fix exploit with role

2022-02-16 20:21:55 -05:00 · 2022-02-16 20:21:55 -05:00 · 1f789c0a8d
parent 2f9c08b79f
commit 1f789c0a8d
1 changed files with 3 additions and 4 deletions
--- a/lib/cannery/accounts.ex
+++ b/lib/cannery/accounts.ex
@ -109,12 +109,11 @@ defmodule Cannery.Accounts do
  @spec register_user(map()) :: {:ok, User.t()} | {:error, Changeset.t(User.new_user())}
  def register_user(attrs) do
    # if no registered users, make first user an admin
-    attrs =
+    role =
      if Repo.one!(from u in User, select: count(u.id), distinct: true) == 0,
-        do: attrs |> Map.put("role", "admin"),
-        else: attrs
+        do: "admin", else: "user"

-    %User{} |> User.registration_changeset(attrs) |> Repo.insert()
+    %User{} |> User.registration_changeset(attrs |> Map.put("role", role)) |> Repo.insert()
  end

  @doc """