mirror of https://github.com/penpot/penpot.git synced 2025-02-15 11:38:24 -05:00

🐛 Fix wrong permission check on removing member of team.

Andrey Antukh 2021-02-24 17:30:06 +01:00
parent e3727aaefe
commit cef0353642


@ -146,7 +146,7 @@
nil))) nil)))
;; --- Mutation: Tean Update Role ;; --- Mutation: Team Update Role
(declare retrieve-team-member) (declare retrieve-team-member)
(declare role->params) (declare role->params)
@ -218,7 +218,7 @@
:viewer {:is-owner false :is-admin false :can-edit false})) :viewer {:is-owner false :is-admin false :can-edit false}))
;; --- Mutation: Team Update Role ;; --- Mutation: Delete Team Member
(s/def ::delete-team-member (s/def ::delete-team-member
(s/keys :req-un [::profile-id ::team-id ::member-id])) (s/keys :req-un [::profile-id ::team-id ::member-id]))
@ -227,8 +227,8 @@
[{:keys [pool] :as cfg} {:keys [team-id profile-id member-id] :as params}] [{:keys [pool] :as cfg} {:keys [team-id profile-id member-id] :as params}]
(db/with-atomic [conn pool] (db/with-atomic [conn pool]
(let [perms (teams/check-read-permissions! conn profile-id team-id)] (let [perms (teams/check-read-permissions! conn profile-id team-id)]
(when-not (or (:is-owner perms) (when-not (or (some :is-owner perms)
(:is-admin perms)) (some :is-admin perms))
(ex/raise :type :validation (ex/raise :type :validation
:code :insufficient-permissions)) :code :insufficient-permissions))
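Review bot: The guard `(when-not (or (some :is-owner perms) (some :is-admin perms))` authorizes on the caller's role alone; none of the visible lines look at the role held by `member-id`. The function body continues past the end of this hunk, so that check may exist further down, but if it does not, an admin could remove the team owner, and that case should be rejected explicitly before the delete. Separately, the original mistake appears to come from treating `perms` as a single map when `check-read-permissions!` evidently returns a collection of rows; a comment above the `let` such as `;; perms is a collection of permission rows, not a map: test roles with some` would keep the keyword lookup from coming back. A test that calls delete-team-member as owner, as admin and as a plain member would pin all three outcomes.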