From 81b43b8824a32aa5afbd5011dd68e56abe41ed1d Mon Sep 17 00:00:00 2001
From: the_aceix
Date: Fri, 19 Jan 2024 12:06:57 +0000
Subject: [PATCH] fix(NET-887): prevent non-admin users from registering

---
 auth/host_session.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/auth/host_session.go b/auth/host_session.go
index 0bc7000af..1b75697cf 100644
--- a/auth/host_session.go
+++ b/auth/host_session.go
@@ -86,6 +86,24 @@ func SessionHandler(conn *websocket.Conn) {
 return
 }
 req.Pass = req.Host.ID.String()
+ user, err := logic.GetUser(req.User)
+ if err != nil {
+ logger.Log(0, "failed to get user", req.User, "from database")
+ err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+ if err != nil {
+ logger.Log(0, "error during message writing:", err.Error())
+ }
+ return
+ }
+ if !user.IsAdmin && !user.IsSuperAdmin {
+ logger.Log(0, "user", req.User, "is neither an admin or superadmin. denying registeration")
+ conn.WriteMessage(messageType, []byte("cannot register with a non-admin or non-superadmin"))
+ err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+ if err != nil {
+ logger.Log(0, "error during message writing:", err.Error())
+ }
+ return
+ }
 if err = netcache.Set(stateStr, req); err != nil { // give the user's host access in the DB
 logger.Log(0, "machine failed to complete join on network,", registerMessage.Network, "-", err.Error())