From 13fc5b5015344b2dc6bb3083e6abc60a15f4422f Mon Sep 17 00:00:00 2001
From: Harvey Kandola
Date: Mon, 6 Feb 2023 11:46:03 -0500
Subject: [PATCH] Test for user permissions before setting them

---
 domain/user/endpoint.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/domain/user/endpoint.go b/domain/user/endpoint.go
index de67f102..73430a90 100644
--- a/domain/user/endpoint.go
+++ b/domain/user/endpoint.go
@@ -508,6 +508,21 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Trap for non-admin users boosting their own user roles
+	if u.Admin && !a.Admin && !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+	if u.Editor && !a.Editor && !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+	if u.Active && !a.Active && !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+
+	// Set user roles
 	a.Editor = u.Editor
 	a.Admin = u.Admin
 	a.Active = u.Active
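Review bot: The three new guards only reject a non-administrator who raises a flag from false to true, so a caller with `!ctx.Administrator` can still clear `Admin`, `Editor` or `Active` on the record being updated — demoting or deactivating an account — because nothing in the hunk rejects a true-to-false change and the three assignments at the bottom copy all of `u`'s flags into `a` unconditionally. Unless an earlier check in Update (outside this hunk) restricts non-admins to their own record, that is a privilege-management gap; even for self-edits it lets a non-admin silently drop roles the intended policy says only an admin may touch. A single symmetric check is both shorter and closes it: `if !ctx.Administrator && (u.Admin != a.Admin || u.Editor != a.Editor || u.Active != a.Active) {` followed by the existing `response.WriteForbiddenError(w)` and `return`. The comment `// Trap for non-admin users boosting their own user roles` overstates what the code does — nothing here compares the target user to the caller — so it should read `// Only administrators may change the role or active flags`. Update's signature and the earlier checks (including the `if` that the leading `return` belongs to) begin before the hunk, and the function continues past its last line.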