From 1f789c0a8ded2cd7153de2b3515a5f88d3c8fc19 Mon Sep 17 00:00:00 2001 From: shibao Date: Wed, 16 Feb 2022 20:21:55 -0500 Subject: [PATCH] fix exploit with role --- lib/cannery/accounts.ex | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/cannery/accounts.ex b/lib/cannery/accounts.ex index d25d53f..e703d02 100644 --- a/lib/cannery/accounts.ex +++ b/lib/cannery/accounts.ex @@ -109,12 +109,11 @@ defmodule Cannery.Accounts do @spec register_user(map()) :: {:ok, User.t()} | {:error, Changeset.t(User.new_user())} def register_user(attrs) do # if no registered users, make first user an admin - attrs = + role = if Repo.one!(from u in User, select: count(u.id), distinct: true) == 0, - do: attrs |> Map.put("role", "admin"), - else: attrs + do: "admin", else: "user" - %User{} |> User.registration_changeset(attrs) |> Repo.insert() + %User{} |> User.registration_changeset(attrs |> Map.put("role", role)) |> Repo.insert() end @doc """