Any role that can create users can create Super Admin user

Thank you for your help Alex, I really appreciate you!

Seems to work just fine after updating to strapi.container.get.

Thought I would ping <@752476861904191499>, <@729581409446133801> and <@711514413982548032> as this workaround works perfectly for our use-case.

I tested the following:

  1. Non super-admin creating/inviting a new user with the super-admin role
  2. Non super-admin creating/inviting a new user without the super-admin role
  3. Super-admin creating/inviting a new user with the super-admin role
  4. Super-admin creating/inviting a new user without the super-admin role
  5. Edit/update actions for all criteria above - both adding and removing super-admin roles from a normal and admin user
  6. Deletion actions (one and many) for all criteria above - deleting users with and without super-admin, as both a normal user and admin user

I included comments, so that everyone can use this, regardless of experience.

Note: deleteOne never seems to trigger; instead, deleteMany is called with 1 id when deleting a single/individual user through the dashboard. Logic is still added to deleteOne for (potential) user API calls.

It doesn’t actually spam, that was just from my testing haha - apologies for the misleading screenshot

Code goes into application entry point - src/index.js or src/index.ts


<@971785568189022329> Hoping you can clarify the following:

In update, the request is as follows:

  request: {
    roles: [ 1 ],
    isActive: false,
    username: null,
    email: '123@mirasaki.dev',
    lastname: '123',
    firstname: '123'
  }

There’s no uid present; if the update request contains a modified email address, the target user (userBeingUpdated) is unresolved. Is there any way we can include logic for this?

I’m guessing the best approach is the following:

Checking if hasRolesChanged, returning early if that is not the case, and not allowing any other edits on the data if the roles have changed. Would you say that if a user can’t be found with the new email address, it’s safe to determine hasEmailChanged? I’m not sure if existing email addresses can ever overlap in a way that would cause false positives with that logic.