From 78d02dc8e5d103d248e5d7632bf7a6facdf4264c Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Mon, 9 May 2022 21:36:13 -0400
Subject: [PATCH] fix: prevent manage system assignment from manage groups permission
---
 server/graph/resolvers/group.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/server/graph/resolvers/group.js b/server/graph/resolvers/group.js
index 3fc7db23..1e295979 100644
--- a/server/graph/resolvers/group.js
+++ b/server/graph/resolvers/group.js
@@ -173,6 +173,14 @@ module.exports = {
 throw new gql.GraphQLError('You are not authorized to manage this group or assign these permissions.')
 }
 
+ // Check assigned permissions for manage:groups
+ if (
+ WIKI.auth.checkExclusiveAccess(req.user, ['manage:groups'], ['manage:system']) &&
+ args.permissions.some(p => _.last(p.split(':')) === 'system')
+ ) {
+ throw new gql.GraphQLError('You are not authorized to manage this group or assign the manage:system permissions.')
+ }
+
 // Update group
 await WIKI.models.groups.query().patch({
 name: args.name,
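Review bot: The added guard before `// Update group` matches on `_.last(p.split(':')) === 'system'`, which rejects every permission whose final segment is `system` rather than `manage:system` specifically, while the comment and the error text name only manage:groups and manage:system. If the suffix match is deliberate, the comment should say so, e.g. `// a manage:groups-only caller must not grant any *:system permission`; otherwise `args.permissions.includes('manage:system')` states the intent exactly. The guard also inspects only the permissions submitted in this call, so whether a manage:groups-only caller can still edit a group that already holds manage:system depends on code outside this hunk and is worth confirming. The resolver body starts and ends outside the hunk.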