yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: Add locks to user mutations (#5805)

Browse Source
This commit is contained in:
Tom Moor
2023-09-09 23:26:22 -04:00
committed by GitHub
parent c22ed0c82e
commit 9602d09964
5 changed files with 140 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
server/routes/api/users/users.ts
View File

@@ -187,8 +187,8 @@ router.post(
router.post(
"users.update",
auth(),
transaction(),
validate(T.UsersUpdateSchema),
transaction(),
async (ctx: APIContext<T.UsersUpdateReq>) => {
const { auth, transaction } = ctx.state;
const actor = auth.user;
@@ -196,7 +196,11 @@ router.post(
let user: User | null = actor;
if (id) {
user = await User.findByPk(id);
user = await User.findByPk(id, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
}
authorize(actor, "update", user);
const includeDetails = can(actor, "readDetails", user);
@@ -240,24 +244,37 @@ router.post(
"users.promote",
auth(),
validate(T.UsersPromoteSchema),
transaction(),
async (ctx: APIContext<T.UsersPromoteReq>) => {
const { transaction } = ctx.state;
const userId = ctx.input.body.id;
const actor = ctx.state.auth.user;
const teamId = actor.teamId;
const user = await User.findByPk(userId);
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
authorize(actor, "promote", user);
await user.promote();
await Event.create({
name: "users.promote",
actorId: actor.id,
userId,
teamId,
data: {
name: user.name,
},
ip: ctx.request.ip,
await user.promote({
transaction,
});
await Event.create(
{
name: "users.promote",
actorId: actor.id,
userId,
teamId,
data: {
name: user.name,
},
ip: ctx.request.ip,
},
{
transaction,
}
);
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
@@ -273,20 +290,29 @@ router.post(
"users.demote",
auth(),
validate(T.UsersDemoteSchema),
transaction(),
async (ctx: APIContext<T.UsersDemoteReq>) => {
const userId = ctx.input.body.id;
const to = ctx.input.body.to;
const { transaction } = ctx.state;
const { to, id: userId } = ctx.input.body;
const actor = ctx.state.auth.user;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
authorize(actor, "demote", user);
await Team.findByPk(user.teamId, {
transaction,
lock: transaction.LOCK.UPDATE,
});
await userDemoter({
to,
user,
actorId: actor.id,
transaction,
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
@@ -304,11 +330,15 @@ router.post(
"users.suspend",
auth(),
validate(T.UsersSuspendSchema),
transaction(),
async (ctx: APIContext<T.UsersSuspendReq>) => {
const { transaction } = ctx.state;
const userId = ctx.input.body.id;
const actor = ctx.state.auth.user;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
authorize(actor, "suspend", user);
@@ -316,6 +346,7 @@ router.post(
user,
actorId: actor.id,
ip: ctx.request.ip,
transaction,
});
const includeDetails = can(actor, "readDetails", user);
@@ -332,17 +363,22 @@ router.post(
"users.activate",
auth(),
validate(T.UsersActivateSchema),
transaction(),
async (ctx: APIContext<T.UsersActivateReq>) => {
const { transaction } = ctx.state;
const userId = ctx.input.body.id;
const actor = ctx.state.auth.user;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
authorize(actor, "activate", user);
await userUnsuspender({
user,
actorId: actor.id,
transaction,
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
@@ -465,6 +501,8 @@ router.post(
if (id) {
user = await User.findByPk(id, {
rejectOnEmpty: true,
transaction,
lock: transaction.LOCK.UPDATE,
});
} else {
user = actor;