From 3e187a94c017e0633d503152bc8c756f073d837b Mon Sep 17 00:00:00 2001
From: Maxim Dolgolyov
Date: Sun, 17 May 2026 14:25:03 +0300
Subject: [PATCH] fix(perm): bump token_version on resetUserPermissions too

Reset can downgrade effective access (override=1 vs role default=0), so the user's JWT must be invalidated alongside the DELETE. Wrapped in db.transaction for atomicity.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../src/controllers/permissionsController.js | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/backend/src/controllers/permissionsController.js b/backend/src/controllers/permissionsController.js
index 403fc7c..7906b26 100644
--- a/backend/src/controllers/permissionsController.js
+++ b/backend/src/controllers/permissionsController.js
@@ -138,13 +138,18 @@ function setUserPermission(req, res) {
 function resetUserPermissions(req, res) {
 const uid = Number(req.params.id);
 const { permission } = req.body; // optional: reset one key
- if (permission) {
- db.prepare(
- 'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?'
- ).run(uid, permission);
- } else {
- db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
- }
+ db.transaction(() => {
+ if (permission) {
+ db.prepare(
+ 'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?'
+ ).run(uid, permission);
+ } else {
+ db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
+ }
+ // Bump token_version so the user's JWT picks up the new effective permissions
+ // immediately (could be a downgrade if override was =1 and role default is =0).
+ db.prepare('UPDATE users SET token_version = token_version + 1 WHERE id = ?').run(uid);
+ })();
 audit(req, 'permission.user_reset', `user:${uid}`, permission || null);
 res.json({ ok: true });
 }
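Review bot: The added `UPDATE users SET token_version = token_version + 1` at the end of the transaction discards its result, so a request whose `:id` matches no user (including a non-numeric id, which the context line's `Number()` turns into `NaN` and which presumably matches nothing) still commits an empty transaction, writes a `permission.user_reset` audit record and answers `{ ok: true }`. Make the callback end with `return db.prepare('UPDATE users SET token_version = token_version + 1 WHERE id = ?').run(uid).changes;`, capture it as `const changed = db.transaction(() => { ... })();`, and before the audit call add `if (changed === 0) return res.status(404).json({ error: 'user not found' });` so only a reset that actually invalidated a token is logged and acknowledged. Separately, `permission` comes straight from the body with no type check; it is bound as a query parameter so there is no injection, but a non-string value would presumably make `.run()` throw into the default error handler instead of yielding a 400, so a `typeof permission === 'string'` guard is worth adding. The hunk covers the whole function, so nothing here is cut off.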