prevent updates to users that would move them to a different account … (#122)

* prevent updates to users that would move them to a different account or service provider, or make them admin users

* bugfix: when updating account as admin user, verify the account sid

* validate account sid when SP user tries to update

lib/routes/api/accounts.js

@@ -344,10 +344,20 @@ async function validateUpdate(req, sid) {
 
   if (req.user.service_provider_sid && !req.user.hasScope('admin')) {
     const result = await Account.retrieve(sid);
+    if (!result || result.length === 0) {
+      throw new DbErrorBadRequest(`account not found for sid ${sid}`);
+    }
     if (result[0].service_provider_sid !== req.user.service_provider_sid) {
       throw new DbErrorUnprocessableRequest('cannot update account from different service provider');
     }
   }
+  if (req.user.hasScope('admin')) {
+    /* check to be sure that the account_sid exists */
+    const result = await Account.retrieve(sid);
+    if (!result || result.length === 0) {
+      throw new DbErrorBadRequest(`account not found for sid ${sid}`);
+    }
+  }
   if (req.body.service_provider_sid) throw new DbErrorBadRequest('service_provider_sid may not be modified');
 }
 async function validateDelete(req, sid) {

lib/routes/api/users.js

@@ -39,6 +39,13 @@ const validateRequest = async(user_sid, payload) => {
     force_change,
     is_active} = payload;
 
+  if ('account_sid' in payload) {
+    throw new DbErrorBadRequest('user may not be moved to a different account');
+  }
+  if ('service_provider_sid' in payload) {
+    throw new DbErrorBadRequest('user may not be moved to a different service provider');
+  }
+
   const [r] = await promisePool.query(retrieveSql, user_sid);
   if (r.length === 0) return null;
   const user = r[0];