From 014d479df8f36515915bc7991bb97bad24dcbef9 Mon Sep 17 00:00:00 2001
From: Steffen Jost
Date: Tue, 25 Apr 2023 09:56:18 +0000
Subject: [PATCH] fix(users): prevent accidental user hijacking
---
 src/Handler/Users.hs | 4 ++--
 src/Utils/Form.hs | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Handler/Users.hs b/src/Handler/Users.hs
index 3ae8c8885..1e20bdde1 100644
--- a/src/Handler/Users.hs
+++ b/src/Handler/Users.hs
@@ -45,7 +45,7 @@ import Auth.Dummy (apDummy)
 hijackUserForm :: Form ()
-hijackUserForm csrf = do
+hijackUserForm = identifyForm FIDHijackUser $ \csrf -> do
 (btnResult, btnView) <- mopt (buttonField BtnHijack) "" Nothing
 return (btnResult >>= guard . is _Just, mconcat [toWidget csrf, fvWidget btnView])
@@ -351,7 +351,7 @@ postUsersR = do
 , dbtExtraReps = []
 }
- $logInfoS "UsersFormResult" $ tshow usersRes
+ -- $logInfoS "UsersFormResult" $ tshow usersRes
 formResult usersRes $ \case
 (act, usersSet)
 | Set.null usersSet && isNotSetSupervisor act ->
diff --git a/src/Utils/Form.hs b/src/Utils/Form.hs
index c5f8ef383..1cee75678 100644
--- a/src/Utils/Form.hs
+++ b/src/Utils/Form.hs
@@ -308,6 +308,7 @@ data FormIdentifier
 | FIDAvsSetLicence
 | FIDBtnAvsImportUnknown
 | FIDBtnAvsRevokeUnknown
+ | FIDHijackUser
 deriving (Eq, Ord, Read, Show)
 instance PathPiece FormIdentifier where
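Review bot: hijackUserForm gets no Haddock comment explaining why it is now wrapped in identifyForm, and since that wrapping is the whole fix the reason should be recorded next to the signature: `-- | Button form for the user-hijack action. Wrapped in 'identifyForm' with 'FIDHijackUser' so its result is only 'Just' when this specific form was posted; without the marker a submission of another form on the same page could be mistaken for a hijack request.` Form identification only tells the handler which form was submitted; it is not an authorization check, so the code that acts on the `Just` result (outside this hunk) presumably still has to verify that the caller is allowed to impersonate the target user — worth confirming rather than relying on this change alone.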
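Review bot: The `$logInfoS "UsersFormResult" $ tshow usersRes` statement is commented out rather than removed, which leaves dead code in postUsersR (whose body begins and ends outside this hunk). If the trace is still useful while debugging, keep it but lower it to `$logDebugS "UsersFormResult" $ tshow usersRes` so the full form result, including the selected user set, stays out of info-level production logs; if it is not needed, delete the line instead of parking it in a comment.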
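Review bot: FIDHijackUser is added to FormIdentifier, but the `instance PathPiece FormIdentifier where` body that follows is outside the hunk; if that instance enumerates constructors by hand instead of going through the derived Read/Show, it needs a matching case, and a missing one would stop identifyForm from round-tripping the new identifier. A small test such as `fromPathPiece (toPathPiece FIDHijackUser) == Just FIDHijackUser` would settle this either way.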