core: fix changing password escalating user privileges

koush · Mar 5, 2023 · f726826 · f726826
1 parent dc5148c
commit f726826
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 8 deletions.
diff --git a/plugins/core/package-lock.json b/plugins/core/package-lock.json
diff --git a/plugins/core/package.json b/plugins/core/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@scrypted/core",
-   "version": "0.1.95",
+   "version": "0.1.96",
    "description": "Scrypted Core plugin. Provides the UI, websocket, and engine.io APIs.",
    "author": "Scrypted",
    "license": "Apache-2.0",

diff --git a/plugins/core/src/converters.ts b/plugins/core/src/converters.ts
@@ -1,8 +1,7 @@
-import { BufferConverter, BufferConvertorOptions, HttpRequest, HttpRequestHandler, HttpResponse, HttpResponseOptions, MediaObject, RequestMediaObject, ScryptedDeviceBase, ScryptedMimeTypes } from "@scrypted/sdk";
-import sdk from "@scrypted/sdk";
+import sdk, { BufferConverter, HttpRequest, HttpRequestHandler, HttpResponse, HttpResponseOptions, MediaObject, RequestMediaObject, ScryptedDeviceBase, ScryptedMimeTypes } from "@scrypted/sdk";
+import crypto from 'crypto';
 import mime from "mime/lite";
 import path from 'path';
-import crypto from 'crypto';
 
 const { endpointManager } = sdk;
 

diff --git a/plugins/core/src/main.ts b/plugins/core/src/main.ts
@@ -1,3 +1,4 @@
+import { tsCompile } from '@scrypted/common/src/eval/scrypted-eval';
 import sdk, { DeviceProvider, EngineIOHandler, HttpRequest, HttpRequestHandler, HttpResponse, ScryptedDeviceBase, ScryptedDeviceType, ScryptedInterface, Setting, Settings, SettingValue } from '@scrypted/sdk';
 import { StorageSettings } from "@scrypted/sdk/storage-settings";
 import fs from 'fs';
@@ -237,3 +238,9 @@ class ScryptedCore extends ScryptedDeviceBase implements HttpRequestHandler, Eng
 }
 
 export default ScryptedCore;
+
+export async function fork() {
+    return {
+        tsCompile,
+    }
+}
diff --git a/plugins/core/src/user.ts b/plugins/core/src/user.ts
@@ -3,7 +3,7 @@ import { addAccessControlsForInterface } from "@scrypted/sdk/acl";
 import { StorageSettings } from "@scrypted/sdk/storage-settings";
 export const UsersNativeId = 'users';
 
-type DBUser = { username: string, aclId: string };
+type DBUser = { username: string, admin: boolean };
 
 export class User extends ScryptedDeviceBase implements Settings, ScryptedUser {
     storageSettings = new StorageSettings(this, {
@@ -79,7 +79,19 @@ export class User extends ScryptedDeviceBase implements Settings, ScryptedUser {
         const user = users.find(user => user.username === this.username);
         if (!user)
             return;
-        await usersService.addUser(user.username, value.toString(), user.aclId);
+        const { username, admin } = user;
+        const nativeId = `user:${username}`;
+        const aclId = await sdk.deviceManager.onDeviceDiscovered({
+            providerNativeId: this.nativeId,
+            name: username.toString(),
+            nativeId,
+            interfaces: [
+                ScryptedInterface.ScryptedUser,
+                ScryptedInterface.Settings,
+            ],
+            type: ScryptedDeviceType.Person,
+        })
+        await usersService.addUser(user.username, value.toString(), admin ? undefined : aclId);
     }
 }