(partially) fix security problem with federated session

author: metamuffin <metamuffin@disroot.org> 2023-12-11 01:19:51 +0100
committer: metamuffin <metamuffin@disroot.org> 2023-12-11 01:19:51 +0100
commit: 36d7fb2790774c53415c96f8c6955be42bad952f (patch)
tree: 4481dac53a6d0896e90ff72b9b68665e59e159db /server/src/routes/ui/account/settings.rs
parent: 767d6c4c7b8518198b0343781128027051b94ae5 (diff)
download: jellything-36d7fb2790774c53415c96f8c6955be42bad952f.tar
jellything-36d7fb2790774c53415c96f8c6955be42bad952f.tar.bz2
jellything-36d7fb2790774c53415c96f8c6955be42bad952f.tar.zst
1 files changed, 7 insertions, 1 deletions
diff --git a/server/src/routes/ui/account/settings.rs b/server/src/routes/ui/account/settings.rs
index 2192d43..90dcf37 100644
--- a/server/src/routes/ui/account/settings.rs
+++ b/server/src/routes/ui/account/settings.rs
@@ -13,7 +13,8 @@ use crate::{
     },
     uri,
 };
-use jellycommon::user::Theme;
+use jellybase::permission::PermissionSetExt;
+use jellycommon::user::{Theme, UserPermission};
 use rocket::{
     form::{self, validate::len, Contextual, Form},
     get,
@@ -95,6 +96,11 @@ pub fn r_account_settings_post(
     database: &State<Database>,
     form: Form<Contextual<SettingsForm>>,
 ) -> MyResult<DynLayoutPage<'static>> {
+    session
+        .user
+        .permissions
+        .assert(&UserPermission::ManageSelf)?;
+
     let form = match &form.value {
         Some(v) => v,
         None => return Ok(settings_page(session, Some(Err(format_form_error(form))))),
author	metamuffin <metamuffin@disroot.org>	2023-12-11 01:19:51 +0100
committer	metamuffin <metamuffin@disroot.org>	2023-12-11 01:19:51 +0100
commit	36d7fb2790774c53415c96f8c6955be42bad952f (patch)
tree	4481dac53a6d0896e90ff72b9b68665e59e159db /server/src/routes/ui/account/settings.rs
parent	767d6c4c7b8518198b0343781128027051b94ae5 (diff)
download	jellything-36d7fb2790774c53415c96f8c6955be42bad952f.tar jellything-36d7fb2790774c53415c96f8c6955be42bad952f.tar.bz2 jellything-36d7fb2790774c53415c96f8c6955be42bad952f.tar.zst