From 7200a06ef07d92eef5f3c4c8be29824aa001d688 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Thu, 11 Jan 2024 12:11:45 -0800
Subject: [PATCH] prevent manager in multi-user from updatingENV via HTTP
 (#576)

* prevent manager in multi-user from updatingENV via HTTP

* remove unneeded args
---
 server/endpoints/system.js | 6 ++++++
 server/utils/http/index.js | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index d2a13d10f..345bd230a 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -283,6 +283,12 @@ function systemEndpoints(app) {
     [validatedRequest, flexUserRoleValid],
     async (request, response) => {
       try {
+        const user = await userFromSession(request, response);
+        if (!!user && user.role !== "admin") {
+          response.sendStatus(401).end();
+          return;
+        }
+
         const body = reqBody(request);
         const { newValues, error } = updateENV(body);
         if (process.env.NODE_ENV === "production") await dumpENV();
diff --git a/server/utils/http/index.js b/server/utils/http/index.js
index cb57c4a28..83e3fa5dd 100644
--- a/server/utils/http/index.js
+++ b/server/utils/http/index.js
@@ -20,6 +20,8 @@ function makeJWT(info = {}, expiry = "30d") {
   return JWT.sign(info, process.env.JWT_SECRET, { expiresIn: expiry });
 }
 
+// Note: Only valid for finding users in multi-user mode
+// as single-user mode with password is not a "user"
 async function userFromSession(request, response = null) {
   if (!!response && !!response.locals?.user) {
     return response.locals.user;