Added check for last admin on role change

Will show error message if last admin and admin role is removed.
Closes #1124
Also cleaned up user controller a little.
This commit is contained in:
Dan Brown 2018-12-30 16:11:58 +00:00
parent 456afdcd4c
commit 2317bf2350
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
6 changed files with 74 additions and 10 deletions

View File

@ -3,6 +3,7 @@
use Activity;
use BookStack\Entities\Repos\EntityRepo;
use BookStack\Exceptions\NotFoundException;
use BookStack\Exceptions\UserUpdateException;
use BookStack\Uploads\Image;
use Exception;
use Images;
@ -42,7 +43,7 @@ class UserRepo
*/
public function getById($id)
{
return $this->user->findOrFail($id);
return $this->user->newQuery()->findOrFail($id);
}
/**
@ -135,6 +136,40 @@ class UserRepo
return true;
}
/**
* Set the assigned user roles via an array of role IDs.
* @param User $user
* @param array $roles
* @throws UserUpdateException
*/
public function setUserRoles(User $user, array $roles)
{
if ($this->demotingLastAdmin($user, $roles)) {
throw new UserUpdateException(trans('errors.role_cannot_remove_only_admin'), $user->getEditUrl());
}
$user->roles()->sync($roles);
}
/**
* Check if the given user is the last admin and their new roles no longer
* contains the admin role.
* @param User $user
* @param array $newRoles
* @return bool
*/
protected function demotingLastAdmin(User $user, array $newRoles) : bool
{
if ($this->isOnlyAdmin($user)) {
$adminRole = $this->role->getSystemRole('admin');
if (!in_array(strval($adminRole->id), $newRoles)) {
return true;
}
}
return false;
}
/**
* Create a new basic instance of user.
* @param array $data
@ -143,7 +178,6 @@ class UserRepo
*/
public function create(array $data, $verifyEmail = false)
{
return $this->user->forceCreate([
'name' => $data['name'],
'email' => $data['email'],

View File

@ -11,7 +11,7 @@ class NotifyException extends \Exception
* @param string $message
* @param string $redirectLocation
*/
public function __construct($message, $redirectLocation)
public function __construct(string $message, string $redirectLocation = "/")
{
$this->message = $message;
$this->redirectLocation = $redirectLocation;

View File

@ -0,0 +1,3 @@
<?php namespace BookStack\Exceptions;
class UserUpdateException extends NotifyException {}

View File

@ -3,6 +3,7 @@
use BookStack\Auth\Access\SocialAuthService;
use BookStack\Auth\User;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\UserUpdateException;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
@ -15,7 +16,7 @@ class UserController extends Controller
/**
* UserController constructor.
* @param User $user
* @param \BookStack\Auth\UserRepo $userRepo
* @param UserRepo $userRepo
*/
public function __construct(User $user, UserRepo $userRepo)
{
@ -59,6 +60,7 @@ class UserController extends Controller
* Store a newly created user in storage.
* @param Request $request
* @return Response
* @throws UserUpdateException
*/
public function store(Request $request)
{
@ -89,7 +91,7 @@ class UserController extends Controller
if ($request->filled('roles')) {
$roles = $request->get('roles');
$user->roles()->sync($roles);
$this->userRepo->setUserRoles($user, $roles);
}
$this->userRepo->downloadAndAssignUserAvatar($user);
@ -124,6 +126,7 @@ class UserController extends Controller
* @param Request $request
* @param int $id
* @return Response
* @throws UserUpdateException
*/
public function update(Request $request, $id)
{
@ -140,13 +143,13 @@ class UserController extends Controller
'setting' => 'array'
]);
$user = $this->user->findOrFail($id);
$user = $this->userRepo->getById($id);
$user->fill($request->all());
// Role updates
if (userCan('users-manage') && $request->filled('roles')) {
$roles = $request->get('roles');
$user->roles()->sync($roles);
$this->userRepo->setUserRoles($user, $roles);
}
// Password updates
@ -185,7 +188,7 @@ class UserController extends Controller
return $this->currentUser->id == $id;
});
$user = $this->user->findOrFail($id);
$user = $this->userRepo->getById($id);
$this->setPageTitle(trans('settings.users_delete_named', ['userName' => $user->name]));
return view('users/delete', ['user' => $user]);
}
@ -194,6 +197,7 @@ class UserController extends Controller
* Remove the specified user from storage.
* @param int $id
* @return Response
* @throws \Exception
*/
public function destroy($id)
{
@ -279,7 +283,7 @@ class UserController extends Controller
$viewType = 'list';
}
$user = $this->user->findOrFail($id);
$user = $this->userRepo->getById($id);
setting()->putUser($user, 'bookshelves_view_type', $viewType);
return redirect()->back(302, [], "/settings/users/$id");

View File

@ -64,6 +64,7 @@ return [
'role_cannot_be_edited' => 'This role cannot be edited',
'role_system_cannot_be_deleted' => 'This role is a system role and cannot be deleted',
'role_registration_default_cannot_delete' => 'This role cannot be deleted while set as the default registration role',
'role_cannot_remove_only_admin' => 'This user is the only user assigned to the administrator role. Assign the administrator role to another user before attempting to remove it here.',
// Comments
'comment_list' => 'An error occurred while fetching the comments.',

View File

@ -78,6 +78,28 @@ class RolesTest extends BrowserKitTest
->dontSee($testRoleUpdateName);
}
public function test_admin_role_cannot_be_removed_if_last_admin()
{
$adminRole = Role::where('system_name', '=', 'admin')->first();
$adminUser = $this->getAdmin();
$adminRole->users()->where('id', '!=', $adminUser->id)->delete();
$this->assertEquals($adminRole->users()->count(), 1);
$viewerRole = $this->getViewer()->roles()->first();
$editUrl = '/settings/users/' . $adminUser->id;
$this->actingAs($adminUser)->put($editUrl, [
'name' => $adminUser->name,
'email' => $adminUser->email,
'roles' => [
'viewer' => strval($viewerRole->id),
]
])->followRedirects();
$this->seePageIs($editUrl);
$this->see('This user is the only user assigned to the administrator role');
}
public function test_manage_user_permission()
{
$this->actingAs($this->user)->visit('/settings/users')