marcel/familienarchiv
1
0
Fork 0
Code Issues 107 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Browse Source 
Fixes IDOR: the endpoint was publicly accessible to any authenticated user.
Now requires ADMIN_USER permission, matching all other user management endpoints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-03-30 01:09:40 +02:00
parent 169e6dc578
commit 8fc360a596
22 changed files with 844 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
frontend/src/routes/admin/users/[id]/+page.svelte
View File

@@ -10,85 +10,74 @@ let { data, form } = $props();
const selectedGroupIds = $derived(data.editUser.groups?.map((g: { id: string }) => g.id) ?? []);
</script>
<div class="mx-auto max-w-3xl px-4 py-8 sm:px-6 lg:px-8">
<a
href="/admin"
class="group mb-4 inline-flex items-center text-xs font-bold tracking-widest text-ink-2 uppercase transition-colors hover:text-ink"
>
<svg
class="mr-2 h-4 w-4 transform transition-transform group-hover:-translate-x-1"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
stroke-width="2"
<div class="flex flex-1 flex-col overflow-hidden">
<!-- Detail panel header -->
<div class="flex items-center border-b border-line px-5 py-3">
<h2 class="flex-1 font-sans text-sm font-bold text-ink">
{m.admin_user_edit_heading({ username: data.editUser.username })}
</h2>
</div>
<!-- Scrollable body -->
<div class="flex-1 overflow-y-auto px-5 py-5">
{#if form?.success}
<div class="mb-5 rounded border border-green-200 bg-green-50 p-3 text-sm text-green-700">
{m.admin_user_updated()}
</div>
{/if}
{#if form?.error}
<div class="mb-5 rounded border border-red-200 bg-red-50 p-3 text-sm text-red-700">
{form.error}
</div>
{/if}
<form id="edit-user-form" method="POST" use:enhance class="space-y-5">
<!-- Profile card -->
<div class="rounded-sm border border-line bg-surface p-5 shadow-sm">
<h3 class="mb-4 text-xs font-bold tracking-widest text-ink-3 uppercase">
{m.profile_section_personal()}
</h3>
<UserProfileSection
firstName={data.editUser.firstName ?? ''}
lastName={data.editUser.lastName ?? ''}
birthDate={data.editUser.birthDate ?? ''}
email={data.editUser.email ?? ''}
contact={data.editUser.contact ?? ''}
/>
</div>
<!-- Groups card -->
<div class="rounded-sm border border-line bg-surface p-5 shadow-sm">
<h3 class="mb-4 text-xs font-bold tracking-widest text-ink-3 uppercase">
{m.admin_col_groups()}
</h3>
<UserGroupsSection groups={data.groups} selectedGroupIds={selectedGroupIds} />
</div>
<!-- Password card -->
<div class="rounded-sm border border-line bg-surface p-5 shadow-sm">
<h3 class="mb-4 text-xs font-bold tracking-widest text-ink-3 uppercase">
{m.admin_label_new_password_optional()}
</h3>
<UserPasswordSection />
</div>
</form>
</div>
<!-- Docked footer -->
<div class="flex items-center justify-between border-t border-line bg-surface px-5 py-3">
<a
href="/admin/users"
class="font-sans text-xs font-bold tracking-widest text-ink-2 uppercase hover:text-ink"
>
<path stroke-linecap="round" stroke-linejoin="round" d="M15 19l-7-7 7-7" />
</svg>
{m.btn_back_to_overview()}
</a>
<h1 class="mb-6 font-serif text-3xl font-bold text-ink">
{m.admin_user_edit_heading({ username: data.editUser.username })}
</h1>
{#if form?.success}
<div class="mb-5 rounded border border-green-200 bg-green-50 p-3 text-sm text-green-700">
{m.admin_user_updated()}
</div>
{/if}
{#if form?.error}
<div class="mb-5 rounded border border-red-200 bg-red-50 p-3 text-sm text-red-700">
{form.error}
</div>
{/if}
<form method="POST" use:enhance class="space-y-6">
<!-- Profile card -->
<div class="rounded-sm border border-line bg-surface p-6 shadow-sm">
<h2 class="mb-5 text-xs font-bold tracking-widest text-ink-3 uppercase">
{m.profile_section_personal()}
</h2>
<UserProfileSection
firstName={data.editUser.firstName ?? ''}
lastName={data.editUser.lastName ?? ''}
birthDate={data.editUser.birthDate ?? ''}
email={data.editUser.email ?? ''}
contact={data.editUser.contact ?? ''}
/>
</div>
<!-- Groups card -->
<div class="rounded-sm border border-line bg-surface p-6 shadow-sm">
<h2 class="mb-5 text-xs font-bold tracking-widest text-ink-3 uppercase">
{m.admin_col_groups()}
</h2>
<UserGroupsSection groups={data.groups} selectedGroupIds={selectedGroupIds} />
</div>
<!-- Password card -->
<div class="rounded-sm border border-line bg-surface p-6 shadow-sm">
<h2 class="mb-5 text-xs font-bold tracking-widest text-ink-3 uppercase">
{m.admin_label_new_password_optional()}
</h2>
<UserPasswordSection />
</div>
<!-- Save bar -->
<div
class="sticky bottom-0 z-10 -mx-4 flex items-center justify-between border-t border-line bg-surface px-6 py-4 shadow-[0_-2px_8px_rgba(0,0,0,0.06)]"
{m.btn_cancel()}
</a>
<button
type="submit"
form="edit-user-form"
class="rounded-sm bg-primary px-5 py-2 font-sans text-xs font-bold tracking-widest text-primary-fg uppercase transition-opacity hover:opacity-80"
>
<a
href="/admin"
class="font-sans text-xs font-bold tracking-widest text-ink-2 uppercase hover:text-ink"
>
{m.btn_cancel()}
</a>
<button
type="submit"
class="rounded-sm bg-primary px-5 py-2 font-sans text-xs font-bold tracking-widest text-primary-fg uppercase transition-opacity hover:opacity-80"
>
{m.btn_save()}
</button>
</div>
</form>
{m.btn_save()}
</button>
</div>
</div>

4
frontend/src/routes/admin/users/[id]/page.svelte.spec.ts
View File

@@ -110,11 +110,11 @@ describe('Admin edit user page rendering', () => {
});
});
it('cancel link points to /admin', async () => {
it('cancel link points to /admin/users', async () => {
render(Page, { data: baseData, form: null });
await expect
.element(page.getByRole('link', { name: /Abbrechen/i }))
.toHaveAttribute('href', '/admin');
.toHaveAttribute('href', '/admin/users');
});
it('renders the save button', async () => {