feat(auth): implement user creation and update logic in registry

fulleni · fulleni · commit 2ae6db40b13b · 2025-10-31T06:56:07.000+01:00
Adds and refactors data operations for the user model.

- Create: A new entry in _itemCreators is added for 'user', enabling user creation through the generic data endpoint.

- Update: The updater for 'user' is refactored to be more secure and flexible. It now accepts a raw Map&lt;String, dynamic&gt; from the request body and selectively applies changes for appRole, dashboardRole, and feedDecoratorStatus.

This approach prevents mass assignment vulnerabilities while allowing both admins and users to perform their permitted updates.
diff --git a/lib/src/registry/data_operation_registry.dart b/lib/src/registry/data_operation_registry.dart
@@ -188,6 +188,11 @@ class DataOperationRegistry {
         item: item as Language,
         userId: uid,
       ),
+      // Handler for creating a new user.
+      'user': (c, item, uid) => c.read<DataRepository<User>>().create(
+        item: item as User,
+        userId: uid,
+      ),
       'remote_config': (c, item, uid) => c
           .read<DataRepository<RemoteConfig>>()
           .create(item: item as RemoteConfig, userId: uid),
@@ -220,13 +225,44 @@ class DataOperationRegistry {
       'language': (c, id, item, uid) => c
           .read<DataRepository<Language>>()
           .update(id: id, item: item as Language, userId: uid),
+      // Custom updater for the 'user' model.
+      // This updater handles two distinct use cases:
+      // 1. Admins updating user roles (`appRole`, `dashboardRole`).
+      // 2. Regular users updating their own `feedDecoratorStatus`.
+      // It accepts a raw Map<String, dynamic> as the `item` to prevent
+      // mass assignment vulnerabilities, only applying allowed fields.
       'user': (c, id, item, uid) {
         final repo = c.read<DataRepository<User>>();
         final existingUser = c.read<FetchedItem<dynamic>>().data as User;
-        final updatedUser = existingUser.copyWith(
-          feedDecoratorStatus: (item as User).feedDecoratorStatus,
+        final requestBody = item as Map<String, dynamic>;
+
+        AppUserRole? newAppRole;
+        if (requestBody.containsKey('appRole')) {
+          newAppRole = AppUserRole.values.byName(
+            requestBody['appRole'] as String,
+          );
+        }
+
+        DashboardUserRole? newDashboardRole;
+        if (requestBody.containsKey('dashboardRole')) {
+          newDashboardRole = DashboardUserRole.values.byName(
+            requestBody['dashboardRole'] as String,
+          );
+        }
+
+        Map<FeedDecoratorType, UserFeedDecoratorStatus>? newStatus;
+        if (requestBody.containsKey('feedDecoratorStatus')) {
+          newStatus = User.fromJson(
+            {'feedDecoratorStatus': requestBody['feedDecoratorStatus']},
+          ).feedDecoratorStatus;
+        }
+
+        final userWithUpdates = existingUser.copyWith(
+          appRole: newAppRole,
+          dashboardRole: newDashboardRole,
+          feedDecoratorStatus: newStatus,
         );
-        return repo.update(id: id, item: updatedUser, userId: uid);
+        return repo.update(id: id, item: userWithUpdates, userId: uid);
       },
       'user_app_settings': (c, id, item, uid) => c
           .read<DataRepository<UserAppSettings>>()
