mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-24 22:42:10 +03:00
Fixed adduserbatch validation.
This commit is contained in:
parent
906bf94916
commit
0604d9f31d
26
meshuser.js
26
meshuser.js
@ -1596,20 +1596,30 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
}
|
||||
case 'adduserbatch':
|
||||
{
|
||||
var err = null;
|
||||
|
||||
// Add many new user accounts
|
||||
if ((user.siteadmin & 2) == 0) break;
|
||||
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) break;
|
||||
if (!Array.isArray(command.users)) break;
|
||||
if ((user.siteadmin & 2) == 0) { err = 'Access denied'; }
|
||||
else if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { err = 'Unable to create users when in SSPI or LDAP mode'; }
|
||||
else if (!Array.isArray(command.users)) { err = 'Invalid users'; }
|
||||
else {
|
||||
var userCount = 0;
|
||||
for (var i in command.users) {
|
||||
if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here.
|
||||
if (common.validateUsername(command.users[i].user, 1, 256) == false) break; // Username is between 1 and 64 characters, no spaces
|
||||
if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) break; // This is a reserved user name or invalid name
|
||||
if (common.validateString(command.users[i].pass, 1, 256) == false) break; // Password is between 1 and 256 characters
|
||||
if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) break; // Password does not meet requirements
|
||||
if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) break; // Check if this is a valid email address
|
||||
if (common.validateUsername(command.users[i].user, 1, 256) == false) { err = 'Invalid username'; break; } // Username is between 1 and 64 characters, no spaces
|
||||
if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) { err = 'Invalid username'; break; } // This is a reserved user name or invalid name
|
||||
if (common.validateString(command.users[i].pass, 1, 256) == false) { err = 'Invalid password'; break; } // Password is between 1 and 256 characters
|
||||
if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) { err = 'Invalid password'; break; } // Password does not meet requirements
|
||||
if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) { err = 'Invalid email'; break; } // Check if this is a valid email address
|
||||
userCount++;
|
||||
}
|
||||
}
|
||||
|
||||
// Handle any errors
|
||||
if (err != null) {
|
||||
if (command.responseid != null) { try { ws.send(JSON.stringify({ action: 'adduserbatch', responseid: command.responseid, result: err })); } catch (ex) { } }
|
||||
break;
|
||||
}
|
||||
|
||||
// Check if we exceed the maximum number of user accounts
|
||||
db.isMaxType(domain.limits.maxuseraccounts + userCount, 'user', domain.id, function (maxExceed) {
|
||||
|
12
webserver.js
12
webserver.js
@ -2615,9 +2615,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
const domain = getDomain(req);
|
||||
if (domain == null) { parent.debug('web', 'handleMeScriptRequest: no domain'); res.sendStatus(404); return; }
|
||||
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
|
||||
|
||||
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only.
|
||||
|
||||
// Get the user and check user rights
|
||||
var authUserid = null;
|
||||
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
|
||||
if (authUserid == null) { res.sendStatus(401); return; }
|
||||
const user = obj.users[authUserid];
|
||||
if (user == null) { res.sendStatus(401); return; }
|
||||
|
||||
if ((req.query.type == 1) && (req.query.meshid != null)) {
|
||||
// Get the CIRA install script
|
||||
if (obj.IsMeshViewable(user, req.query.meshid) == false) { res.sendStatus(404); return; }
|
||||
obj.getCiraConfigurationScript(req.query.meshid, function (script) {
|
||||
if (script == null) { res.sendStatus(404); } else {
|
||||
try {
|
||||
@ -2630,6 +2639,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
});
|
||||
} else if (req.query.type == 2) {
|
||||
// Get the CIRA cleanup script
|
||||
obj.getCiraCleanupScript(function (script) {
|
||||
if (script == null) { res.sendStatus(404); } else {
|
||||
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="cira_cleanup.mescript"' });
|
||||
|
Loading…
Reference in New Issue
Block a user