From 6142697b4a21bf357874704d68ab6abb41d0fe4e Mon Sep 17 00:00:00 2001
From: Antoine Gersant <antoine.gersant@lesforges.org>
Date: Sun, 31 May 2020 18:37:08 -0700
Subject: [PATCH] Do not let users remove their own admin rights

---
 src/service/rocket/api.rs | 24 +++++++++++++++++++-----
 src/service/test.rs       |  2 +-
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/service/rocket/api.rs b/src/service/rocket/api.rs
index 53771c6..47c9d8d 100644
--- a/src/service/rocket/api.rs
+++ b/src/service/rocket/api.rs
@@ -146,7 +146,10 @@ impl<'a, 'r> FromRequest<'a, 'r> for Auth {
 	}
 }
 
-struct AdminRights {}
+struct AdminRights {
+	auth: Option<Auth>,
+}
+
 impl<'a, 'r> FromRequest<'a, 'r> for AdminRights {
 	type Error = ();
 
@@ -155,14 +158,14 @@ impl<'a, 'r> FromRequest<'a, 'r> for AdminRights {
 
 		match user::count(&db) {
 			Err(_) => return Outcome::Failure((Status::InternalServerError, ())),
-			Ok(0) => return Outcome::Success(AdminRights {}),
+			Ok(0) => return Outcome::Success(AdminRights { auth: None }),
 			_ => (),
 		};
 
 		let auth = request.guard::<Auth>()?;
 		match user::is_admin(&db, &auth.username) {
 			Err(_) => Outcome::Failure((Status::InternalServerError, ())),
-			Ok(true) => Outcome::Success(AdminRights {}),
+			Ok(true) => Outcome::Success(AdminRights { auth: Some(auth) }),
 			Ok(false) => Outcome::Failure((Status::Forbidden, ())),
 		}
 	}
@@ -213,8 +216,19 @@ fn get_settings(db: State<'_, DB>, _admin_rights: AdminRights) -> Result<Json<Co
 }
 
 #[put("/settings", data = "<config>")]
-fn put_settings(db: State<'_, DB>, _admin_rights: AdminRights, config: Json<Config>) -> Result<()> {
-	config::amend(&db, &config)?;
+fn put_settings(db: State<'_, DB>, admin_rights: AdminRights, config: Json<Config>) -> Result<()> {
+	// Do not let users remove their own admin rights
+	let mut sanitized_config = config.clone();
+	if let Some(users) = &mut sanitized_config.users {
+		for user in users.iter_mut() {
+			if let Some(auth) = &admin_rights.auth {
+				if auth.username == user.name {
+					user.admin = true;
+				}
+			}
+		}
+	}
+	config::amend(&db, &sanitized_config)?;
 	Ok(())
 }
 
diff --git a/src/service/test.rs b/src/service/test.rs
index bad1dbc..eb8733f 100644
--- a/src/service/test.rs
+++ b/src/service/test.rs
@@ -188,7 +188,7 @@ fn test_service_settings() {
 			config::ConfigUser {
 				name: "test_user".into(),
 				password: "some_password".into(),
-				admin: true,
+				admin: false,
 			},
 			config::ConfigUser {
 				name: "other_user".into(),