From 2dfdac5a3eed93cd0151c6931a631c80e99fb1c5 Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 11 Jan 2024 12:07:49 -0800
Subject: [PATCH 1/2] prevent manager in multi-user from updatingENV via HTTP

---
 server/endpoints/system.js | 12 +++++++++++-
 server/utils/http/index.js | 2 ++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index d2a13d10f9a..ba648aee8f1 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -283,8 +283,18 @@ function systemEndpoints(app) {
 [validatedRequest, flexUserRoleValid],
 async (request, response) => {
 try {
+ const user = await userFromSession(request, response);
+ if (!!user && user.role !== "admin") {
+ response.sendStatus(401).end();
+ return;
+ }
+
 const body = reqBody(request);
- const { newValues, error } = updateENV(body);
+ const { newValues, error } = updateENV(
+ body,
+ false,
+ response.locals?.user
+ );
 if (process.env.NODE_ENV === "production") await dumpENV();
 response.status(200).json({ newValues, error });
 } catch (e) {
diff --git a/server/utils/http/index.js b/server/utils/http/index.js
index cb57c4a2894..83e3fa5dd47 100644
--- a/server/utils/http/index.js
+++ b/server/utils/http/index.js
@@ -20,6 +20,8 @@ function makeJWT(info = {}, expiry = "30d") {
 return JWT.sign(info, process.env.JWT_SECRET, { expiresIn: expiry });
 }

+// Note: Only valid for finding users in multi-user mode
+// as single-user mode with password is not a "user"
 async function userFromSession(request, response = null) {
 if (!!response && !!response.locals?.user) {
 return response.locals.user;

From fdffa5d28f89dbf260c1758cac2c5aa0e47a8f4d Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Thu, 11 Jan 2024 12:11:26 -0800
Subject: [PATCH 2/2] remove unneeded args

---
 server/endpoints/system.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
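Review bot: The guard added at the top of the try block answers 401 for a session user whose role is not "admin", but that request has already passed validatedRequest and is merely unauthorized, so 403 is the correct status; `sendStatus` also already ends the response, so the `.end()` is redundant — `response.sendStatus(403); return;`. The `!!user &&` prefix means a request that reaches this handler with no resolvable session user falls straight through to updateENV; that is presumably intended for single-user password mode, which has no user record, but it is a fail-open shape, so it is worth confirming that validatedRequest can never pass in multi-user mode without populating the user, and a comment above the check such as `// No session user only happens in single-user (password) mode, where there is no role to check` would record that assumption for the next reader. If the project already has an admin-only role middleware, placing it in the middleware array next to flexUserRoleValid would be the more consistent place for this check than an inline role test. The enclosing route handler starts and ends outside the hunk.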
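Review bot: The two-line comment added above userFromSession should state what callers receive in single-user mode, since the new admin guard in system.js uses that value to decide whether to skip the role check; as written it only says that mode is not a "user" without naming the return. I would make it a JSDoc block with a one-sentence purpose, `@param {object} request`, `@param {object|null} response - when given, response.locals.user is returned first`, and a `@returns` line stating the single-user-mode result (presumably null — the part of the body that establishes it is outside the hunk). The function's body continues past the end of the hunk.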
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index ba648aee8f1..345bd230a70 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -290,11 +290,7 @@ function systemEndpoints(app) {
 }

 const body = reqBody(request);
- const { newValues, error } = updateENV(
- body,
- false,
- response.locals?.user
- );
+ const { newValues, error } = updateENV(body);
 if (process.env.NODE_ENV === "production") await dumpENV();
 response.status(200).json({ newValues, error });
 } catch (e) {