Commit

Use static nums for role elevation check
* I never have liked this test and mathematical calc... it's just asking for a security breach if there is an error somewhere else
* Set to static numbers... we have static numbers all over the place so continue to use these

Applies to OpenUserJS#1109 and OpenUserJS#1107
Martii committed May 17, 2017
1 parent 4143501 commit 646d80f
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions controllers/scriptStorage.js
Expand Up @@ -1337,7 +1337,7 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) {
}

// Check for role change and modify accordingly
if (aUser.role === userRoles.length - 1) {
if (aUser.role === 5) {
if (!aUser.save) {
// Probably using req.session.user which may have gotten serialized.
userDoc = aUser;
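Review bot: The literal 5 in `if (aUser.role === 5)` has no name or comment saying which role it denotes, while the removed `userRoles.length - 1` at least tied the check to the roles list. Define a named constant for this role next to `userRoles` and compare against that, so a later change to the list is handled in one place instead of leaving this guard silently not matching.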
Expand All @@ -1352,7 +1352,7 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) {
return;
}

--aUser.role;
aUser.role = 4;
aUser.save(function (aErr, aUser) {
if (aErr) {
console.warn('MongoDB User save warning error\n' +
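Review bot: `aUser.role = 4` is only correct because of the `=== 5` guard in the earlier hunk, and nothing at this line records that pairing or which role 4 is. A one-line comment here, or a named constant for the target role declared alongside the one used in the guard, would keep the two values from drifting apart.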
Expand All @@ -1365,7 +1365,7 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) {
});
});
} else {
--aUser.role;
aUser.role = 4;
aUser.save(function (aErr, aUser) {
if (aErr) {
console.warn('MongoDB User save warning error\n' +
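Review bot: The `aUser.role = 4` assignment in this else branch duplicates the one in the branch above, together with the same `aUser.save` call, so the target role now has to be kept in sync in two places. Consider moving the assignment and save into one small helper that both branches call; the callback parameter `aUser` in `aUser.save(function (aErr, aUser)` also shadows the outer `aUser`, which a rename would make clearer.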
