Skip to content

Commit fc17e8c

Browse files
committed
fix(trustlab): validate roles for user access
1 parent d77f702 commit fc17e8c

2 files changed

Lines changed: 17 additions & 2 deletions

File tree

apps/trustlab/src/payload/access/abilities.js

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -41,14 +41,17 @@ export const hasAdminAccess = ({ req } = {}) => isAdmin(req?.user);
4141

4242
// TODO(@kelvinkipruto): what happens on delete? cascade or not?
4343
export const canManageUser = (user) => {
44-
if (!user) {
44+
if (!isLoggedIn(user)) {
4545
return false;
4646
}
4747
// Admins can manage all users
4848
if (user.role === ROLE_ADMIN) {
4949
return true;
5050
}
5151
// All other users can manage their own accounts
52+
if (!user.id) {
53+
return false;
54+
}
5255
const orQuery = [
5356
{
5457
id: {

apps/trustlab/src/payload/access/index.test.js

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -121,10 +121,22 @@ describe("payload.access", () => {
121121
});
122122
});
123123

124-
it("denies requests from anonymous users", () => {
124+
it("denies requests from invalid-role and anonymous users", () => {
125+
expect(
126+
hasManageUserAccess({ req: { user: { id: 1, role: "unknown" } } }),
127+
).toBe(false);
125128
expect(hasManageUserAccess({ req: {} })).toBe(false);
126129
expect(hasManageUserAccess(undefined)).toBe(false);
127130
});
131+
132+
it("denies requests from non-admin users without a user id for ownership checks", () => {
133+
expect(
134+
hasManageUserAccess({ req: { user: { role: ROLE_AUTHOR } } }),
135+
).toBe(false);
136+
expect(
137+
hasManageUserAccess({ req: { user: { role: ROLE_EDITOR } } }),
138+
).toBe(false);
139+
});
128140
});
129141

130142
describe("abilities.hasEditorAccess", () => {

0 commit comments

Comments
 (0)