fix(users): prevent accidental user hijacking

2023-04-25 09:56:18 +00:00 · 2023-04-25 09:56:18 +00:00 · 014d479df8
commit 014d479df8
parent 76fb44d898
2 changed files with 3 additions and 2 deletions
--- a/src/Handler/Users.hs
+++ b/src/Handler/Users.hs
@ -45,7 +45,7 @@ import Auth.Dummy (apDummy)


 hijackUserForm :: Form ()
-hijackUserForm csrf = do
+hijackUserForm = identifyForm FIDHijackUser $ \csrf -> do
  (btnResult, btnView) <- mopt (buttonField BtnHijack) "" Nothing
  return (btnResult >>= guard . is _Just, mconcat [toWidget csrf, fvWidget btnView])

@ -351,7 +351,7 @@ postUsersR = do
      , dbtExtraReps = []
      }

-  $logInfoS "UsersFormResult" $ tshow usersRes
+  -- $logInfoS "UsersFormResult" $ tshow usersRes
  formResult usersRes $ \case
    (act, usersSet)
      | Set.null usersSet && isNotSetSupervisor act ->
--- a/src/Utils/Form.hs
+++ b/src/Utils/Form.hs
@ -308,6 +308,7 @@ data FormIdentifier
  | FIDAvsSetLicence
  | FIDBtnAvsImportUnknown
  | FIDBtnAvsRevokeUnknown
+  | FIDHijackUser
  deriving (Eq, Ord, Read, Show)

 instance PathPiece FormIdentifier where