
Test for user permissions before setting them

This commit is contained in:
Harvey Kandola 2023-02-06 11:46:03 -05:00
parent 76c777acc1
commit 13fc5b5015


@ -508,6 +508,21 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
return return
} }
// Trap for non-admin users boosting their own user roles
if u.Admin && !a.Admin && !ctx.Administrator {
response.WriteForbiddenError(w)
return
}
if u.Editor && !a.Editor && !ctx.Administrator {
response.WriteForbiddenError(w)
return
}
if u.Active && !a.Active && !ctx.Administrator {
response.WriteForbiddenError(w)
return
}
// Set user roles
a.Editor = u.Editor a.Editor = u.Editor
a.Admin = u.Admin a.Admin = u.Admin
a.Active = u.Active a.Active = u.Active
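Review bot: The three guards only reject a non-admin turning a flag on (`u.X && !a.X`), so a non-admin caller can still clear `a.Admin`, `a.Editor` or `a.Active` on the target record — demoting an administrator or deactivating an account — and the three assignments at the end of the hunk then persist that change. Whether a non-admin can reach this point for a record other than their own depends on the earlier part of `Update`, which starts outside the hunk (the function begins at line 508 per the header), but the trap as written does not enforce it either way. Since any change to these three flags is an administrative action, a single guard on any difference would close the gap: `if !ctx.Administrator && (u.Admin != a.Admin || u.Editor != a.Editor || u.Active != a.Active) { response.WriteForbiddenError(w); return }`. That also makes the comment accurate; something like `// Only administrators may change role or active flags` instead of "boosting their own user roles", since the check applies to any target user, not just the caller's own record.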