fix: req user references

Signed-off-by: mertmit <mertmit99@gmail.com>

packages/nc-gui/components/project/AccessSettings.vue

@@ -187,7 +187,7 @@ const accessibleRoles = computed<(typeof ProjectRoles)[keyof typeof ProjectRoles
                   class="w-35 !rounded px-1"
                   :virtual="true"
                   :placeholder="$t('labels.noAccess')"
-                  :disabled="collab.id === user?.id"
+                  :disabled="collab.id === user?.id || (collab.roles && !accessibleRoles.includes(collab.roles))"
                   :allow-clear="!isEeUI"
                   @change="(value) => updateCollaborator(collab, value)"
                 >

packages/nocodb-sdk/src/lib/enums.ts

@@ -175,7 +175,7 @@ export const RoleLabels = {
   [OrgUserRoles.SUPER_ADMIN]: 'Super',
   [OrgUserRoles.CREATOR]: 'Creator',
   [OrgUserRoles.VIEWER]: 'Viewer',
-}
+};
 
 export const RoleColors = {
   [WorkspaceUserRoles.OWNER]: 'purple',
@@ -192,7 +192,7 @@ export const RoleColors = {
   [ProjectRoles.NO_ACCESS]: 'red',
   [OrgUserRoles.CREATOR]: 'blue',
   [OrgUserRoles.VIEWER]: 'yellow',
-}
+};
 
 export const OrderedWorkspaceRoles = [
   WorkspaceUserRoles.OWNER,
@@ -202,7 +202,7 @@ export const OrderedWorkspaceRoles = [
   WorkspaceUserRoles.VIEWER,
   // placeholder for no access
   null,
-]
+];
 
 export const OrderedProjectRoles = [
   ProjectRoles.OWNER,
@@ -211,4 +211,4 @@ export const OrderedProjectRoles = [
   ProjectRoles.COMMENTER,
   ProjectRoles.VIEWER,
   ProjectRoles.NO_ACCESS,
-]
+];

packages/nocodb/src/services/project-users/project-users.service.ts

@@ -1,5 +1,10 @@
 import { Injectable } from '@nestjs/common';
-import { AppEvents, OrgUserRoles, PluginCategory } from 'nocodb-sdk';
+import {
+  AppEvents,
+  OrgUserRoles,
+  PluginCategory,
+  ProjectRoles,
+} from 'nocodb-sdk';
 import { v4 as uuidv4 } from 'uuid';
 import * as ejs from 'ejs';
 import validator from 'validator';
@@ -16,6 +21,7 @@ import { Project, ProjectUser, User } from '~/models';
 
 import { CacheGetType, CacheScope, MetaTable } from '~/utils/globals';
 import { extractProps } from '~/helpers/extractProps';
+import { getProjectRolePower } from '~/utils/roleHelper';
 
 @Injectable()
 export class ProjectUsersService {
@@ -193,25 +199,43 @@ export class ProjectUsersService {
       return NcError.badRequest('Invalid project id');
     }
 
+    if (param.projectUser.roles.includes(ProjectRoles.OWNER)) {
+      NcError.badRequest('Owner cannot be updated');
+    }
+
     if (
-      param.req.session?.passport?.user?.roles?.owner &&
-      param.req.session?.passport?.user?.id === param.userId &&
-      param.projectUser.roles.indexOf('owner') === -1
+      ![
+        ProjectRoles.CREATOR,
+        ProjectRoles.EDITOR,
+        ProjectRoles.COMMENTER,
+        ProjectRoles.VIEWER,
+        ProjectRoles.NO_ACCESS,
+      ].includes(param.projectUser.roles as ProjectRoles)
     ) {
-      NcError.badRequest("Super admin can't remove Super role themselves");
+      NcError.badRequest('Invalid role');
     }
+
     const user = await User.get(param.userId);
 
     if (!user) {
       NcError.badRequest(`User with id '${param.userId}' doesn't exist`);
     }
 
-    // todo: handle roles which contains super
+    const targetUser = await User.getWithRoles(param.userId, {
+      user,
+      projectId: param.projectId,
+    });
+
+    if (!targetUser) {
+      NcError.badRequest(
+        `User with id '${param.userId}' doesn't exist in this project`,
+      );
+    }
+
     if (
-      !param.req.session?.passport?.user?.roles?.owner &&
-      param.projectUser.roles.indexOf('owner') > -1
+      getProjectRolePower(targetUser) >= getProjectRolePower(param.req.user)
     ) {
-      NcError.forbidden('Insufficient privilege to add super admin role.');
+      NcError.badRequest(`Insufficient privilege to update user`);
     }
 
     await ProjectUser.updateRoles(
@@ -241,11 +265,11 @@ export class ProjectUsersService {
   }): Promise<any> {
     const project_id = param.projectId;
 
-    if (param.req.session?.passport?.user?.id === param.userId) {
+    if (param.req.user?.id === param.userId) {
       NcError.badRequest("Admin can't delete themselves!");
     }
 
-    if (!param.req.session?.passport?.user?.roles?.owner) {
+    if (!param.req.user?.roles?.owner) {
       const user = await User.get(param.userId);
       if (user.roles?.split(',').includes('super'))
         NcError.forbidden(
@@ -336,7 +360,7 @@ export class ProjectUsersService {
               .split(',')
               .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
               .join(', '),
-            adminEmail: req.session?.passport?.user?.email,
+            adminEmail: req.user?.email,
           }),
         });
         return true;

packages/nocodb/src/utils/roleHelper.ts

@@ -1,5 +1,6 @@
 import { OrderedProjectRoles } from 'nocodb-sdk';
 import { NcError } from 'src/helpers/catchError';
+import type { ProjectRoles } from 'nocodb-sdk';
 
 export function getProjectRolePower(user: any) {
   const reverseOrderedProjectRoles = [...OrderedProjectRoles].reverse();
@@ -7,8 +8,8 @@ export function getProjectRolePower(user: any) {
   // get most powerful role of user (TODO moving forward we will confirm that user has only one role)
   let role = null;
   let power = -1;
-  for (const r of user.project_roles) {
-    const ind = reverseOrderedProjectRoles.indexOf(r);
+  for (const r of Object.keys(user.project_roles)) {
+    const ind = reverseOrderedProjectRoles.indexOf(r as ProjectRoles);
     if (ind > power) {
       role = r;
       power = ind;