fix: restrict user creation without a role (#913)

server returns error `User cannot be created without a role` if no role is provided in API call
parseablehq · Sep 5, 2024 · 6095922 · 6095922
1 parent cdbab23
commit 6095922
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/server/src/handlers/http/rbac.rs b/server/src/handlers/http/rbac.rs
@@ -67,7 +67,9 @@ pub async fn post_user(
     let roles: Option<HashSet<String>> = body
         .map(|body| serde_json::from_value(body.into_inner()))
         .transpose()?;
-
+    if roles.is_none() || roles.as_ref().unwrap().is_empty() {
+        return Err(RBACError::RoleValidationError);
+    }
     validator::user_name(&username)?;
     let _ = UPDATE_LOCK.lock().await;
     if Users.contains(&username) {
@@ -215,6 +217,8 @@ pub enum RBACError {
     ObjectStorageError(#[from] ObjectStorageError),
     #[error("invalid Username: {0}")]
     ValidationError(#[from] UsernameValidationError),
+    #[error("User cannot be created without a role")]
+    RoleValidationError,
 }
 
 impl actix_web::ResponseError for RBACError {
@@ -225,6 +229,7 @@ impl actix_web::ResponseError for RBACError {
             Self::SerdeError(_) => StatusCode::BAD_REQUEST,
             Self::ValidationError(_) => StatusCode::BAD_REQUEST,
             Self::ObjectStorageError(_) => StatusCode::INTERNAL_SERVER_ERROR,
+            Self::RoleValidationError => StatusCode::BAD_REQUEST,
         }
     }