From a02e2cdc98807d019b40556e9450ca6551c00bc4 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 8 Jul 2018 20:12:07 +0200
Subject: [PATCH] Prevent admins elevating rights to more schools by session-hijacking
---
 models | 1 +
 src/Handler/Users.hs | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/models b/models
index 90b554663..909a72610 100644
--- a/models
+++ b/models
@@ -12,6 +12,7 @@ User json
 UserAdmin
 user UserId
 school SchoolId
+ UniqueUserAdmin user school
 UserLecturer
 user UserId
 school SchoolId
diff --git a/src/Handler/Users.hs b/src/Handler/Users.hs
index ba2ad0022..48010f33c 100644
--- a/src/Handler/Users.hs
+++ b/src/Handler/Users.hs
@@ -13,6 +13,7 @@ import Import
 import Handler.Utils
 import qualified Data.Map as Map
+import qualified Data.Set as Set
 import qualified Database.Esqueleto as E
@@ -95,7 +96,15 @@ postAdminHijackUserR cID = do
 case hijackRes of
 FormSuccess uid'
 | uid' == uid -> do
-          User{..} <- runDB $ get404 uid
+ myUid <- requireAuthId
+ User{..} <- runDB $ do
+ otherSchoolsAdmin <- Set.fromList . map (userAdminSchool . entityVal) <$> selectList [UserAdminUser ==. uid] []
+ otherSchoolsLecturer <- Set.fromList . map (userLecturerSchool . entityVal) <$> selectList [UserLecturerUser ==. uid] []
+ mySchools <- Set.fromList . map (userAdminSchool . entityVal) <$> selectList [UserAdminUser ==. myUid] []
+ when (not $ (otherSchoolsAdmin `Set.union` otherSchoolsLecturer) `Set.isSubsetOf` mySchools) $
+ permissionDenied "Cannot escalate admin status to additional schools"
+
+ get404 uid
 setCredsRedirect $ Creds "dummy" (userPlugin <> ":" <> userIdent) []
 | otherwise -> error "This should be impossible by definition of `hijackUserForm`"
 FormFailure errs -> toTypedContent <$> mapM_ (addMessage "error" . toHtml) errs
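Review bot: The added `UniqueUserAdmin user school` constraint will be enforced by the database when the Persistent migration runs, so on any deployment whose UserAdmin table already holds duplicate (user, school) rows the migration presumably fails rather than deduplicating. Worth checking for such rows before shipping, and stating the intent on the line itself, e.g. `-- at most one admin row per (user, school); deduplicate existing rows before migrating`. The constraint also does not participate in the new permission check in Users.hs, which builds a `Set` and so already tolerates duplicates.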
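Review bot: The identity switch at `setCredsRedirect` leaves no record of which admin assumed which account; the new guard decides whether the hijack is permitted, but nothing in the hunk records that it happened. Log both ids via `$logInfo` (monad-logger, if `Import` re-exports it) immediately before `setCredsRedirect`, so the action is attributable when a session is later reviewed. Note also that the subset test only considers `UserAdmin` and `UserLecturer` rows for the target; a target with rights granted through any other per-school table would pass vacuously, so a one-line comment above the `when`, e.g. `-- rights considered: admin and lecturer school memberships only`, would make that assumption explicit. The body of `postAdminHijackUserR` begins before the hunk.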