mirror of
https://github.com/Unleash/unleash.git
synced 2025-01-25 00:07:47 +01:00
e9d9db17fe
In order to prevent users from being able to assign roles/permissions they don't have, this PR adds a check that the user performing the action either is Admin, Project owner or has the same role they are trying to grant/add. This addAccess method is only used from Enterprise, so there will be a separate PR there, updating how we return the roles list for a user, so that our frontend can only present the roles a user is actually allowed to grant. This adds the validation to the backend to ensure that even if the frontend thinks we're allowed to add any role to any user here, the backend can be smart enough to stop it. We should still update frontend as well, so that it doesn't look like we can add roles we won't be allowed to. |
||
|---|---|---|
| .. | ||
| access-store.test.ts | ||
| access-store.ts | ||
| account-store.ts | ||
| addon-store.ts | ||
| api-token-store.ts | ||
| client-applications-store.ts | ||
| client-instance-store.ts | ||
| context-field-store.ts | ||
| db-pool.ts | ||
| db.ts | ||
| event-store.ts | ||
| favorite-features-store.ts | ||
| favorite-projects-store.ts | ||
| feature-environment-store.ts | ||
| feature-strategy-store.test.ts | ||
| feature-tag-store.ts | ||
| feature-type-store.ts | ||
| group-store.ts | ||
| index.ts | ||
| pat-store.ts | ||
| project-stats-store.ts | ||
| public-signup-token-store.ts | ||
| reset-token-store.ts | ||
| role-store.ts | ||
| segment-store.test.ts | ||
| segment-store.ts | ||
| session-store.ts | ||
| setting-store.ts | ||
| strategy-store.ts | ||
| tag-store.ts | ||
| transaction.ts | ||
| user-feedback-store.ts | ||
| user-splash-store.ts | ||
| user-store.ts | ||