fix(users): restrict role updates to Admin users only

Any authenticated user could previously call PUT /update/role and
escalate their own role to Admin. The endpoint now returns 403 if
the requesting user is not already an Admin.
This commit is contained in:
2026-04-26 20:32:37 +02:00
parent ece5506904
commit a27b8018b1
+3
View File
@@ -201,6 +201,9 @@ module.exports.updateUserRole = asyncHandler(async (req, res, next) => {
if (!user) {
return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource."));
}
if (user.role !== 'Admin') {
return next(new ErrorResponse("Forbidden", 403, "You are not allowed to change user roles."));
}
fieldValidation(req.body.user.role, next);
if (typeof req.body.user.role !== 'undefined') {