From 963526ab0e98958d2808a02f2553b756f540f83c Mon Sep 17 00:00:00 2001
From: Charles Zhao
Date: Sun, 5 Mar 2023 23:04:36 +0800
Subject: [PATCH] fix(core): check identifier collision before updating admin tenant user (#3292)
---
 packages/core/src/routes-me/user.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/packages/core/src/routes-me/user.ts b/packages/core/src/routes-me/user.ts
index 7901239f7..3bcafb2f8 100644
--- a/packages/core/src/routes-me/user.ts
+++ b/packages/core/src/routes-me/user.ts
@@ -15,7 +15,14 @@ import type { AuthedMeRouter } from './types.js';
 export default function userRoutes(
 ...[router, tenant]: RouterInitArgs
 ) {
- const { findUserById, updateUserById } = tenant.queries.users;
+ const {
+ queries: {
+ users: { findUserById, updateUserById },
+ },
+ libraries: {
+ users: { checkIdentifierCollision },
+ },
+ } = tenant;
 router.patch(
 '/user',
@@ -29,10 +36,13 @@ export default function userRoutes(
 }),
 async (ctx, next) => {
 const { id: userId } = ctx.auth;
+ const { body } = ctx.guard;
+
 const user = await findUserById(userId);
 assertThat(!user.isSuspended, new RequestError({ code: 'user.suspended', status: 401 }));
- await updateUserById(userId, ctx.guard.body);
+ await checkIdentifierCollision(body, userId);
+ await updateUserById(userId, body);
 ctx.status = 204;
 return next();
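Review bot: In the second hunk, `await checkIdentifierCollision(body, userId);` and `await updateUserById(userId, body);` are two separate awaited calls, so the check alone does not guarantee uniqueness: two concurrent PATCH `/user` requests could both pass it before either one writes. Whether the users table enforces unique constraints on the identifier columns is not visible in this diff. If it does, the check is only a friendlier error path and a comment above it should say so, e.g. `// Pre-check for a readable error; uniqueness itself is enforced by the DB constraint`. If it does not, the check and the update need to run in one transaction. The handler starts and ends outside the hunk, so any error mapping after `updateUserById` cannot be confirmed from here.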