maxim.dolgolyov/Learn_System
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(perm): bump token_version on resetUserPermissions too

Browse Source 
Reset can downgrade effective access (override=1 vs role default=0),

so the user's JWT must be invalidated alongside the DELETE.

Wrapped in db.transaction for atomicity.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Maxim Dolgolyov
2026-05-17 14:25:03 +03:00
parent 76883b569c
commit 3e187a94c0
1 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/controllers/permissionsController.js
+12 -7
View File
@@ -138,13 +138,18 @@ function setUserPermission(req, res) {
function resetUserPermissions(req, res) { function resetUserPermissions(req, res) {
const uid = Number(req.params.id); const uid = Number(req.params.id);
const { permission } = req.body; // optional: reset one key const { permission } = req.body; // optional: reset one key
if (permission) { db.transaction(() => {
db.prepare( if (permission) {
'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?' db.prepare(
).run(uid, permission); 'DELETE FROM user_permissions WHERE user_id = ? AND permission = ?'
} else { ).run(uid, permission);
db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid); } else {
} db.prepare('DELETE FROM user_permissions WHERE user_id = ?').run(uid);
}
// Bump token_version so the user's JWT picks up the new effective permissions
// immediately (could be a downgrade if override was =1 and role default is =0).
db.prepare('UPDATE users SET token_version = token_version + 1 WHERE id = ?').run(uid);
})();
audit(req, 'permission.user_reset', `user:${uid}`, permission || null); audit(req, 'permission.user_reset', `user:${uid}`, permission || null);
res.json({ ok: true }); res.json({ ok: true });
} }