prevent manager in multi-user from updatingENV via HTTP (#576)

* prevent manager in multi-user from updatingENV via HTTP

* remove unneeded args

server/endpoints/system.js

@@ -283,6 +283,12 @@ function systemEndpoints(app) {
     [validatedRequest, flexUserRoleValid],
     async (request, response) => {
       try {
+        const user = await userFromSession(request, response);
+        if (!!user && user.role !== "admin") {
+          response.sendStatus(401).end();
+          return;
+        }
+
         const body = reqBody(request);
         const { newValues, error } = updateENV(body);
         if (process.env.NODE_ENV === "production") await dumpENV();

server/utils/http/index.js

@@ -20,6 +20,8 @@ function makeJWT(info = {}, expiry = "30d") {
   return JWT.sign(info, process.env.JWT_SECRET, { expiresIn: expiry });
 }
 
+// Note: Only valid for finding users in multi-user mode
+// as single-user mode with password is not a "user"
 async function userFromSession(request, response = null) {
   if (!!response && !!response.locals?.user) {
     return response.locals.user;