From ea885e4e7e30007a72b08656685468249a5f5645 Mon Sep 17 00:00:00 2001
From: joostdecock <joost@joost.at>
Date: Mon, 14 Nov 2022 18:30:54 +0100
Subject: [PATCH] wip(backend): Guarding user updates

---
 sites/backend/src/controllers/user.mjs | 6 +++---
 sites/backend/src/models/user.mjs      | 7 +++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/sites/backend/src/controllers/user.mjs b/sites/backend/src/controllers/user.mjs
index 6eaaf889af6..648000db8eb 100644
--- a/sites/backend/src/controllers/user.mjs
+++ b/sites/backend/src/controllers/user.mjs
@@ -48,7 +48,7 @@ UserController.prototype.login = async function (req, res, tools) {
  */
 UserController.prototype.whoami = async (req, res, tools) => {
   const User = new UserModel(tools)
-  await User.guardedRead({ id: req.user.uid })
+  await User.guardedRead({ id: req.user.uid }, req)
 
   return User.sendResponse(res)
 }
@@ -60,8 +60,8 @@ UserController.prototype.whoami = async (req, res, tools) => {
  */
 UserController.prototype.update = async (req, res, tools) => {
   const User = new UserModel(tools)
-  await User.read({ id: req.user.uid })
-  await User.guardedUpdate(req.body, req.user)
+  await User.guardedRead({ id: req.user.uid }, req)
+  await User.guardedUpdate(req)
 
   return User.sendResponse(res)
 }
diff --git a/sites/backend/src/models/user.mjs b/sites/backend/src/models/user.mjs
index 8f5ac2d0159..4baa556d9af 100644
--- a/sites/backend/src/models/user.mjs
+++ b/sites/backend/src/models/user.mjs
@@ -67,7 +67,9 @@ UserModel.prototype.cloak = function (data) {
  *
  * Stores result in this.record
  */
-UserModel.prototype.guardedRead = async function (where) {
+UserModel.prototype.guardedRead = async function (where, { user }) {
+  if (user.level < 3) return this.setResponse(403, 'insufficientAccessLevel')
+  if (user.iss && user.status < 1) return this.setResponse(403, 'accountStatusLacking')
   await this.read(where)
 
   return this.setResponse(200, false, {
@@ -318,8 +320,9 @@ UserModel.prototype.unguardedUpdate = async function (data) {
  * Updates the user data - Used when we pass through user-provided data
  * so we can't be certain it's safe
  */
-UserModel.prototype.guardedUpdate = async function (body, user) {
+UserModel.prototype.guardedUpdate = async function ({ body, user }) {
   if (user.level < 3) return this.setResponse(403, 'insufficientAccessLevel')
+  if (user.iss && user.status < 1) return this.setResponse(403, 'accountStatusLacking')
   const data = {}
   // Bio
   if (typeof body.bio === 'string') data.bio = body.bio