studiocms 0.4.2 → 0.4.4

package/frontend/pages/studiocms_api/_handlers/dashboard/create.ts

@@ -90,15 +90,37 @@ export const CreateHandlers = HttpApiBuilder.group(
 							return yield* new DashboardAPIError({ error: 'Unauthorized' });
 						}
 
-						const [token, user] = yield* Effect.all([
-							sdk.resetTokenBucket.new(userId),
-							sdk.GET.users.byId(userId),
-						]);
+						const user = yield* sdk.GET.users.byId(userId);
 
-						if (!token || !user) {
+						if (!user) {
 							return yield* new DashboardAPIError({ error: 'User not found' });
 						}
 
+						const rank = user.permissionsData?.rank;
+
+						if (!rank) {
+							return yield* new DashboardAPIError({ error: 'User rank not found' });
+						}
+
+						if (!ValidRanks.has(rank) || rank === 'unknown') {
+							return yield* new DashboardAPIError({ error: 'Invalid rank' });
+						}
+
+						const callerPerm = availablePermissionRanks.indexOf(userData.permissionLevel);
+						const targetPerm = availablePermissionRanks.indexOf(rank);
+
+						if (targetPerm >= callerPerm) {
+							return yield* new DashboardAPIError({
+								error: 'Unauthorized: insufficient permissions to assign target rank',
+							});
+						}
+
+						const token = yield* sdk.resetTokenBucket.new(userId);
+
+						if (!token) {
+							return yield* new DashboardAPIError({ error: 'Failed to generate reset token' });
+						}
+
 						yield* notifier
 							.sendAdminNotification('user_updated', user.username)
 							.pipe(

package/frontend/pages/studiocms_api/_handlers/dashboard/users.ts

@@ -277,6 +277,12 @@ export const UsersHandlers = HttpApiBuilder.group(StudioCMSDashboardApiSpec, 'us
 					});
 				}
 
+				if (id !== userData.user?.id && !userData.userPermissionLevel.isAdmin) {
+					return yield* new DashboardAPIError({
+						error: "Unauthorized: cannot modify another user's notification preferences",
+					});
+				}
+
 				const existingUser = yield* sdk.GET.users.byId(id);
 
 				if (!existingUser) {

package/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts

@@ -1362,9 +1362,12 @@ export const RestApiSecureHandler = HttpApiBuilder.group(
 							});
 						}
 
-						if (newUserRank === 'owner' && rank !== 'owner') {
+						const callerPerm = availablePermissionRanks.indexOf(rank);
+						const targetPerm = availablePermissionRanks.indexOf(newUserRank);
+
+						if (targetPerm >= callerPerm) {
 							return yield* new RestAPIError({
-								error: 'Unauthorized to create user with owner rank',
+								error: 'Unauthorized: insufficient permissions to assign target rank',
 							});
 						}
 
@@ -1372,12 +1375,6 @@ export const RestApiSecureHandler = HttpApiBuilder.group(
 							password = yield* sdk.UTIL.Generators.generateRandomPassword(12);
 						}
 
-						if (rank === 'admin' && newUserRank === 'owner') {
-							return yield* new RestAPIError({
-								error: 'Unauthorized to create user with owner rank',
-							});
-						}
-
 						const checkEmail = isValidEmail(email);
 
 						if (!checkEmail.success) {
@@ -1639,19 +1636,24 @@ export const RestApiSecureHandler = HttpApiBuilder.group(
 							})
 						);
 
-						if (rank !== 'owner') {
-							data = data.filter((user) => user.rank !== 'owner');
-						}
+						const loggedInUserRankIndex = availablePermissionRanks.indexOf(user.rank);
+
+						data = data.filter((candidate) => {
+							const candidateRankIndex = availablePermissionRanks.indexOf(candidate.rank);
+							return loggedInUserRankIndex > candidateRankIndex;
+						});
 
 						if (name) {
-							data = data.filter((user) => user.name.toLowerCase().includes(name.toLowerCase()));
+							data = data.filter((candidate) =>
+								candidate.name.toLowerCase().includes(name.toLowerCase())
+							);
 						}
 						if (rank) {
-							data = data.filter((user) => user.rank === rank);
+							data = data.filter((candidate) => candidate.rank === rank);
 						}
 						if (username) {
-							data = data.filter((user) =>
-								user.username.toLowerCase().includes(username.toLowerCase())
+							data = data.filter((candidate) =>
+								candidate.username.toLowerCase().includes(username.toLowerCase())
 							);
 						}
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "studiocms",
-  "version": "0.4.2",
+  "version": "0.4.4",
   "description": "A Community-Driven Astro native CMS. Built from the ground up by the Astro community.",
   "author": {
     "name": "withstudiocms",
@@ -253,17 +253,17 @@
     "tinyglobby": "^0.2.15",
     "ultrahtml": "^1.6.0",
     "web-vitals": "^5.1.0",
-    "@withstudiocms/api-spec": "^0.3.1",
+    "@withstudiocms/api-spec": "^0.3.2",
     "@withstudiocms/internal_helpers": "^0.2.0",
     "@withstudiocms/auth-kit": "^0.1.4",
     "@withstudiocms/cli-kit": "^0.2.1",
     "@withstudiocms/component-registry": "^0.1.4",
     "@withstudiocms/config-utils": "^0.2.0",
-    "@withstudiocms/effect": "^0.4.0",
+    "@withstudiocms/effect": "^0.4.1",
     "@withstudiocms/template-lang": "^0.1.0",
     "@withstudiocms/kysely": "^0.2.1",
     "@withstudiocms/sdk": "^0.3.0",
-    "effectify": "^0.1.1"
+    "effectify": "^0.2.0"
   },
   "devDependencies": {
     "@types/mdast": "^4.0.4",
@@ -276,6 +276,7 @@
   },
   "peerDependencies": {
     "@effect/platform": "^0.94.5",
+    "@effect/platform-node": "^0.104.1",
     "@libsql/client": "^0.15.15",
     "astro": "^5.12.9",
     "effect": "^3.19.19",
@@ -283,9 +284,21 @@
     "mysql2": "^3.18.0"
   },
   "peerDependenciesMeta": {
+    "@effect/platform": {
+      "optional": false
+    },
+    "@effect/platform-node": {
+      "optional": false
+    },
     "@libsql/client": {
       "optional": true
     },
+    "astro": {
+      "optional": false
+    },
+    "effect": {
+      "optional": false
+    },
     "pg": {
       "optional": true
     },