fix: Allow adjacent import only for admins
Gustl22 committed Nov 9, 2024
1 parent 707b93f commit dbab889
Showing 2 changed files with 13 additions and 5 deletions.
Expand Up @@ -179,12 +179,18 @@ class _IncludeSubjacentDialogState extends State<_IncludeSubjacentDialog> {
mainAxisSize: MainAxisSize.min,
children: [
widget.child,
CheckboxListTile(
Restricted(
privilege: UserPrivilege.admin,
child: CheckboxListTile(
title: Text(localizations.importIncludeSubjacent),
value: _includeSubjacent,
onChanged: (v) => setState(() {
_includeSubjacent = v ?? false;
})),
onChanged: (v) => setState(
() {
_includeSubjacent = v ?? false;
},
),
),
),
],
),
);
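Review bot: The `Restricted(privilege: UserPrivilege.admin, ...)` wrapper around the checkbox is a presentation control only, and nothing here says so; the authoritative check is the server-side one in `ImportController`. A short comment above the wrapper would stop a later reader from treating the hidden checkbox as the access control, for example `// UI hint only: the server ignores 'subjacent' for non-admins (see ImportController).` The initial value of `_includeSubjacent` is declared outside this hunk; if it can ever start as `true`, a non-admin would have no way to clear it and would still send the flag, so it is worth confirming that it defaults to `false`.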
Expand Up @@ -77,7 +77,9 @@ mixin ImportController<T extends DataObject> implements ShelfController<T> {
try {
final message = await request.readAsString();

final includeSubjacent = bool.parse(queryParams['subjacent'] ?? 'false');
// Only admins can call a subjacent import, to prevent overwriting critical entities.
final includeSubjacent = bool.parse(queryParams['subjacent'] ?? 'false') &&
(user?.privilege ?? UserPrivilege.none) >= UserPrivilege.admin;
final entity = await getSingle(entityId, obfuscate: obfuscate);

final organization = getOrganization(entity);
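Review bot: A non-admin request carrying `subjacent=true` is silently downgraded to a plain import at the `includeSubjacent` assignment instead of being refused, so the caller receives a success for something other than what it asked for and the denied attempt leaves no trace. Consider parsing the flag on its own (`final requestedSubjacent = bool.parse(queryParams['subjacent'] ?? 'false');`), deriving `isAdmin` from the same privilege comparison, and answering with a 403 plus a log entry when `requestedSubjacent && !isAdmin`. The fallback to `UserPrivilege.none` for a null `user` fails closed, which is the right default. The enclosing `try` and the handler begin and end outside this hunk, so how a `FormatException` from `bool.parse` on a malformed value is mapped to a response is not visible here.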
