fix(perm): bump token_version on resetUserPermissions too

Reset can downgrade effective access (override=1 vs role default=0),
so the user's JWT must be invalidated alongside the DELETE.

Wrapped in db.transaction for atomicity.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Maxim Dolgolyov
2026-05-17 14:25:03 +03:00
parent 76883b569c
commit 3e187a94c0
@@ -138,6 +138,7 @@ function setUserPermission(req, res) {
function resetUserPermissions(req, res) { function resetUserPermissions(req, res) {
const uid = Number(req.params.id); const uid = Number(req.params.id);
const { permission } = req.body; // optional: reset one key const { permission } = req.body; // optional: reset one key
db.transaction(() => {
if (permission) { if (permission) {
db.prepare( db.prepare(
'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?' 'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?'
@@ -145,6 +146,10 @@ function resetUserPermissions(req, res) {
} else { } else {
db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid); db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
} }
// Bump token_version so the user's JWT picks up the new effective permissions
// immediately (could be a downgrade if override was =1 and role default is =0).
db.prepare('UPDATE users SET token_version = token_version + 1 WHERE id = ?').run(uid);
})();
audit(req, 'permission.user_reset', `user:${uid}`, permission || null); audit(req, 'permission.user_reset', `user:${uid}`, permission || null);
res.json({ ok: true }); res.json({ ok: true });
} }
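Review bot: `uid` is taken straight from `Number(req.params.id)` and the result of the new `UPDATE users SET token_version …` is never inspected, so a non-numeric or unknown id makes every statement in the transaction match nothing while the handler still writes a `permission.user_reset` audit entry (for `user:NaN` in the non-numeric case) and answers `{ ok: true }`. For an endpoint that changes access and revokes tokens, the audit trail should only record resets that reached a real user: reject early with `if (!Number.isInteger(uid) || uid <= 0) return res.status(400).json({ ok: false });` (or whatever error shape the other handlers use). The transaction callback can also return `.run(uid).changes` from the UPDATE so the handler answers 404 and skips `audit(...)` when it is 0. The line between the two hunks (presumably the `.run(...)` of the single-key DELETE) is not shown, so this assumes it binds `uid` the same way.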