From a27b8018b1cdf421abbf9d5ca99567b9a63d56a8 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 20:32:37 +0200 Subject: [PATCH] fix(users): restrict role updates to Admin users only Any authenticated user could previously call PUT /update/role and escalate their own role to Admin. The endpoint now returns 403 if the requesting user is not already an Admin. --- src/controllers/users.controller.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/controllers/users.controller.js b/src/controllers/users.controller.js index 3a26039..a133b6f 100644 --- a/src/controllers/users.controller.js +++ b/src/controllers/users.controller.js @@ -201,6 +201,9 @@ module.exports.updateUserRole = asyncHandler(async (req, res, next) => { if (!user) { return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource.")); } + if (user.role !== 'Admin') { + return next(new ErrorResponse("Forbidden", 403, "You are not allowed to change user roles.")); + } fieldValidation(req.body.user.role, next); if (typeof req.body.user.role !== 'undefined') {