Add rules to saveUser for a token


#1

Hi,

I created a token and added rule /api/cockpit/saveUser so it only works for registration. But the problem is if someone just finds the token, it’s possible to create admin by just defining group as admin then that user will have admin rights.

How can I prevent user registration with admin group for a token?

fetch('/api/cockpit/saveUser?token=xxtokenxx', {
    method: 'post',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
        "user": {
            "user": "Test",
            "name": "TestName",
            "password": "123123",
            "email": "test4@invalid.com",    
	    "group": "admin",
	    "active": true
	}
    })
})

Thanks


#2

If you are planning to store end users as cockpit users may be better to change the strategy, I would prefer to have a collection for it or use a third party system.

In such case, you can protect by hooking into the cockpit.accounts.save and remove the admin groups, e.g.:

$app->on('cockpit.accounts.save', function (&$data, $update) {
  // Any additional logic you may require (check if request is from the api, etc..)
  if (in_array($data['group'], ['admin', 'other admin groups'])) {
    unset($data['group']);
  }
});

#3

Thanks for the reply I also thought about creating a collection for that but then I have to take care of all the authentication and api_key stuff which I don’t want.

This hooking should solve my problem but where should I place this code snippet for cockpit.accounts.save?


#4

I still think that collections would be more flexible as you can extend the user fields as you need (e.g. multiple roles, address, etc…), the intent of cockpit users is just to manage the CMS.

You can put inside a bootstrap.php file in an addon (e.g. /addons/users/bootstrap.php), a more complete example can be:

<?php
if (COCKPIT_API_REQUEST) {
  $app->on('cockpit.accounts.save', function (&$data, $update) {
    // Any additional logic you may require (check if request is from the api, etc..)
    if (in_array($data['group'], ['admin', 'other admin groups'])) {
      unset($data['group']);
    }
  });
}