revert account type permission changes

While this does make more sense to me personally, there is no need to change how the AUR treats its users; it has been accepted for ages and not found to be ridden with flaws. Stay with the tried and true method. Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-12-27 17:42:56 -08:00 · 2021-12-27 17:42:56 -08:00 · d55dab93da
commit d55dab93da
parent 80ee7f3d4b
4 changed files with 132 additions and 82 deletions
--- a/aurweb/users/validate.py
+++ b/aurweb/users/validate.py
@ -13,7 +13,6 @@ from aurweb import config, db, l10n, logging, models, time, util
 from aurweb.auth import creds
 from aurweb.captcha import get_captcha_answer, get_captcha_salts, get_captcha_token
 from aurweb.exceptions import ValidationError
-from aurweb.models import account_type as at
 from aurweb.models.account_type import ACCOUNT_TYPE_NAME
 from aurweb.models.ssh_pub_key import get_fingerprint

@ -171,31 +170,23 @@ def invalid_account_type(T: int = None, request: Request = None,
                         _: l10n.Translator = None,
                         **kwargs) -> None:
    if T is not None and (T := int(T)) != user.AccountTypeID:
+        name = ACCOUNT_TYPE_NAME.get(T, None)
        has_cred = request.user.has_credential(creds.ACCOUNT_CHANGE_TYPE)
-        if T not in ACCOUNT_TYPE_NAME:
+        if name is None:
            raise ValidationError(["Invalid account type provided."])
        elif not has_cred:
            raise ValidationError([
                "You do not have permission to change account types."])
-
-        credential_checks = {
-            at.USER_ID: request.user.is_trusted_user,
-            at.TRUSTED_USER_ID: request.user.is_trusted_user,
-            at.DEVELOPER_ID: request.user.is_developer,
-            at.TRUSTED_USER_AND_DEV_ID: (lambda: request.user.is_trusted_user()
-                                         and request.user.is_developer())
-        }
-        credential_check = credential_checks.get(T)
-
-        name = ACCOUNT_TYPE_NAME.get(T)
-        if not credential_check() or request.user == user:
+        elif T > request.user.AccountTypeID:
+            # If the chosen account type is higher than the editor's account
+            # type, the editor doesn't have permission to set the new type.
            error = _("You do not have permission to change "
                      "this user's account type to %s.") % name
            raise ValidationError([error])
-        else:
-            logger.debug(f"Trusted User '{request.user.Username}' has "
-                         f"modified '{user.Username}' account's type to"
-                         f" {name}.")
+
+        logger.debug(f"Trusted User '{request.user.Username}' has "
+                     f"modified '{user.Username}' account's type to"
+                     f" {name}.")


 def invalid_captcha(captcha_salt: str = None, captcha: str = None,