (
 "encoding/json"
 "fmt"
+ "reflect"
 "strings"
 "github.com/beego/beego/utils/pagination"
@@ -125,6 +126,117 @@ func (c *ApiController) GetUser() {
 c.ServeJSON()
 }
+func checkPermissionForUpdateUser(id string, newUser object.User, c *ApiController) (bool, string) {
+ oldUser := object.GetUser(id)
+ org := object.GetOrganizationByUser(oldUser)
+ var itemsChanged []*object.AccountItem
+
+ if oldUser.Owner != newUser.Owner {
+ item := object.GetAccountItemByName("Organization", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Name != newUser.Name {
+ item := object.GetAccountItemByName("Name", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Id != newUser.Id {
+ item := object.GetAccountItemByName("ID", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.DisplayName != newUser.DisplayName {
+ item := object.GetAccountItemByName("Display name", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Avatar != newUser.Avatar {
+ item := object.GetAccountItemByName("Avatar", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Type != newUser.Type {
+ item := object.GetAccountItemByName("User type", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ // The password is *** when not modified
+ if oldUser.Password != newUser.Password && newUser.Password != "***" {
+ item := object.GetAccountItemByName("Password", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Email != newUser.Email {
+ item := object.GetAccountItemByName("Email", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Phone != newUser.Phone {
+ item := object.GetAccountItemByName("Phone", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Region != newUser.Region {
+ item := object.GetAccountItemByName("Country/Region", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Location != newUser.Location {
+ item := object.GetAccountItemByName("Location", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Affiliation != newUser.Affiliation {
+ item := object.GetAccountItemByName("Affiliation", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Title != newUser.Title {
+ item := object.GetAccountItemByName("Title", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Homepage != newUser.Homepage {
+ item := object.GetAccountItemByName("Homepage", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Bio != newUser.Bio {
+ item := object.GetAccountItemByName("Bio", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.Tag != newUser.Tag {
+ item := object.GetAccountItemByName("Tag", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.SignupApplication != newUser.SignupApplication {
+ item := object.GetAccountItemByName("Signup application", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if reflect.DeepEqual(oldUser.Roles, newUser.Roles) {
+ item := object.GetAccountItemByName("Roles", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if reflect.DeepEqual(oldUser.Permissions, newUser.Permissions) {
+ item := object.GetAccountItemByName("Permissions", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if reflect.DeepEqual(oldUser.Properties, newUser.Properties) {
+ item := object.GetAccountItemByName("Properties", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.IsAdmin != newUser.IsAdmin {
+ item := object.GetAccountItemByName("Is admin", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.IsGlobalAdmin != newUser.IsGlobalAdmin {
+ item := object.GetAccountItemByName("Is global admin", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.IsForbidden != newUser.IsForbidden {
+ item := object.GetAccountItemByName("Is forbidden", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+ if oldUser.IsDeleted != newUser.IsDeleted {
+ item := object.GetAccountItemByName("Is deleted", org)
+ itemsChanged = append(itemsChanged, item)
+ }
+
+ for i := range itemsChanged {
+ if pass, err := object.CheckAccountItemModifyRule(itemsChanged[i], c.getCurrentUser(), c.GetAcceptLanguage()); !pass {
+ return pass, err
+ }
+ }
+ return true, ""
+}
+
 // UpdateUser
 // @Title UpdateUser
 // @Tag User API
@@ -159,6 +271,12 @@ func (c *ApiController) UpdateUser() {
 }
 isGlobalAdmin := c.IsGlobalAdmin()
+
+ if pass, err := checkPermissionForUpdateUser(id, user, c); !pass {
+ c.ResponseError(c.T(err))
+ return
+ }
+
 affected := object.UpdateUser(id, &user, columns, isGlobalAdmin)
 if affected {
 object.UpdateUserToOriginalDatabase(&user)
diff --git a/web/src/AccountTable.js b/web/src/AccountTable.js
index 7ff96ab6..0482fa7e 100644
--- a/web/src/AccountTable.js
+++ b/web/src/AccountTable.js
@@ -170,7 +170,7 @@ class AccountTable extends React.Component {
 }
 let options;
- if (record.viewRule === "Admin") {
+ if (record.viewRule === "Admin" || record.name === "Is admin" || record.name === "Is global admin") {
 options = [
 {id: "Admin", name: "Admin"},
 {id: "Immutable", name: "Immutable"},
diff --git a/web/src/UserEditPage.js b/web/src/UserEditPage.js
index 93b57d5a..c48f3034 100644
--- a/web/src/UserEditPage.js
+++ b/web/src/UserEditPage.js
@@ -500,7 +500,7 @@ class UserEditPage extends React.Component {
 {Setting.getLabel(i18next.t("user:Is admin"), i18next.t("user:Is admin - Tooltip"))} :
- {
+ {
 this.updateUserField("isAdmin", checked);
 }} />
@@ -513,7 +513,7 @@ class UserEditPage extends React.Component {
 {Setting.getLabel(i18next.t("user:Is global admin"), i18next.t("user:Is global admin - Tooltip"))} :
- {
+ {
 this.updateUserField("isGlobalAdmin", checked);
 }} />
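Review bot: The three `reflect.DeepEqual` guards for Roles, Permissions and Properties in checkPermissionForUpdateUser are inverted: the account item is queued for `CheckAccountItemModifyRule` only when the old and new values are *equal*, so a request that actually changes a user's roles, permissions or properties bypasses the modify-rule check entirely, while an unchanged request is checked for nothing. Each guard should read `if !reflect.DeepEqual(oldUser.Roles, newUser.Roles) {` (and likewise for `Permissions` and `Properties`). Two smaller points: `oldUser` from `object.GetUser(id)` is dereferenced with no nil check, so if that helper returns nil for an unknown id this panics before the caller's own validation runs — worth confirming against `GetUser`; and because the function is an explicit list of compared fields, any `User` field without a case here is silently exempt from the rule check, which deserves a comment such as `// Fields not compared here are not subject to account-item modify rules.` The helper also takes `newUser object.User` by value; `*object.User` would avoid copying the struct and match how `object.UpdateUser` receives it.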
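Review bot: In UpdateUser, `pass, err := checkPermissionForUpdateUser(id, user, c)` binds a plain `string` message to a variable named `err`, which reads as an `error` value and is then handed straight to `c.T`; naming it `msg` here and in the helper's `return pass, err`, or having the helper return `error`, would make the contract clearer. The permission check is also evaluated against every field of the submitted `user` even though `object.UpdateUser` only writes `columns`, so a request can be rejected for a field that would never have been persisted — presumably acceptable as fail-closed, but it deserves a comment such as `// Rule check covers the full submitted user, not just columns; rejections are conservative.` UpdateUser's body starts and ends outside the hunk.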
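Review bot: Restricting the dropdown to Admin/Immutable for the `Is admin` and `Is global admin` items only constrains the UI; the organization record is still submitted by the client, so a caller using the API directly can still store `Self` as the modifyRule for those items unless the server rejects it when the organization is saved — that server-side validation is not part of this change and is where the invariant actually has to hold. The match is also on the display-name strings `"Is admin"` and `"Is global admin"`, which must stay byte-identical to the names the server looks up in `GetAccountItemByName`; a shared constant list of privileged item names would make that coupling explicit. The enclosing method of this hunk starts outside the hunk.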