Do not allow lower level roles to edit higher level ones

src/routes/users.js

@@ -71,8 +71,6 @@ function update(req, res, next) {
     if ('role' in req.body) {
         if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
         if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
-
-        if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
     }
 
     if ('active' in req.body) {
@@ -80,6 +78,8 @@ function update(req, res, next) {
         if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
     }
 
+    if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
+
     users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
         if (error) return next(BoxError.toHttpError(error));