Added protection for ownership transfer

no issue
2025-02-10 23:36:14 -05:00 · 2018-10-06 21:50:31 +02:00 · 2018-10-06 21:50:31 +02:00 · 476ac185aa
commit 476ac185aa
parent d0f2b843c8
2 changed files with 19 additions and 3 deletions
--- a/core/server/models/user.js
+++ b/core/server/models/user.js
@ -873,9 +873,16 @@ User = ghostBookshelf.Model.extend({
                    User.findOne({id: object.id}, {withRelated: ['roles']}));
            })
            .then(function then(results) {
-                var adminRole = results[0],
-                    user = results[1],
-                    currentRoles = user.toJSON(options).roles;
+                const adminRole = results[0];
+                const user = results[1];
+
+                if (!user) {
+                    return Promise.reject(new common.errors.NotFoundError({
+                        message: common.i18n.t('errors.models.user.userNotFound')
+                    }));
+                }
+
+                const currentRoles = user.toJSON(options).roles;

                if (!_.some(currentRoles, {id: adminRole.id})) {
                    return Promise.reject(new common.errors.ValidationError({
--- a/core/test/integration/api/api_users_spec.js
+++ b/core/test/integration/api/api_users_spec.js
@ -1529,6 +1529,15 @@ describe('Users API', function () {
            }).catch(done);
        });

+        it('Owner can transfer ownership, but `id` does not exist', function () {
+            return UserAPI
+                .transferOwnership({owner: [{id: 'id'}]}, context.owner)
+                .then(Promise.reject)
+                .catch((err) => {
+                    err.statusCode.should.eql(404);
+                });
+        });
+
        it('Owner CANNOT downgrade own role', function (done) {
            // Cannot change own role to admin
            UserAPI.transferOwnership(