From de23d1aa035dc08ba2f42cc79b27c35dcfcaa333 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Thu, 5 Mar 2020 21:00:59 -0800
Subject: [PATCH] Do not allow to set active flag for the operating user
---
 src/routes/users.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/routes/users.js b/src/routes/users.js
index d51b49423..644f7dcda 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -75,7 +75,10 @@ function update(req, res, next) {
 if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but user has only '${req.user.role}'`));
 }
- if ('active' in req.body && typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
+ if ('active' in req.body) {
+ if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
+ if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
+ }
 users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
 if (error) return next(BoxError.toHttpError(error));