fix(auth): checking permissions to update setting only when directly …

…performed by user (#892)
standardnotes · Oct 30, 2023 · 9bd4fb2 · 9bd4fb2
1 parent 647aeda
commit 9bd4fb2
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.spec.ts b/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.spec.ts
@@ -92,6 +92,7 @@ describe('SetSettingValue', () => {
       userUuid: '00000000-0000-0000-0000-000000000000',
       settingName: SettingName.NAMES.ListedAuthorSecrets,
       value: 'value',
+      checkUserPermissions: true,
     })
 
     expect(result.isFailed()).toBe(true)
@@ -108,6 +109,7 @@ describe('SetSettingValue', () => {
       userUuid: '00000000-0000-0000-0000-000000000000',
       settingName: SettingName.NAMES.MfaSecret,
       value: 'value',
+      checkUserPermissions: true,
     })
 
     expect(result.isFailed()).toBe(true)
@@ -140,6 +142,20 @@ describe('SetSettingValue', () => {
     expect(settingRepository.update).toHaveBeenCalled()
   })
 
+  it('should create a setting with checking user permissions', async () => {
+    const useCase = createUseCase()
+
+    const result = await useCase.execute({
+      userUuid: '00000000-0000-0000-0000-000000000000',
+      settingName: SettingName.NAMES.MfaSecret,
+      value: 'value',
+      checkUserPermissions: true,
+    })
+
+    expect(result.isFailed()).toBe(false)
+    expect(settingRepository.insert).toHaveBeenCalled()
+  })
+
   it('should insert a new setting if one does not exist', async () => {
     getSetting.execute = jest.fn().mockReturnValue(Result.fail('not found'))
 

diff --git a/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.ts b/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValue.ts
@@ -37,7 +37,7 @@ export class SetSettingValue implements UseCaseInterface<Setting> {
       return Result.fail(`Setting ${settingName.value} is a subscription setting!`)
     }
 
-    if (!(await this.userHasPermissionToUpdateSetting(userUuid, settingName))) {
+    if (dto.checkUserPermissions && !(await this.userHasPermissionToUpdateSetting(userUuid, settingName))) {
       return Result.fail(`User ${userUuid.value} does not have permission to update setting ${settingName.value}.`)
     }
 

diff --git a/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValueDTO.ts b/packages/auth/src/Domain/UseCase/SetSettingValue/SetSettingValueDTO.ts
@@ -2,4 +2,5 @@ export interface SetSettingValueDTO {
   settingName: string
   userUuid: string
   value: string | null
+  checkUserPermissions?: boolean
 }
diff --git a/packages/auth/src/Infra/InversifyExpressUtils/Base/BaseSettingsController.ts b/packages/auth/src/Infra/InversifyExpressUtils/Base/BaseSettingsController.ts
@@ -160,6 +160,7 @@ export class BaseSettingsController extends BaseHttpController {
       settingName: name,
       value,
       userUuid: response.locals.user.uuid,
+      checkUserPermissions: true,
     })
 
     if (result.isFailed()) {