From f8b8c36b2a92bfee435747ab5a0283924be76281 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 23 Jan 2018 09:15:36 +0100
Subject: Destroy user token when changing its role
---
 server/controllers/api/users.ts | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'server/controllers')
diff --git a/server/controllers/api/users.ts b/server/controllers/api/users.ts
index aced4639e..79bb2665d 100644
--- a/server/controllers/api/users.ts
+++ b/server/controllers/api/users.ts
@@ -19,6 +19,7 @@ import {
 import { usersUpdateMyAvatarValidator, videosSortValidator } from '../../middlewares/validators'
 import { AccountVideoRateModel } from '../../models/account/account-video-rate'
 import { UserModel } from '../../models/account/user'
+import { OAuthTokenModel } from '../../models/oauth/oauth-token'
 import { VideoModel } from '../../models/video/video'
 const reqAvatarFile = createReqFiles('avatarfile', CONFIG.STORAGE.AVATARS_DIR, AVATAR_MIMETYPE_EXT)
@@ -288,6 +289,7 @@ async function updateMyAvatar (req: express.Request, res: express.Response, next
 async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) {
 const body: UserUpdate = req.body
 const user = res.locals.user as UserModel
+ const roleChanged = body.role !== undefined && body.role !== user.role
 if (body.email !== undefined) user.email = body.email
 if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota
@@ -295,6 +297,11 @@ async function updateUser (req: express.Request, res: express.Response, next: ex
 await user.save()
+ // Destroy user token to refresh rights
+ if (roleChanged) {
+ await OAuthTokenModel.deleteUserToken(user.id)
+ }
+
 // Don't need to send this update to followers, these attributes are not propagated
 return res.sendStatus(204)
-- cgit v1.2.3
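Review bot: The token revocation in the last hunk is a second, separate write issued after `await user.save()`, so if `OAuthTokenModel.deleteUserToken(user.id)` fails, the new role is already stored while the user's existing tokens stay valid, which matters most on a demotion. Retrying the same request would not repair this, because `roleChanged` (second hunk) would then compare `body.role` with the already-saved role and evaluate to false. Consider running the save and the delete in one database transaction if the model helpers accept one, or at least failing closed by placing `if (roleChanged) await OAuthTokenModel.deleteUserToken(user.id)` before `await user.save()`. The body of updateUser continues outside both hunks, so the role assignment itself is not visible here.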