fix(users): restrict role updates to Admin users only
Any authenticated user could previously call PUT /update/role and escalate their own role to Admin. The endpoint now returns 403 if the requesting user is not already an Admin.
This commit is contained in:
@@ -201,6 +201,9 @@ module.exports.updateUserRole = asyncHandler(async (req, res, next) => {
|
|||||||
if (!user) {
|
if (!user) {
|
||||||
return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource."));
|
return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource."));
|
||||||
}
|
}
|
||||||
|
if (user.role !== 'Admin') {
|
||||||
|
return next(new ErrorResponse("Forbidden", 403, "You are not allowed to change user roles."));
|
||||||
|
}
|
||||||
|
|
||||||
fieldValidation(req.body.user.role, next);
|
fieldValidation(req.body.user.role, next);
|
||||||
if (typeof req.body.user.role !== 'undefined') {
|
if (typeof req.body.user.role !== 'undefined') {
|
||||||
|
|||||||
Reference in New Issue
Block a user