From dea16773dfcc4e38e48c2980731af6e2a17a7aa6 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 22 Aug 2019 10:59:14 +0200
Subject: Fix user creation by moderators
---
 server/middlewares/validators/users.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'server/middlewares/validators/users.ts')
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 16d297047..8ee2ec1f5 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -38,7 +38,9 @@ const usersAddValidator = [
 body('email').isEmail().withMessage('Should have a valid email'),
 body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
 body('videoQuotaDaily').custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
- body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
+ body('role')
+ .customSanitizer(toIntOrNull)
+ .custom(isUserRoleValid).withMessage('Should have a valid role'),
 body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
@@ -50,7 +52,7 @@ const usersAddValidator = [
 const authUser = res.locals.oauth.token.User
 if (authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== UserRole.USER) {
 return res.status(403)
- .json({ error: 'You can only create users (and not administrators or moderators' })
+ .json({ error: 'You can only create users (and not administrators or moderators)' })
 }
 return next()
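Review bot: The `.customSanitizer(toIntOrNull)` step added to `body('role')` in usersAddValidator is load-bearing for authorization and has no comment saying so: the handler shown in the hunk at -50,7 rejects non-administrators with the strict comparison `req.body.role !== UserRole.USER`, which presumably only behaves as intended once the role is a number. I would add above the chain `// Coerce role to an integer first: the handler's 403 check compares it strictly against UserRole.USER`. `toIntOrNull` is neither defined nor imported in the lines shown (the page is limited to this file), so confirm that non-numeric input becomes a value `isUserRoleValid` rejects rather than one that passes. The usersAddValidator array starts and ends outside the hunk.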
@@ -160,7 +162,10 @@ const usersUpdateValidator = [
 body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'),
 body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
 body('videoQuotaDaily').optional().custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
- body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
+ body('role')
+ .optional()
+ .customSanitizer(toIntOrNull)
+ .custom(isUserRoleValid).withMessage('Should have a valid role'),
 body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
-- 
cgit v1.2.3
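Review bot: Nothing visible in usersUpdateValidator limits which role a non-administrator may assign, unlike the 403 check in usersAddValidator; the handler body continues outside this hunk, so this may already be covered there. If it is not, the update path should get an equivalent guard that tolerates an absent role, with a condition along the lines of `authUser.role !== UserRole.ADMINISTRATOR && req.body.role !== undefined && req.body.role !== UserRole.USER`. Because the field is `.optional()`, it is also worth confirming that `toIntOrNull` leaves a missing `role` as `undefined`, so that an update request sent without a role cannot end up carrying `null` into the account update.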