path: root/src/API.hs
author: William Carroll <wpcarro@gmail.com> 2020-08-01T10·48+0100
committer: William Carroll <wpcarro@gmail.com> 2020-08-01T10·48+0100
commit: 83f4f8e9d669d91602520e1c12d2e8892120e4ba (patch)
tree: 125f3c637ceaca32b35ff9007c03ede068788094 /src/API.hs
parent: a3732300e1c4dfa14a7ba9d7367ebbef914d8398 (diff)
Prevent non-admins from creating Manager or Admin accounts
Client-side, I'm not exposing the role option to users. Server-side, I'm
asserting that requests to create Manager and Admin accounts are attempted by
users with a session tied to an admin account.
Diffstat (limited to 'src/API.hs')
-rw-r--r-- src/API.hs | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/API.hs b/src/API.hs
index 461c851126a4..956e745b30fd 100644
--- a/src/API.hs
+++ b/src/API.hs
@@ -16,6 +16,7 @@ type SessionCookie = Header' '[Required] "Cookie" T.SessionCookie
 type API =
       -- accounts: Create
            "accounts"
+           :> Header "Cookie" T.SessionCookie
            :> ReqBody '[JSON] T.CreateAccountRequest
            :> Post '[JSON] NoContent
       :<|> "verify"
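Review bot: The added line `:> Header "Cookie" T.SessionCookie` uses the plain optional `Header` combinator, even though the hunk header shows this module already defines `type SessionCookie = Header' '[Required] "Cookie" T.SessionCookie`; the handler for "accounts" therefore receives a `Maybe T.SessionCookie` and must itself reject the `Nothing` case, and the role check the commit message describes rests entirely on that handler code, which is outside this diff. Consider reusing the `SessionCookie` alias here so a missing cookie is rejected by Servant at the type level and the handler only has to compare the session's role against the requested one, and add a short comment on this route stating that Manager/Admin creation requires an admin session, since nothing in the type signals that.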