Only unset of admin flag is disallowed

This commit is contained in:
Girish Ramakrishnan
2018-07-26 23:42:57 -07:00
parent 0966edd8fe
commit 554006683e


@@ -70,7 +70,7 @@ function update(req, res, next) {
if ('admin' in req.body) {
if (typeof req.body.admin !== 'boolean') return next(new HttpError(400, 'admin must be a boolean'));
// this route is only allowed for admins, so req.user has to be an admin
if (req.user.id === req.params.userId) return next(new HttpError(409, 'Cannot change admin flag on self'));
if (req.user.id === req.params.userId && !req.body.admin) return next(new HttpError(409, 'Cannot remove admin flag on self'));
}
users.update(req.params.userId, req.body, auditSource(req), function (error) {