satellite user delete updated to require user password (#852)

2018-12-14 18:14:17 +02:00 · 2018-12-14 18:14:17 +02:00 · 60fb655db2
commit 60fb655db2
parent 725ed44ce0
2 changed files with 17 additions and 3 deletions
--- a/pkg/satellite/satelliteweb/satelliteql/mutation.go
+++ b/pkg/satellite/satelliteweb/satelliteql/mutation.go
@ -129,6 +129,9 @@ func rootMutation(service *satellite.Service, types Types) *graphql.Object {
 					fieldID: &graphql.ArgumentConfig{
 						Type: graphql.String,
 					},
+					fieldPassword: &graphql.ArgumentConfig{
+						Type: graphql.NewNonNull(graphql.String),
+					},
 				},
 				Resolve: func(p graphql.ResolveParams) (interface{}, error) {
 					id, err := uuidIDAuthFallback(p, fieldID)
@ -136,12 +139,14 @@ func rootMutation(service *satellite.Service, types Types) *graphql.Object {
 						return nil, err
 					}

+					password, _ := p.Args[fieldPassword].(string)
+
 					user, err := service.GetUser(p.Context, *id)
 					if err != nil {
 						return nil, err
 					}

-					err = service.DeleteUser(p.Context, *id)
+					err = service.DeleteUser(p.Context, *id, password)
 					return user, err
 				},
 			},
--- a/pkg/satellite/service.go
+++ b/pkg/satellite/service.go
@ -151,12 +151,21 @@ func (s *Service) ChangeUserPassword(ctx context.Context, id uuid.UUID, pass, ne
 }

 // DeleteUser deletes User by id
-func (s *Service) DeleteUser(ctx context.Context, id uuid.UUID) error {
-	_, err := GetAuth(ctx)
+func (s *Service) DeleteUser(ctx context.Context, id uuid.UUID, password string) error {
+	auth, err := GetAuth(ctx)
 	if err != nil {
 		return err
 	}

+	if auth.User.ID != id {
+		return ErrUnauthorized.New("user has no rights")
+	}
+
+	err = bcrypt.CompareHashAndPassword(auth.User.PasswordHash, []byte(password))
+	if err != nil {
+		return ErrUnauthorized.New("origin password is incorrect")
+	}
+
 	return s.store.Users().Delete(ctx, id)
 }