fix(auth): checking permissions to update setting only when directly performed by user (#892)

2026-01-16 20:04:32 -05:00 · 2023-10-30 12:51:31 +01:00
parent 647aeda1de
commit 9bd4fb2d79
4 changed files with 19 additions and 1 deletions
--- a/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.spec.ts
+++ b/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.spec.ts
@@ -92,6 +92,7 @@ describe('SetSettingValue', () => {
      userUuid: '00000000-0000-0000-0000-000000000000',
      settingName: SettingName.NAMES.ListedAuthorSecrets,
      value: 'value',
+      checkUserPermissions: true,
    })

    expect(result.isFailed()).toBe(true)
@@ -108,6 +109,7 @@ describe('SetSettingValue', () => {
      userUuid: '00000000-0000-0000-0000-000000000000',
      settingName: SettingName.NAMES.MfaSecret,
      value: 'value',
+      checkUserPermissions: true,
    })

    expect(result.isFailed()).toBe(true)
@@ -140,6 +142,20 @@ describe('SetSettingValue', () => {
    expect(settingRepository.update).toHaveBeenCalled()
  })

+  it('should create a setting with checking user permissions', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      settingName: SettingName.NAMES.MfaSecret,
+      value: 'value',
+      checkUserPermissions: true,
+    })
+
+    expect(result.isFailed()).toBe(false)
+    expect(settingRepository.insert).toHaveBeenCalled()
+  })
+
  it('should insert a new setting if one does not exist', async () => {
    getSetting.execute = jest.fn().mockReturnValue(Result.fail('not found'))

--- a/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.ts
+++ b/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.ts
@@ -37,7 +37,7 @@ export class SetSettingValue implements UseCaseInterface<Setting> {
      return Result.fail(`Setting ${settingName.value} is a subscription setting!`)
    }

-    if (!(await this.userHasPermissionToUpdateSetting(userUuid, settingName))) {
+    if (dto.checkUserPermissions && !(await this.userHasPermissionToUpdateSetting(userUuid, settingName))) {
      return Result.fail(`User ${userUuid.value} does not have permission to update setting ${settingName.value}.`)
    }

--- a/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValueDTO.ts
+++ b/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValueDTO.ts
@@ -2,4 +2,5 @@ export interface SetSettingValueDTO {
  settingName: string
  userUuid: string
  value: string | null
+  checkUserPermissions?: boolean
 }
--- a/packages/auth/src/Infra/InversifyExpressUtils/Base/BaseSettingsController.ts
+++ b/packages/auth/src/Infra/InversifyExpressUtils/Base/BaseSettingsController.ts
@@ -160,6 +160,7 @@ export class BaseSettingsController extends BaseHttpController {
      settingName: name,
      value,
      userUuid: response.locals.user.uuid,
+      checkUserPermissions: true,
    })

    if (result.isFailed()) {