galima/periodic-table
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed project admin being able to create superadmin users

Browse Source
This commit is contained in:
gulimabr
2026-01-19 15:20:10 -03:00
parent 384375a297
commit c99f4d8986
2 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
backend/src/main.py
View File

@@ -740,6 +740,13 @@ async def update_member_role(
status_code=status.HTTP_400_BAD_REQUEST, status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid role id {role_data.role_id}" detail=f"Invalid role id {role_data.role_id}"
) )
allowed_role_names = {"editor", "auditor", "admin", "viewer"}
if role.role_name not in allowed_role_names:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Project admins cannot assign this role"
)
# Update the user's role # Update the user's role
from src.repositories import UserRepository from src.repositories import UserRepository
@@ -798,6 +805,13 @@ async def create_project_user(
status_code=status.HTTP_400_BAD_REQUEST, status_code=status.HTTP_400_BAD_REQUEST,
detail=f"Invalid role id {user_data.role_id}" detail=f"Invalid role id {user_data.role_id}"
) )
allowed_role_names = {"editor", "auditor", "admin", "viewer"}
if role.role_name not in allowed_role_names:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Project admins cannot create users with this role"
)
# Create user in Keycloak # Create user in Keycloak
keycloak_sub = await KeycloakAdminService.create_user( keycloak_sub = await KeycloakAdminService.create_user(

13
frontend/src/pages/AdminPage.tsx
View File

@@ -82,6 +82,9 @@ export default function AdminPage() {
// Check if user is admin // Check if user is admin
const isAdmin = user?.role_id === 3 const isAdmin = user?.role_id === 3
const allowedRoleNames = ['editor', 'auditor', 'admin', 'viewer']
const allowedRoles = roles.filter(role => allowedRoleNames.includes(role.role_name))
// Redirect if not admin // Redirect if not admin
useEffect(() => { useEffect(() => {
if (!isAdmin) { if (!isAdmin) {
@@ -539,6 +542,12 @@ export default function AdminPage() {
<tbody> <tbody>
{members.map((member) => { {members.map((member) => {
const isCurrentUser = member.id === user?.db_user_id const isCurrentUser = member.id === user?.db_user_id
const roleOptions = allowedRoleNames.includes(member.role_name)
? allowedRoles
: [
...allowedRoles,
...roles.filter(role => role.id === member.role_id)
]
return ( return (
<tr key={member.id} className="border-b border-gray-100"> <tr key={member.id} className="border-b border-gray-100">
@@ -575,7 +584,7 @@ export default function AdminPage() {
}`} }`}
title={isCurrentUser && member.role_id === 3 ? t('memberRoles.cannotDemoteSelf') : ''} title={isCurrentUser && member.role_id === 3 ? t('memberRoles.cannotDemoteSelf') : ''}
> >
{roles.map((role) => ( {roleOptions.map((role) => (
<option key={role.id} value={role.id}> <option key={role.id} value={role.id}>
{role.display_name} {role.display_name}
</option> </option>
@@ -1011,7 +1020,7 @@ export default function AdminPage() {
onChange={(e) => setNewRoleId(parseInt(e.target.value))} onChange={(e) => setNewRoleId(parseInt(e.target.value))}
className="w-full px-3 py-2 border border-gray-300 rounded text-sm focus:outline-none focus:ring-2 focus:ring-teal-500" className="w-full px-3 py-2 border border-gray-300 rounded text-sm focus:outline-none focus:ring-2 focus:ring-teal-500"
> >
{roles.map((role) => ( {allowedRoles.map((role) => (
<option key={role.id} value={role.id}> <option key={role.id} value={role.id}>
{role.display_name} {role.display_name}
</option> </option>