diff --git a/src/controllers/users.controller.js b/src/controllers/users.controller.js index 3a26039..a133b6f 100644 --- a/src/controllers/users.controller.js +++ b/src/controllers/users.controller.js @@ -201,6 +201,9 @@ module.exports.updateUserRole = asyncHandler(async (req, res, next) => { if (!user) { return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource.")); } + if (user.role !== 'Admin') { + return next(new ErrorResponse("Forbidden", 403, "You are not allowed to change user roles.")); + } fieldValidation(req.body.user.role, next); if (typeof req.body.user.role !== 'undefined') {